Cisco IOS and Cisco IOS XE Software OpenSSH TCP Denial of Service Vulnerability

jh840bjjhj · ‎08-19-2016

Dear All,

We need one workaround or something else.

Cisco IOS and Cisco IOS XE Software OpenSSH TCP Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160620-isr

Could you help my with some solution?

Kind Regards

Phil Brutsche · ‎08-19-2016

Yeah, that's basically it.

View solution in original post

Phil Brutsche · ‎08-19-2016

The best suggestion I have is to limit SSH access to the device.

jh840bjjhj · ‎08-19-2016

Sorry, but i new in this.

Can you help my with more about this.?

Thank you so much.

Phil Brutsche · ‎08-19-2016

Putting an access-list on the VTY will prevent attackers from connecting: the TCP SYN packet will be rejected, and the TCP connection will not be established; without the TCP connection the attacker will not be able to exploit the vulnerability

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/12-4t/sec-data-acl-12-4t-book/sec-cntrl-acc-vtl.html

jh840bjjhj · ‎08-19-2016

Ah, that's good.

Something like this?

------------------------------------------

line vty 0 4
session-timeout 30
access-class 30 in

----------------------------------------------------------------

SWITCH#sh access-lists
Standard IP access list 30
10 permit 192.168.1.1
20 permit 192.168.1.2 (618 matches)

--------------------------------------------------------

Or more specific.

Please advice

Phil Brutsche · ‎08-19-2016

Yeah, that's basically it.

jh840bjjhj · ‎08-19-2016

Thank for help me Phill Brutsche. again, thank for your time.

And, Again, thank for your time.

Workarounds for: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160620-isr

Cisco IOS and Cisco IOS XE Software OpenSSH TCP Denial of Service Vulnerability