Traffic into vty line between LIIN0 and an unknown foreign address

Hi guys,

I have something weird on my C3850 ...

All my vty lines are used by an unknown machine (screenshot below).

I tried some commands like "clear line vty" or "clear tcp bcp ###" etc., but this machine (192.168.1.2) still opens telnet connections between LIIN0 (192.168.1.1) and the foreign address (192.168.1.2) on my vty lines ...

Has anybody here already seen this before, and what can I do?

Thanks in advance (sorry for my language and syntax for my first post here ^^)

[Attached screenshots: line.png, line2.png, line3.png, line4.png, line5.png]

 

 


Re: Traffic into vty line between LIIN0 and an unknown foreign address

Are you running some special stuff on this device?

LIIN = Linux-IOS Internal Network

 

Jeroen

Re: Traffic into vty line between LIIN0 and an unknown foreign address

That being said, there seems to be a bug which has many similarities:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuj90227

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20131224-CVE-2013-6979

Are you running the listed software releases?


Re: Traffic into vty line between LIIN0 and an unknown foreign address

Hi Jeroen,

Thanks for your answer.

My stack is running this version: 03.02.03SE..

Does it mean that there is an attack on my LAN?

How can I fix it?

Thanks a lot

Re: Traffic into vty line between LIIN0 and an unknown foreign address

You run a version that matches the affected versions on a 3850. This makes you vulnerable to this bug.

I cannot confirm if you're compromised or not as I have no further knowledge of your network.

Please read the bug report and try to verify if it's worth performing an upgrade or not. They also provide a workaround.

 

Jeroen

 

 


Re: Traffic into vty line between LIIN0 and an unknown foreign address

Do you have any tips to find the MAC address of this machine's IP (192.168.1.2) with some Cisco command or something else?
NB: I fixed it with an access-list on the vty line, but I'm curious and would like to know what happened ;)
Thanks Jeroen

Re: Traffic into vty line between LIIN0 and an unknown foreign address

Hi,

No idea... I don't think the embedded Linux is accessible. That would probably be the place to check the arp-cache for that specific IP and retrieve the MAC.

 

Jeroen
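Added example, not part of the thread or of Cisco's tooling: a small Python check that reads saved `show tcp brief` output and reports Telnet/SSH sessions terminating on the LIIN0 address, which is the symptom described in the first post. The sample output is constructed, the function names are hypothetical, and the LIIN0 address default and vty line count are assumptions to adjust per device.

```python
import re
from collections import Counter

# Constructed sample in the column layout of IOS "show tcp brief"
# (TCB, local addr.port, foreign addr.port, state). Not taken from the post.
SAMPLE = """\
TCB       Local Address               Foreign Address             (state)
3A1F0010  192.168.1.1.23              192.168.1.2.41022           ESTAB
3A1F0458  192.168.1.1.23              192.168.1.2.41023           ESTAB
3A1F08A0  192.168.1.1.23              192.168.1.2.41024           ESTAB
3A1F0CE8  10.10.20.5.22               10.10.20.77.50312           ESTAB
3A1F1130  192.168.1.1.23              192.168.1.2.41025           CLOSEWAIT
"""

# IOS prints address and port joined by a dot: 192.168.1.1.23
ROW = re.compile(
    r"^(?P<tcb>[0-9A-Fa-f]+)\s+"
    r"(?P<lip>\d+(?:\.\d+){3})\.(?P<lport>\d+)\s+"
    r"(?P<fip>\d+(?:\.\d+){3})\.(?P<fport>\d+)\s+"
    r"(?P<state>\S+)$"
)
MGMT_PORTS = {22, 23}  # SSH and Telnet listeners that consume vty lines


def parse_tcp_brief(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["lport"], row["fport"] = int(row["lport"]), int(row["fport"])
            rows.append(row)
    return rows


def liin_vty_sessions(text, liin_addr="192.168.1.1"):
    """Sessions whose local end is the LIIN0 address on a management port."""
    return [r for r in parse_tcp_brief(text)
            if r["lip"] == liin_addr and r["lport"] in MGMT_PORTS]


def summarize(text, liin_addr="192.168.1.1", vty_lines=5):
    """vty_lines is an assumption; take the real count from the device config."""
    hits = liin_vty_sessions(text, liin_addr)
    return {
        "peers": dict(Counter(r["fip"] for r in hits)),
        "tcbs": [r["tcb"] for r in hits],  # handles to review or clear
        "vty_exhausted": len(hits) >= vty_lines,
    }
```
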
