The Cisco ACI must be configured to disable the auxiliary USB port.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-271972 | SRG-APP-000142-NDM-000245 | CACI-ND-000057 | SV-271972r1114185_rule | 2025-06-13 | 1 |
| Description |
|---|
| Disable the USB port in those environments where physical access to the devices is not strictly controlled, or in environments where this extra layer of protection is required. Cisco Nexus 9000 switches running Cisco ACI code have the USB port enabled by default. When the USB port is enabled, switches will try to boot from the USB drive first. This may be a security risk in case a malicious actor has physical access to the switch, given they could power-cycle the device to try to boot the switch from a USB image that contains malicious code. Even if this is not a common scenario considering that most organizations have physical access security guidelines in place, Cisco ACI release 5.2(3) introduced the option to disable the USB port using a specific switch policy. |
| ℹ️ Check |
|---|
| Verify the USB port is disabled: 1. Navigate to Fabric >> Access Policies >> Policies >> Switch >> USB Configuration >> default. 2. Verify the "Disable USB Port" box is checked. If the USB port is not disabled, this is a finding. |
| ✔️ Fix |
|---|
| Disable the USB port on all switches within the Cisco ACI fabric: 1. Navigate to Fabric >> Access Policies >> Policies >> Switch >> USB Configuration >> default. 2. Check the "Disable USB Port" box; this will disable the USB port on all switches within the Cisco ACI fabric. |