Cisco Community
English
Register
Great changes are coming to Cisco Community in July. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
1240
Views
25
Helpful
7
Replies
leyakhath muhammed
Beginner
Beginner
‎04-09-2018 07:42 PM
‎04-09-2018 07:42 PM

CVE-2018-0171 & CVE-2018-0156

Could you please help take a look and confirm whether this needs to be done or not? Please Suggest me thanks

CVE-2018-0171 & CVE-2018-0156  c2960s-universalk9-tar.122-55.SE10 and

c3560-ipbase-mz.122-50.SE5

 

thanks

Labels:
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Leo Laohoo
VIP Community Legend VIP Community Legend
VIP Community Legend
In response to Suraj Kamble
‎04-25-2018 01:21 PM
‎04-25-2018 01:21 PM

Go HERE to see a list of routers & switches that support Smart Install.  If the routers & switches are in this list, issue the command "no vstack" or "no vstack config" and this should disable Smart Install. 

Next, for switches not found in this list, you need to put an ACL to block TCP port 4786 and apply the ACL to all VLANs with an IP address.  

NOTEThere is one or two switch model that do not support the "no vstack" or "no vstack config" command but they have an IBC role so the ACL is mandatory in this case.

View solution in original post

7 REPLIES 7
Dennis Mink
Advisor
Advisor
‎04-09-2018 08:18 PM
‎04-09-2018 08:18 PM

just run "no vstack" on your switches this turns the smrt install client off. no poiunt upgrading IOS's if you are not using the feature. If it doesnt run, it cant be exploited.

Please remember to rate useful posts, by clicking on the stars below.

Suraj Kamble
Beginner
Beginner
In response to Dennis Mink
‎04-25-2018 10:55 AM
‎04-25-2018 10:55 AM

Hi, The cisco bug id CSCvg76186 associated with this CVE says the known affected release is 15.2(5)e. Does this mean other ios versions are not vulnerable even though smart install is enabled?
0 Helpful
Leo Laohoo
VIP Community Legend VIP Community Legend
VIP Community Legend
In response to Suraj Kamble
‎04-25-2018 01:21 PM
‎04-25-2018 01:21 PM

Go HERE to see a list of routers & switches that support Smart Install.  If the routers & switches are in this list, issue the command "no vstack" or "no vstack config" and this should disable Smart Install. 

Next, for switches not found in this list, you need to put an ACL to block TCP port 4786 and apply the ACL to all VLANs with an IP address.  

NOTEThere is one or two switch model that do not support the "no vstack" or "no vstack config" command but they have an IBC role so the ACL is mandatory in this case.

Leo Laohoo
VIP Community Legend VIP Community Legend
VIP Community Legend
‎04-10-2018 12:14 AM
‎04-10-2018 12:14 AM

Dennis is correct.  

Disable Smart Install by using the command "no vstack".

Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature

Suraj Kamble
Beginner
Beginner
In response to Leo Laohoo
‎04-25-2018 10:52 AM
‎04-25-2018 10:52 AM

Hi, The cisco bug id CSCvg76186 associated with this CVE says the known affected release is 15.2(5)e. Does this mean other ios versions are not vulnerable even though smart install is enabled? 

leyakhath muhammed
Beginner
Beginner
In response to Leo Laohoo
‎05-03-2018 06:54 PM
‎05-03-2018 06:54 PM

3750X is presently working as a stack if I disable smart install by using the command "no vstack", will it get affected with stack members?
0 Helpful
Leo Laohoo
VIP Community Legend VIP Community Legend
VIP Community Legend
In response to leyakhath muhammed
‎05-04-2018 01:19 AM
‎05-04-2018 01:19 AM

No it won't.
Latest Contents
AppDynamics
Created by mclymer on 06-30-2022 09:46 AM
0
0
0
0
Cisco Champion Radio: S9|E25 SD-WAN and Ubiquitous Cloud Sec...
Created by Amilee San Juan on 06-29-2022 02:35 PM
0
0
0
0
Listen: https://smarturl.it/CCRS9E25 Follow us: twitter.com/ciscochampions With applications and users everywhere, the networks are now, more than ever, being tasked with delivering consistent protection while providing an exceptional user exper... view more
Cisco Champion Radio: S9|E24 Cisco Radio Aware Routing
Created by Amilee San Juan on 06-28-2022 01:30 PM
0
0
0
0
Listen: https://smarturl.it/CCRS9E24 Follow us: https://twitter.com/CiscoChampion  Cisco Radio Aware Routing addresses several of the challenges faced when merging IP routing and radio communications in mobile networks, especially those exhibiti... view more
Cisco Champion Radio: S9|E23 The Cisco Catalyst 9136 Wi-Fi 6...
Created by Amilee San Juan on 06-28-2022 01:21 PM
0
0
0
0
Listen: https://smarturl.it/CCRS9E23 Follow us: https://twitter.com/CiscoChampion The Wi-Fi 6E Catalyst 9136 access point takes advantage of the 6-GHz band to produce a network that is more reliable and secure, with higher throughput, more ... view more
DR and the Type-2 LSA in OSPFv3 versus OSPFv2
Created by Meddane on 06-24-2022 04:35 PM
0
0
0
0
When moving from OSPFv2 to OSPFv3, there are many changes in the format of the LSAs Type, but the most known changes are: IP prefix informations are no longer carried in Type-1 LSA and Type-2 LSA, new LSAs Type 8 and 9 are added to carry these prefixes. L... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad