04-11-2025 10:23 AM - edited 04-11-2025 10:30 AM
hi,
in reading about CVE-2017-3881:
https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20170317-cmp.html
I see it says: "Cisco has released software updates that address this vulnerability."
But nowhere in that webpage do I see which *version* of IOS contains the fix - how can I find that version number?
Also, how can I find the versions that *do* contain the vulnerability?
(Hopefully there's a more direct method than just using the Cisco software checker website?)
And am I to understand that there are TWO ways to address this CVE:
1) Install the software update, or
2) disable telnet/CMP/etc.
thanks,
js.
04-11-2025 01:58 PM
The Advisory shows the bug ID, while the Bug Search Tool shows Known Fixed Releases for CSCvd48893 (it appears that there are 193 fixed releases).
The Advisory also says “Disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector.” Unless your network is an isolated lab environment, telnet should probably be disabled anyway. In production networks, telnet and ftp are just too vulnerable to eavesdropping.
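As an added example (not part of the original posts and not Cisco tooling), the sketch below audits a saved running-config for `line vty` sections that still accept Telnet, the exploit vector the advisory says to disable. The sample config and the function name `audit_vty_telnet` are constructed for illustration; a section with no explicit `transport input` is reported separately because the default depends on platform and release.

```python
import re

# Verdict strings (hypothetical labels used only by this example).
ALLOWED = "telnet allowed"
BLOCKED = "telnet not allowed"
DEFAULT = "no explicit transport input (platform default applies)"

# Constructed sample running-config fragment, not taken from the thread.
SAMPLE_CONFIG = """\
line con 0
 exec-timeout 5 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
line vty 16 31
 login local
"""

def audit_vty_telnet(config_text):
    """Return {vty section header: verdict} for each 'line vty' section."""
    results = {}
    current = None
    for raw in config_text.splitlines():
        if raw and not raw[0].isspace():
            # A non-indented line (including '!') starts a new top-level section.
            current = raw.strip() if raw.startswith("line vty") else None
            if current:
                results[current] = DEFAULT
            continue
        if current is None:
            continue
        m = re.match(r"\s+transport input\s+(.+)", raw)
        if m:
            protocols = m.group(1).split()
            # 'all' includes Telnet; 'none' or 'ssh' alone does not.
            telnet_on = "telnet" in protocols or "all" in protocols
            results[current] = ALLOWED if telnet_on else BLOCKED
    return results

if __name__ == "__main__":
    for section, verdict in audit_vty_telnet(SAMPLE_CONFIG).items():
        print(f"{section}: {verdict}")
```
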
04-11-2025 04:43 PM - edited 04-11-2025 04:52 PM
CMP is old tech. It is the predecessor of the 3750 stacking technology and none of IOS-XE uses this technology any more.
EDIT: Actually, I am wrong. CMP is currently in use and has been given a new "name": Horizontal Stacking. 3560CX-12PD and Catalyst 1300 (still) use Horizontal Stacking.