CVE-2018-0171 & CVE-2018-0156

Could you please take a look and confirm whether this needs to be done or not? Please advise, thanks.

CVE-2018-0171 & CVE-2018-0156: c2960s-universalk9-tar.122-55.SE10 and c3560-ipbase-mz.122-50.SE5

Thanks

Accepted Solutions

Go HERE to see a list of routers & switches that support Smart Install.  If the routers & switches are in this list, issue the command "no vstack" or "no vstack config" and this should disable Smart Install. 

Next, for switches not found in this list, you need to put an ACL to block TCP port 4786 and apply the ACL to all VLANs with an IP address.  

NOTE: There are one or two switch models that do not support the "no vstack" or "no vstack config" command but they have an IBC role, so the ACL is mandatory in this case.
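
One way to check a saved running-config against the two mitigations in the answer above (an added example, not part of the original post and not Cisco tooling). The function name, sample config and ACL names are constructed; it assumes a disabled feature shows up as a literal `no vstack` line, recognizes only the exact entry `deny tcp any any eq 4786`, and looks only at VLAN interfaces, as the answer does.

```python
import re

def audit_smart_install(config):
    """Report Smart Install (TCP 4786) exposure for one running-config text."""
    disabled = False
    acl_blocks = {}   # ACL name -> True/False, set by its first decisive entry
    svis = {}         # SVI name -> {"ip": bool, "acl_in": name or None}
    section = None    # ("acl" | "svi", name) of the block being read
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line starts a new section
            section = None
            if re.fullmatch(r"no vstack( config)?", line):  # assumed literal form
                disabled = True
            elif m := re.fullmatch(r"ip access-list extended (\S+)", line):
                section = ("acl", m.group(1))
            elif m := re.fullmatch(r"interface (Vlan\d+)", line):
                section = ("svi", m.group(1))
                svis[m.group(1)] = {"ip": False, "acl_in": None}
        elif section and section[0] == "acl" and section[1] not in acl_blocks:
            # ACLs are first-match: a broad permit ahead of the deny defeats it.
            if re.fullmatch(r"deny\s+tcp\s+any\s+any\s+eq\s+4786", line):
                acl_blocks[section[1]] = True
            elif re.fullmatch(r"permit\s+(ip|tcp)\s+any\s+any(\s+eq\s+4786)?", line):
                acl_blocks[section[1]] = False
        elif section and section[0] == "svi":
            if line.startswith("ip address "):
                svis[section[1]]["ip"] = True
            elif m := re.fullmatch(r"ip access-group (\S+) in", line):
                svis[section[1]]["acl_in"] = m.group(1)
    exposed = sorted(n for n, s in svis.items()
                     if s["ip"] and not acl_blocks.get(s["acl_in"], False))
    return {"vstack_disabled": disabled, "exposed_svis": exposed,
            "mitigated": disabled or not exposed}

# Constructed sample config (documentation address ranges, made-up ACL names).
SAMPLE = """\
ip access-list extended BLOCK-SMI
 deny tcp any any eq 4786
 permit ip any any
ip access-list extended LATE-DENY
 permit ip any any
 deny tcp any any eq 4786
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip access-group BLOCK-SMI in
interface Vlan20
 ip address 198.51.100.1 255.255.255.0
 ip access-group LATE-DENY in
"""
```

On the sample, `Vlan20` is reported as exposed because its ACL permits all traffic before the deny entry is reached.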

Dennis Mink
Advisor

Just run "no vstack" on your switches; this turns the Smart Install client off. No point upgrading IOS if you are not using the feature. If it doesn't run, it can't be exploited.

Please remember to rate useful posts, by clicking on the stars below.

Hi, the Cisco bug ID CSCvg76186 associated with this CVE says the known affected release is 15.2(5)e. Does this mean other IOS versions are not vulnerable even though Smart Install is enabled?

Leo Laohoo
VIP Community Legend

Dennis is correct.  

Disable Smart Install by using the command "no vstack".

Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature

The 3750X is presently working as a stack. If I disable Smart Install by using the command "no vstack", will the stack members be affected?

No it won't.