Cisco advisories and IOS version confusion

NGJ
Level 1

Hi, I must begin to update our company switches against current vulnerabilities, and I’m confused and unclear how some advisories are even applicable to our switches.

I.e. the Sept 18 Cisco advisories list cisco-sa-20180926-ptp (Cisco IOS Software Precision Time Protocol Denial of Service Vulnerability).

Our 2960-x switches run 15.2(2)E7. The Cisco IOS checker states the advisory was fixed in version 15.2(2)E9. So I assume our IOS version is vulnerable against this advisory.

The advisory says that to check if PTP is enabled, use ‘show PTP clock’.

Yet, when I try the command ‘show PTP clock’, it isn’t available? Nor are any commands to enable PTP.

I don’t understand how our IOS version is listed as having the vulnerability, as it seems to me the feature isn’t even available. There are a few other similar advisories like this.

Can anyone assist in clearing up my confusion? Thanks

2 Accepted Solutions


Leo Laohoo
Hall of Fame
Precision Time Protocol is only found in IE 2K/3K/4K switches, and the 2960X isn't one of them.
So you're in the clear with this vulnerability.


Dennis Mink
VIP Alumni

In general, certain vulnerabilities are only seen when using certain versions on certain physical kit. So for instance, a webvpn vuln. on an ASA only applies to you when you a. have an ASA and b. have webvpn enabled on it. So if you have an ASA and have not got webvpn enabled on it, then you are in the clear. The same principle goes for PTP.

Hope that makes sense

Please remember to rate useful posts, by clicking on the stars below.


4 Replies

Thanks Leo for the quick reply. Good to know it doesn't affect the 2960x. However, why would the Cisco IOS checker tool, when I input our IOS version as 15.2(2)E7, list the PTP vulnerability? Is it a case that the same IOS version, installed on a different switch family, i.e. the IE switches you mention, will have different features?

Hi Dennis, yes, that makes sense. Thanks for the response.
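
The triage order the replies describe (hardware family first, then release, then feature state), as an added Python example that is not part of the original thread or of any Cisco tool. The platform labels `IE2K`/`IE3K`/`IE4K`/`2960X`, the `Advisory` record and the status strings are assumptions built from values quoted in the thread; only rebuilds within one release train are compared.

```python
import re
from dataclasses import dataclass

# IOS release strings in the form quoted in the thread, e.g. 15.2(2)E7.
IOS_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]+)(\d*)$")

def parse_ios(version):
    """'15.2(2)E7' -> ((15, 2, 2, 'E'), 7): release train and rebuild number."""
    m = IOS_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version: {version!r}")
    major, minor, maint, train, rebuild = m.groups()
    return (int(major), int(minor), int(maint), train), int(rebuild or 0)

def predates_fix(running, first_fixed):
    """True/False within one train; None when trains differ (not compared here)."""
    run_train, run_rebuild = parse_ios(running)
    fix_train, fix_rebuild = parse_ios(first_fixed)
    if run_train != fix_train:
        return None
    return run_rebuild < fix_rebuild

@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    first_fixed: str              # first fixed release for the train being checked
    feature_platforms: frozenset  # hardware families that have the feature at all

def triage(adv, platform, running, feature_enabled):
    """Apply the three conditions in order: hardware, release, feature state."""
    if platform not in adv.feature_platforms:
        return "not-applicable"   # feature does not exist on this hardware
    older = predates_fix(running, adv.first_fixed)
    if older is None:
        return "manual-review"    # different train: consult the advisory itself
    if not older:
        return "fixed"
    return "vulnerable" if feature_enabled else "affected-release-feature-off"

# Constructed from values quoted in the thread, not from Cisco's advisory data.
PTP = Advisory("cisco-sa-20180926-ptp", "15.2(2)E9",
               frozenset({"IE2K", "IE3K", "IE4K"}))

if __name__ == "__main__":
    print(triage(PTP, "2960X", "15.2(2)E7", feature_enabled=False))
    print(triage(PTP, "IE4K", "15.2(2)E7", feature_enabled=True))
```

A version-only lookup stops at the release comparison, which is why it can flag a switch that does not have the feature at all.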