CSCvf73881 - Cisco IOS and IOS XE Software Quality of Service Remote Code Execution Vulnerability

aamsq11
Level 1

Does anyone see port 18999 still open even after the workaround has been applied?

I applied the workaround as suggested in the advisory and ran an nmap scan; it shows it as an open port. Any concerns with this?

3 Replies

ahmadzubair654
Level 1

The workaround simply matches a certain type of traffic, and once a match hits the rule, it drops it from going through the control plane. It will not disable services or turn off UDP port 18999 in this instance. You can try upgrading your IOS. Hope this helps! (:

e_stalnaker
Level 1

If you look at the workaround ACL, it does not block all traffic to the port, it only blocks fragments.

! -- Ignore fragments to prevent them from being misclassified by the policy
access-list 199 deny ip any any fragments
! -- Classify traffic destined to UDP Port 18999 so that we can drop it prior to being processed
access-list 199 permit udp any any eq 18999

As the previous poster stated, it's not turning off 18999, it's only stopping it from going through the control plane. If you want to block it entirely, an ACL denying UDP 18999 to the management IP(s) of the device would be the way.
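As an added illustration (not from the thread, and not Cisco code), a small Python model of IOS first-match ACL evaluation, including the rule that a non-initial fragment satisfies a permit entry carrying port information but skips a deny entry carrying one, applied to ACL 199 as quoted above; destination addresses are left out of the model and the sample packets are constructed.

```python
# Added example, not Cisco code: a first-match model of IOS ACL semantics,
# applied to ACL 199 from the thread (destination addresses are not modelled).
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str                      # "udp", "tcp", ...
    dst_port: Optional[int]         # None when there is no L4 header
    non_initial_fragment: bool = False

@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    dst_port: Optional[int] = None  # L4 info (the 'eq <port>' part)
    fragments: bool = False         # the 'fragments' keyword

def evaluate(acl: List[Ace], p: Packet) -> str:
    # Action of the first matching entry; implicit deny at the end.
    for ace in acl:
        if ace.proto not in ("ip", p.proto):
            continue
        if ace.fragments:               # matches only non-initial fragments
            if p.non_initial_fragment:
                return ace.action
            continue
        if ace.dst_port is None:        # L3-only entry applies to every packet
            return ace.action
        if p.non_initial_fragment:      # no L4 header: IOS applies a permit entry
            if ace.action == "permit":  # to the fragment but skips a deny entry
                return "permit"
            continue
        if p.dst_port == ace.dst_port:
            return ace.action
    return "deny"

# ACL 199 as quoted above. It feeds a CoPP class, so 'permit' means "classified
# into the drop class": what this ACL permits is what the control plane drops.
ACL_199 = [Ace("deny", "ip", fragments=True), Ace("permit", "udp", dst_port=18999)]

def copp_drops(acl: List[Ace], p: Packet) -> bool:
    return evaluate(acl, p) == "permit"

# Constructed samples: a scanner's UDP probe to 18999, a non-initial fragment of
# an unrelated UDP flow (e.g. SNMP), and a normal SNMP packet.
PROBE = Packet("udp", 18999)
FRAGMENT = Packet("udp", None, non_initial_fragment=True)
SNMP = Packet("udp", 161)
```

Run against the samples, it shows that the UDP probe is classified into the drop class (the CoPP policy discards it; the port itself is not closed), while the leading deny-fragments line keeps fragments of unrelated UDP flows out of that class.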