Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2412
Views
5
Helpful
5
Replies

Cisco Smart Install Protocol Vunerability

Go to solution
georgehewittuk1
Level 1
Level 1

‎01-14-2019 05:22 AM - edited ‎03-08-2019 05:01 PM

Hi All,

 

I've detected that one of our devices is affected by a vunerability [https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi] whereby Smart Install client is exploted. Our code version does not allow us to do a 'no vstack' to disable the feature.

 

Other than the ACL workaround how can I verify what future code versions offer the ability to disable the feature if we were to upgrade? To conclude I'm looking on how one would check for a future code version that allows us to turn off or the Smart install is disabled!

Many Thanks

George

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to georgehewittuk1

‎01-14-2019 05:58 AM

ok thats odd they dont allow to disable the feature , i can confirm that in later version you can disable it im running 3.8.6 IOS-XE on 45s

and on my 3650/38s were running 3.6.7b and we can disable it on that too
You may be stuck with the ACL workaround for your current image

What platform are you on ?

xxxxxx#sh vstack config | i Disabled
Oper Mode: Disabled
xxxxxx#sh ver | i SPA.03.08.06
System image file is "bootflash:cat4500es8-universalk9.SPA.03.08.06.E.152-4.E6.bin"

View solution in original post

5 Replies 5

Go to solution
Mark Malone
VIP Alumni
VIP Alumni

‎01-14-2019 05:37 AM - edited ‎01-14-2019 05:46 AM

Hi
You would need to check the command output for that specific IOS version on the Cisco website or post the version your going to use and see if someone is running it already and can confirm ,eacxh IOS has a linked command output guide by alphabetical order , you could confirm there if the command is present in that code to disable

out of interest which version are you on as we disabled this on all our IOS-XE devices last year without issue

also did you check its not already disabled by default in show run all | i vstack

 

EDIT : if you cant turn it off it cant be on usually , are you sure this specific version is effected ?

0 Helpful

Go to solution
georgehewittuk1
Level 1
Level 1
In response to Mark Malone

‎01-14-2019 05:49 AM

Thanks for your reply.

 

Code version -  03.08.02.E

 

It is defintley enabled unforuntaely.

#show vstack config Role: Client (SmartInstall enabled) 

 

 

Even if we knew when the command was added that would be of use!

 

 

 

0 Helpful

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to georgehewittuk1

‎01-14-2019 05:58 AM

ok thats odd they dont allow to disable the feature , i can confirm that in later version you can disable it im running 3.8.6 IOS-XE on 45s

and on my 3650/38s were running 3.6.7b and we can disable it on that too
You may be stuck with the ACL workaround for your current image

What platform are you on ?

xxxxxx#sh vstack config | i Disabled
Oper Mode: Disabled
xxxxxx#sh ver | i SPA.03.08.06
System image file is "bootflash:cat4500es8-universalk9.SPA.03.08.06.E.152-4.E6.bin"

Go to solution
georgehewittuk1
Level 1
Level 1
In response to Mark Malone

‎01-14-2019 06:53 AM

That is very helpful knowing we can do it after this code release. Going to look at upgrading
0 Helpful

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame
In response to georgehewittuk1

‎01-14-2019 09:56 PM

Upgrade the stack. The command "no vstack" is available in later releases.
0 Helpful
Customers Also Viewed These Support Documents