
Cluster Management Protocol Remote Code Execution Vulnerability

YUEN WAI NAM
Level 1

Hi all,

For the recent CMP vulnerability, could applying an ACL on the VTY lines to allow only trusted hosts to telnet in be a workaround before the fix patch is available?


From what I have been reading, the vulnerability only affects telnet within the CMP protocol, so I believe you would not be affected unless you are clustering your switches. If by chance you are clustering your switches, applying an ACL on the VTY line is not a workaround, but it will limit which subnets or IPs will be able to perform attacks.

The only real workaround is to disable telnet until a patch is available.

--

Please remember to select a correct answer and rate helpful posts


BmfL
Level 1

While the Cisco site states that the devices are vulnerable only if CMP is configured, I have found the following information at http://thehackernews.com:


"The vulnerability is in the default configuration of affected Cisco devices, even if the user doesn't configure any cluster configuration commands. The flaw can be exploited during Telnet session negotiation over either IPv4 or IPv6."


Not sure about the veracity of that source; I need to research more.


Workaround: Instead of transport input telnet or transport input telnet ssh, leave the configuration with transport input ssh only.

How to verify if CMP is configured:

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2900-xl-series-switches/4085-61.html#show_output

Cisco Security Advisory:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
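A small audit script, added here as an illustration and not part of either reply above, that checks a saved running-config for the two points discussed: whether any cluster commands are present, and whether any VTY line's transport input still permits Telnet instead of being SSH-only. The config text is constructed for the example, and treating a VTY block with no explicit transport input line as "verify platform default" is an assumption, not a Cisco rule.

```python
import re

# Constructed sample running-config excerpt (not from the page): one VTY block
# still accepts Telnet alongside SSH, the other is SSH-only.
SAMPLE_CONFIG = """\
hostname SW1
!
cluster enable LAB-CLUSTER 0
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
end
"""

def parse_vty_transports(config):
    """Map each 'line vty' range to the list of protocols in its transport input.

    A range with no explicit 'transport input' keeps an empty list."""
    result = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^line vty (\d+(?: \d+)?)$", line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        if current is not None and line.startswith(" transport input "):
            result[current] = line.split()[2:]
        elif current is not None and not line.startswith(" "):
            current = None  # left the 'line vty' block
    return result

def cluster_commands(config):
    """Return every global 'cluster ...' command found in the config."""
    return [l.strip() for l in config.splitlines() if l.strip().startswith("cluster ")]

def audit(config):
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = [f"cluster configuration present: '{c}'" for c in cluster_commands(config)]
    for rng, transports in parse_vty_transports(config).items():
        if not transports:
            findings.append(f"line vty {rng}: no explicit transport input, verify platform default")
        elif "telnet" in transports or "all" in transports:
            findings.append(f"line vty {rng} accepts telnet ({' '.join(transports)}); set 'transport input ssh'")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```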
