03-21-2017 11:33 PM - edited 03-08-2019 09:51 AM
Hi all,
For the recent CMP vulnerability, could applying an ACL on the VTY lines to allow remote telnet only from trusted hosts be a workaround before a fix patch is available?
03-23-2017 03:47 AM
From what I have been reading, the vulnerability is just affecting telnet within the CMP protocol, so I believe you would not be affected unless you are clustering your switches. If by chance you are clustering your switches, applying an ACL on the VTY line is not a workaround, but it will limit which subnets or IPs will be able to perform attacks.
The only real workaround is to disable telnet until a patch is available.
--
Please remember to select a correct answer and rate helpful posts
03-24-2017 03:26 AM
While the Cisco site stated the devices will be vulnerable only if CMP is configured, I have found the following information at http://thehackernews.com:
"The vulnerability is in the default configuration of affected Cisco devices, even if the user doesn't configure any cluster configuration commands. The flaw can be exploited during Telnet session negotiation over either IPv4 or IPv6."
Not sure about the veracity of that source, need to research more.
Workaround: Instead of transport input telnet or transport input telnet ssh, leave the configuration with transport input ssh only.
How to verify if CMP is configured:
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2900-xl-series-switches/4085-61.html#show_output
Cisco Security Advisory:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
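As an added example (not part of this thread and not Cisco tooling), the script below audits the VTY sections of an IOS running-config text and reports which ranges still permit Telnet through "transport input", and whether an inbound "access-class" ACL is applied to them. It reflects the distinction made in the posts above: an access-class only narrows the sources that can reach the Telnet service, while "transport input ssh" removes it. The config excerpt, hostname and ACL name are constructed, and the function names are this example's own; "transport input all" is treated as permitting Telnet, and a VTY block with no explicit transport line is flagged for manual verification rather than assumed safe.

```python
"""Audit 'line vty' blocks of a Cisco IOS running-config for Telnet exposure.

Added example for this thread, not Cisco's code. Feed it the text of
'show running-config'; it returns one finding per VTY range that still
admits Telnet (or whose transport setting is not explicit).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample running-config excerpt (hostname and ACL name are made up).
SAMPLE_CONFIG = """\
hostname edge-sw1
!
line con 0
 logging synchronous
line vty 0 4
 access-class MGMT-HOSTS in
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
end
"""


@dataclass
class VtyLine:
    name: str                                   # e.g. "line vty 0 4"
    transport_input: Optional[List[str]] = None  # tokens after 'transport input'
    access_class_in: Optional[str] = None        # ACL name from 'access-class X in'

    @property
    def telnet_allowed(self) -> bool:
        # 'transport input all' admits every protocol, Telnet included.
        if self.transport_input is None:
            return False
        return "telnet" in self.transport_input or "all" in self.transport_input


def parse_vty_lines(config: str) -> List[VtyLine]:
    """Return one VtyLine per 'line vty ...' block found in the config text."""
    vtys: List[VtyLine] = []
    current: Optional[VtyLine] = None
    for raw in config.splitlines():
        if re.match(r"^line vty \d+(?: \d+)?$", raw):
            current = VtyLine(name=raw)
            vtys.append(current)
        elif raw.startswith("line "):
            current = None                      # con/aux block: not a VTY
        elif current is not None and raw.startswith(" "):
            tokens = raw.split()
            if tokens[:2] == ["transport", "input"]:
                current.transport_input = tokens[2:]
            elif tokens[0] == "access-class" and tokens[-1] == "in":
                current.access_class_in = tokens[1]
    return vtys


def audit(config: str) -> List[str]:
    """Produce human-readable findings for VTY ranges that still expose Telnet."""
    findings: List[str] = []
    for vty in parse_vty_lines(config):
        if vty.transport_input is None:
            findings.append(
                f"{vty.name}: no explicit 'transport input'; verify platform default"
            )
        elif vty.telnet_allowed:
            acl = (
                f"access-class {vty.access_class_in} in limits sources"
                if vty.access_class_in
                else "no inbound access-class"
            )
            findings.append(
                f"{vty.name}: Telnet permitted ({acl}); change to 'transport input ssh'"
            )
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["no VTY range permits Telnet"]:
        print(line)
```

Run against the constructed sample, the script flags only "line vty 0 4": it has an inbound ACL, which narrows who can reach it, but Telnet is still offered there. The "5 15" range, which carries "transport input ssh" only, produces no finding, matching the workaround recommended in the posts above.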