03-07-2024 02:08 AM
Dear Friends,
I'm looking for a solution to resolve the vulnerability below on a Cisco ISR4331 router:
Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability (cisco-sa-20170317-cmp)
I have attached the screenshot.
Regards
DI
03-07-2024 02:33 AM
@dissai From your output you've enabled only SSH on all VTY lines, and from that link I provided:
Switch#show running-config | include ^line vty|transport input
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
Switch#
My suggestion would be to upgrade your software to remove the vulnerability.
You should as a best practice have a VTY ACL restricting trusted networks to connect on SSH only.
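As an added example (not from the original post or from Cisco), the following Python audit script applies the two checks discussed in this thread to a saved copy of "show running-config": it flags VTY line ranges where Telnet is still an allowed input transport (the CMP advisory's vector) and ranges with no inbound access-class. The sample configuration is constructed for illustration; whether an absent "transport input" permits Telnet depends on the platform default, so the script only reports it as unconfirmed.

```python
import re

# Constructed sample "show running-config" excerpt (not from the original
# post): vty 0 4 is hardened, vty 5 15 still allows Telnet, vty 16 31 has
# neither an explicit transport nor an ACL.
SAMPLE_CONFIG = """\
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
line vty 5 15
 transport input telnet ssh
line vty 16 31
 login local
!
end
"""

def parse_vty_lines(config):
    """Return {'vty 0 4': [sub-commands...], ...} from running-config text."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        if re.match(r"^line vty\b", raw):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())   # indented sub-command
        else:
            current = None                        # '!', 'end' or other top-level command
    return blocks

def audit_vty(config):
    """Return (line-range, finding) tuples for VTY ranges that need attention."""
    findings = []
    for name, cmds in parse_vty_lines(config).items():
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        has_acl = any(c.startswith("access-class") and "in" in c.split() for c in cmds)
        if transport is None:
            findings.append((name, "no explicit 'transport input'; Telnet may be allowed by platform default"))
        elif {"telnet", "all"} & set(transport.split()[2:]):
            findings.append((name, f"Telnet enabled ({transport})"))
        if not has_acl:
            findings.append((name, "no inbound access-class restricting management sources"))
    return findings

if __name__ == "__main__":
    for line_range, finding in audit_vty(SAMPLE_CONFIG):
        print(f"line {line_range}: {finding}")
```

Run it against the real device output saved to a file (read the file into `audit_vty`); an empty result means every VTY range is SSH-only and ACL-protected, which still does not replace the software upgrade.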
03-07-2024 02:16 AM
Disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector. Disabling Telnet and using SSH is recommended by Cisco. Information on how to do both can be found on the Cisco Guide to Harden Cisco IOS Devices.
Refer to this advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp