Cisco has bundled 25 security advisories that describe 26 vulnerabilities in Cisco NX-OS switch and Firepower FXOS firewall software.
While the 26 alerts describe vulnerabilities that have a Security Impact Rating of “High,” most (23) affect Cisco NX-OS software, and the remaining three involve both software packages.
The vulnerabilities span a number of problems that would let an attacker gain unauthorized access, gain elevated privileges, execute arbitrary commands, escape the restricted shell, bypass the system image verification checks or cause denial of service (DoS) conditions, Cisco said.
Cisco has released software fixes for all the vulnerabilities, and none of the problems affect Cisco IOS software or Cisco IOS XE software, the company said.
Information about which Cisco FXOS Software and Cisco NX-OS Software releases are vulnerable, and what to do about it, is available in the fixed software section of the advisory.
LDAP implementation vulnerability
The worst of the vulnerabilities, with a Common Vulnerability Scoring System (CVSS) rating of 8.6 out of 10, are found in the implementation of the Lightweight Directory Access Protocol (LDAP) feature in Cisco FXOS and Cisco NX-OS software. The problem could let an unauthenticated, remote attacker cause an affected device to reload, resulting in a denial of service (DoS) condition, Cisco stated.
“The vulnerabilities are due to the improper parsing of LDAP packets by an affected device.
An attacker could exploit these vulnerabilities by sending an LDAP packet crafted using Basic Encoding Rules (BER) to an affected device,” Cisco wrote. “The LDAP packet must have a source IP address of an LDAP server configured on the targeted device.”
The vulnerability affects a number of products, from the Firepower 4100 Series Next-Generation Firewall and Firepower 9300 Security Appliance to MDS 9000 Series Multilayer Switches, Nexus 3000, 3500, 7000 and 9000 Series Switches, and UCS 6200 and 6300 Series Fabric Interconnects.
Tetration Analytics vulnerability
Another highly ranked vulnerability is in the Cisco Tetration Analytics agent for Nexus 9000 Series switches in standalone NX-OS mode, which could let an authenticated, local attacker execute arbitrary code as root. The vulnerability is due to an incorrect permissions setting. An attacker could exploit it by replacing valid agent files with malicious code, and a successful exploit could result in the execution of attacker-supplied code, Cisco said in the advisory.
The Cisco Tetration Analytics system gathers information from hardware and software sensors and analyzes it using big data analytics and machine learning to offer IT managers a deeper understanding of their data center resources. The idea behind Tetration includes the ability to dramatically improve enterprise security monitoring and simplify operational reliability.
A couple of vulnerabilities in the Nexus software could let attackers gain elevated privileges on the switches and execute nefarious commands.
The first weakness is due to an incorrect authorization check of user accounts and their associated group ID, Cisco wrote. “An attacker could exploit this vulnerability by taking advantage of a logic error that will permit the use of higher privileged commands than what is necessarily assigned.
A successful exploit could allow an attacker to execute commands with elevated privileges on the underlying Linux shell of an affected device.”
The problem affects Nexus 3000, 3500, 7000, 7700, 9000 and Series Switches and Nexus 9500 R-Series Line Cards and Fabric Modules.
The second exposure is due to insufficient authorization enforcement. An attacker could exploit this vulnerability by authenticating to the targeted device and executing commands that could lead to elevated privileges. A successful exploit could allow an attacker to make configuration changes to the system as administrator.
The problem affects Nexus 3000, 3500, 3600, 9000 and Nexus 9500 R-Series line cards and fabric modules.
Warning to secure POAP provisioning tool
Cisco also released an Informational advisory for Cisco Nexus switches using the automatic provisioning or zero-touch-deployment feature called PowerOn Auto Provisioning (POAP).
Cisco said the feature assists in automating the initial deployment and configuration of Nexus switches, and that POAP disables itself after a configuration is applied. But Cisco said it is critical to properly secure networks in which POAP is employed.
“Some customers may want to disable the POAP feature and use other methods to configure a Nexus device out of the box,” Cisco stated.
To this end, Cisco wrote that it has added multiple new commands to disable POAP that will persist across a reset to factory defaults and the removal of a configuration. For guidelines on securing a POAP environment, as well as information about disabling the feature, see the details and recommendations sections of the advisory.
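Returning to the LDAP advisory above, which attributes the DoS to improper parsing of BER-encoded LDAP packets: the following is an added example, not Cisco's code or anything from the advisory, showing the bounds checks a BER reader has to make before trusting a declared length. The LDAPMessage layout is from RFC 4511; the sample packets are constructed, not captured traffic.

```python
# Added example (not from the Cisco advisory or Cisco code): a bounds-checked
# BER TLV reader for the LDAPMessage envelope. Sample packets are constructed.

class BerError(ValueError):
    pass

def read_tlv(buf: bytes, pos: int = 0):
    """Parse one BER TLV at buf[pos:]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise BerError("truncated: need tag and length bytes")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                        # short form: length is the byte itself
        length = first
    elif first == 0x80:                     # indefinite form: RFC 4511 forbids it
        raise BerError("indefinite length not permitted in LDAP")
    else:                                   # long form: low 7 bits = width of length
        width = first & 0x7F
        if width > 4 or pos + width > len(buf):
            raise BerError("length field too wide or truncated")
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    if length > len(buf) - pos:             # the check a careless parser skips
        raise BerError(f"declared length {length} exceeds {len(buf) - pos} remaining bytes")
    return tag, buf[pos:pos + length], pos + length

def parse_ldap_envelope(pkt: bytes):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }."""
    tag, body, end = read_tlv(pkt)
    if tag != 0x30 or end != len(pkt):
        raise BerError("LDAPMessage must be a single SEQUENCE")
    mtag, mid, nxt = read_tlv(body)
    if mtag != 0x02 or not 1 <= len(mid) <= 4:
        raise BerError("bad messageID")
    op_tag, _op_body, _ = read_tlv(body, nxt)
    return int.from_bytes(mid, "big", signed=True), op_tag

def is_well_formed(pkt: bytes) -> bool:
    """True if pkt parses as a complete LDAPMessage, False on any BER defect."""
    try:
        parse_ldap_envelope(pkt)
        return True
    except BerError:
        return False

# Constructed samples: a valid BindResponse (messageID 1, resultCode success),
# and an envelope whose long-form length claims 0xFFFF bytes but carries 3.
GOOD = bytes.fromhex("300c02010161070a010004000400")
OVERSIZED = bytes.fromhex("3082ffff020101")
```

A parser that copies `length` bytes without the final comparison reads past the packet buffer, which is the kind of defect that ends in a device reload; a receiver should also drop LDAP traffic whose source is not one of its configured servers, as the advisory's precondition implies.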