Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1789
Views
25
Helpful
7
Replies

CVE-2018-0171 & CVE-2018-0156

Go to solution
leyakhath muhammed
Level 1
Level 1

‎04-09-2018 07:42 PM - edited ‎03-08-2019 02:35 PM

Could you please help take a look and confirm whether this needs to be done or not? Please Suggest me thanks

CVE-2018-0171 & CVE-2018-0156  c2960s-universalk9-tar.122-55.SE10 and

c3560-ipbase-mz.122-50.SE5

 

thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame
In response to Suraj Kamble

‎04-25-2018 01:21 PM

Go HERE to see a list of routers & switches that support Smart Install.  If the routers & switches are in this list, issue the command "no vstack" or "no vstack config" and this should disable Smart Install. 

Next, for switches not found in this list, you need to put an ACL to block TCP port 4786 and apply the ACL to all VLANs with an IP address.  

NOTEThere is one or two switch model that do not support the "no vstack" or "no vstack config" command but they have an IBC role so the ACL is mandatory in this case.

View solution in original post

7 Replies 7

Go to solution
Dennis Mink
VIP Alumni
VIP Alumni

‎04-09-2018 08:18 PM

just run "no vstack" on your switches this turns the smrt install client off. no poiunt upgrading IOS's if you are not using the feature. If it doesnt run, it cant be exploited.

Please remember to rate useful posts, by clicking on the stars below.

Go to solution
Suraj Kamble
Level 1
Level 1
In response to Dennis Mink

‎04-25-2018 10:55 AM

Hi, The cisco bug id CSCvg76186 associated with this CVE says the known affected release is 15.2(5)e. Does this mean other ios versions are not vulnerable even though smart install is enabled?
0 Helpful

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame
In response to Suraj Kamble

‎04-25-2018 01:21 PM

Go HERE to see a list of routers & switches that support Smart Install.  If the routers & switches are in this list, issue the command "no vstack" or "no vstack config" and this should disable Smart Install. 

Next, for switches not found in this list, you need to put an ACL to block TCP port 4786 and apply the ACL to all VLANs with an IP address.  

NOTEThere is one or two switch model that do not support the "no vstack" or "no vstack config" command but they have an IBC role so the ACL is mandatory in this case.

Go to solution
Suraj Kamble
Level 1
Level 1
In response to Leo Laohoo

‎04-25-2018 10:52 AM

Hi, The cisco bug id CSCvg76186 associated with this CVE says the known affected release is 15.2(5)e. Does this mean other ios versions are not vulnerable even though smart install is enabled? 

Go to solution
leyakhath muhammed
Level 1
Level 1
In response to Leo Laohoo

‎05-03-2018 06:54 PM

3750X is presently working as a stack if I disable smart install by using the command "no vstack", will it get affected with stack members?
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card