Workarounds for: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160620-isr

jh840bjjhj
Level 1

Dear All,

We need one workaround or something else.

Cisco IOS and Cisco IOS XE Software OpenSSH TCP Denial of Service Vulnerability

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160620-isr

Could you help me with some solution?

Kind Regards


Phil Brutsche
Level 1

The best suggestion I have is to limit SSH access to the device.

Sorry, but I am new to this.

Can you help me with more about this?

Thank you so much.

Putting an access-list on the VTY will prevent attackers from connecting: the TCP SYN packet will be rejected, and the TCP connection will not be established; without the TCP connection the attacker will not be able to exploit the vulnerability.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/12-4t/sec-data-acl-12-4t-book/sec-cntrl-acc-vtl.html

Ah, that's good.

Something like this?

------------------------------------------

line vty 0 4
 session-timeout 30
 access-class 30 in

----------------------------------------------------------------

SWITCH#sh access-lists
Standard IP access list 30
    10 permit 192.168.1.1
    20 permit 192.168.1.2 (618 matches)

--------------------------------------------------------

Or more specific.


Please advise.

Yeah, that's basically it.

jh840bjjhj
Level 1

Thanks for helping me, Phil Brutsche. Again, thanks for your time.

And, again, thanks for your time.
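
An added example, not part of the thread and not Cisco code: a Python check for the VTY access-class workaround discussed above, run over a saved running-config. The sample config, the function names and the finding strings are constructed for illustration; it reports VTY blocks with no inbound access-class, or whose ACL is missing from the config or permits any source.

```python
import re

# Constructed sample running-config (not taken from the thread's device).
SAMPLE_CONFIG = """\
access-list 30 permit 192.168.1.1
access-list 30 permit 192.168.1.2
access-list 40 permit any
line vty 0 4
 session-timeout 30
 access-class 30 in
line vty 5 15
 transport input ssh
line vty 16 20
 access-class 40 in
line vty 21 25
 access-class 50 in
"""

def parse_acls(config):
    """Map ACL name/number -> list of entries (numbered and named forms)."""
    acls, current = {}, None
    for line in config.splitlines():
        numbered = re.match(r"access-list (\S+) (.+)", line)
        named = re.match(r"ip access-list \w+ (\S+)", line)
        if numbered:
            acls.setdefault(numbered.group(1), []).append(numbered.group(2))
        elif named:
            current = named.group(1)
            acls.setdefault(current, [])
        elif current and line.startswith(" "):
            # Entry inside a named ACL; drop an optional sequence number.
            acls[current].append(re.sub(r"^\d+\s+", "", line.strip()))
        else:
            current = None
    return acls

def audit_vty(config):
    """Return (vty_range, finding) for each VTY block that is not restricted."""
    acls, findings = parse_acls(config), []
    blocks = re.findall(r"^line vty (\d+(?: \d+)?)\n((?: .*\n?)*)", config, re.M)
    for vty, body in blocks:
        m = re.search(r"^ access-class (\S+) in\b", body, re.M)
        if not m:
            findings.append((vty, "no inbound access-class"))
        elif m.group(1) not in acls:
            findings.append((vty, f"ACL {m.group(1)} not defined"))
        elif any(re.match(r"permit any\b", e) for e in acls[m.group(1)]):
            findings.append((vty, f"ACL {m.group(1)} permits any source"))
    return findings
```

Every VTY range on the device needs the access-class, not only `line vty 0 4`; the check treats each `line vty` block separately for that reason.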