Re: Upgrade 2960S on 122-58.SE2 to 15.2(2)E8

dmooreami · ‎04-05-2018

Do I have to download any PAK files or do anything else to get my 2960S' upgraded to 15.2(2)E8 to fix the smart install DOS bug? My 2960s are running c2960s-universalk9-mz.

Can I expect some errors in the config due to certain setting in the cli being depreciated. These 2960s are in a stackwise "stack".

We don't use the gui feature of the 2960's, so will just be doing a tftp to the flash and changing the "system boot" to point to the new image on all the switches.

Thanks

Leo Laohoo · ‎04-05-2018

The SmartInstall bug/vulnerability can be disabled by issuing the command "no vstack".

dmooreami · ‎04-05-2018

Thanks for the reply.

I have done that (no vstack), but Cisco does not list that as a "work around" solution in the Security notice.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi

Leo Laohoo · ‎04-05-2018

Post the complete output to the command "sh vstack conf".

dmooreami · ‎04-06-2018

#sho vstack config
Role: Client (SmartInstall disabled)
Vstack Director IP address: 0.0.0.0

Again, Cisco security advisory does not list using "no vstack" as a workaround in the document.

dmooreami · ‎04-06-2018

seems that using "no vstack" WILL keep the smart install bug from happening.

This tread shows a it being tested and using "no vstack" keeps the malformed packet from reloading the switch. Shame Cisco didn't put this in the security advisory.

https://supportforums.cisco.com/t5/cisco-bug-discussions/cscvg76186-cisco-smart-install-remote-code-execution-and-denial/td-p/3360928

Leo Laohoo · ‎04-06-2018

@dmooreami wrote:
Role: Client (SmartInstall disabled)

VStack is not running. That's good.