cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
753
Views
0
Helpful
6
Replies
dmooreami
Participant

Upgrade 2960S on 122-58.SE2 to 15.2(2)E8

Do I have to download any PAK files or do anything else to get my 2960S' upgraded to 15.2(2)E8 to fix the smart install DOS bug?  My 2960s are running c2960s-universalk9-mz.

 

Can I expect some errors in the config due to certain setting in the cli being depreciated. These 2960s are in a stackwise "stack".

 

We don't use the gui feature of the 2960's, so will just be doing a tftp to the flash and changing the "system boot" to point to the new image on all the switches. 

 

Thanks

6 REPLIES 6
Leo Laohoo
VIP Community Legend

The SmartInstall bug/vulnerability can be disabled by issuing the command "no vstack".  

Thanks for the reply.

 

I have done that (no vstack), but Cisco does not list that as a "work around"  solution in the Security notice.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi

 

Leo Laohoo
VIP Community Legend

Post the complete output to the command "sh vstack conf".

#sho vstack config
Role: Client (SmartInstall disabled)
Vstack Director IP address: 0.0.0.0

Again, Cisco security advisory does not list using "no vstack" as a workaround in the document.

seems that using "no vstack" WILL keep the smart install bug from happening.

 

This tread shows a it being tested and using "no vstack" keeps the malformed packet from reloading the switch. Shame Cisco didn't put this in the security advisory.

 

https://supportforums.cisco.com/t5/cisco-bug-discussions/cscvg76186-cisco-smart-install-remote-code-execution-and-denial/td-p/3360928

Leo Laohoo
VIP Community Legend


@dmooreami wrote:
Role: Client (SmartInstall disabled)

VStack is not running.  That's good.