10-10-2018 02:37 PM - edited 03-10-2019 01:06 AM
Hi, I must begin to update our company switches against current vulnerabilities, and I’m confused and unclear how some advisories are even applicable to our switches.
E.g. the Sept 18 Cisco advisories list cisco-sa-20180926-ptp (Cisco IOS Software Precision Time Protocol Denial of Service Vulnerability).
Our 2960-x switches run 15.2(2)E7. The Cisco IOS checker states the advisory was fixed in version 15.2(2)E9. So I assume our IOS version is vulnerable against this advisory.
The advisory says that to check if PTP is enabled, use ‘show PTP clock’.
Yet when I try the command ‘show PTP clock’, it isn’t available. Nor are any commands to enable PTP.
I don’t understand how our IOS version is listed as having the vulnerability, as it seems to me the feature isn’t even available. There are a few other similar advisories like this.
Can anyone assist in clearing up my confusion? Thanks
10-10-2018 02:57 PM
10-10-2018 03:14 PM
Thanks Leo for the quick reply. Good to know it doesn't affect the 2960x. However, why would the Cisco IOS checker tool, when I input our IOS version as 15.2(2)E7, list the PTP vulnerability? Is it a case that the same IOS version, installed on a different switch family, i.e. the IE switches you mention, will have different features?
10-10-2018 04:17 PM
In general, certain vulnerabilities are only seen when using certain versions on certain physical kit. So, for instance, a webvpn vuln. on an ASA only applies to you when you a. have an ASA and b. have webvpn enabled on it. So if you have an ASA and have not got webvpn enabled on it, then you are in the clear. Same principle goes for PTP.
Hope that makes sense
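The triage reasoning discussed in this thread, written out in Python as an added example (not code from the posters or from Cisco). The function names, result strings and sample CLI output are constructed; the version comparison is only made between rebuilds of the same release, such as 15.2(2)E7 and 15.2(2)E9.

```python
import re

# IOS release string such as 15.2(2)E7: major.minor(maintenance)TRAINrebuild
IOS_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]+)(\d*)([a-z]?)$")
# Error the IOS CLI parser prints when a command does not exist in the running image
INVALID = "% Invalid input detected"

# Constructed sample: CLI response when the advisory's check command is not available
SAMPLE_UNAVAILABLE = (
    "Switch#show ptp clock\n"
    "             ^\n"
    "% Invalid input detected at '^' marker.\n"
)

def parse_ios(version):
    """Split a version into (release key, rebuild) so rebuilds can be compared."""
    m = IOS_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version: {version!r}")
    major, minor, maint, train, rebuild, letter = m.groups()
    return (int(major), int(minor), int(maint), train), (int(rebuild or 0), letter)

def version_affected(running, first_fixed):
    """True/False for rebuilds of one release; None when the releases differ."""
    run_key, run_rebuild = parse_ios(running)
    fix_key, fix_rebuild = parse_ios(first_fixed)
    if run_key != fix_key:
        return None  # not comparable here; use the advisory's fixed-release table
    return run_rebuild < fix_rebuild

def triage(running, first_fixed, check_output):
    """Combine the version result with the output of the advisory's check command."""
    affected = version_affected(running, first_fixed)
    if affected is False:
        return "running a fixed release"
    if INVALID in check_output:
        # The version matches, but the image on this platform lacks the feature
        return "check command not in this image: feature unavailable on this device"
    if affected is None:
        return "manual review: different release, see advisory"
    return "version affected and command exists: compare output with the advisory"

if __name__ == "__main__":
    print(triage("15.2(2)E7", "15.2(2)E9", SAMPLE_UNAVAILABLE))
```
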
10-11-2018 12:08 AM
Hi Dennis, yes, that makes sense. Thanks for the response.