Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2784
Views
0
Helpful
3
Replies

Cisco IOS Software DHCP Remote Code Execution Vulnerability on Cisco 4928-10GE

Go to solution
drpillow
Level 1
Level 1

‎01-08-2018 11:22 AM - edited ‎03-10-2019 12:57 AM

I currently have a 4928-10GE that is running the latest code release of 15.0.2-SG11.  I am still getting a Nessus Vulnerability for Cisco IOS Software DHCP Remote Code Execution Vulnerability.  I consulted Cisco Documentation.    The switch is giving out ip-helper addresses for several VLANS for PXE/DHCP forwarding, which is why the vulnerability is showing up from what I read in the documentation.

 

Is there a work around for this vulnerability, since no newer IOS releases are available?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Bogdan Nita
VIP Alumni
VIP Alumni

‎01-10-2018 07:50 AM

There is no workaround.

In order to address this you would need to upgrade the software, but the 4928 is eol so no new software is available for this devices.

You could turn off the dhcp relay or upgrade the devices.

 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-dhcp

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-4900-series-switches/eol_c51-702107.html

 

HTH

Bogdan

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Bogdan Nita
VIP Alumni
VIP Alumni

‎01-10-2018 07:50 AM

There is no workaround.

In order to address this you would need to upgrade the software, but the 4928 is eol so no new software is available for this devices.

You could turn off the dhcp relay or upgrade the devices.

 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-dhcp

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-4900-series-switches/eol_c51-702107.html

 

HTH

Bogdan

0 Helpful

Go to solution
drpillow
Level 1
Level 1
In response to Bogdan Nita

‎01-10-2018 09:04 AM

Thank you, so remove the ip-helper relays on each VLAN.

 

Thanks for the information.

 

0 Helpful

Go to solution
Bogdan Nita
VIP Alumni
VIP Alumni
In response to drpillow

‎01-10-2018 11:25 PM

Yes that will mitigate the DHCP Remote Code Execution Vulnerability, but it will also stop the clients getting IPs from the DHCP server.

0 Helpful
Customers Also Viewed These Support Documents
Top