Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code

dissai
Level 1

Dear Friends,

I'm looking for a solution to resolve the vulnerability below on a Cisco ISR4331 router:

Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability (cisco-sa-20170317-cmp)

I have attached the screen shot. 

Regards

DI

Accepted Solution

@dissai From your output you've enabled only SSH on all VTY lines, and from that link I provided:

  • The SSH protocol is the only protocol enabled for incoming connections on all VTYs. No Telnet connections are possible to any VTY on the device while using this configuration. This configuration is not vulnerable.
Switch#show running-config | include ^line vty|transport input
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
Switch#

My suggestion would be to upgrade your software to remove the vulnerability.

As a best practice, you should have a VTY ACL that restricts SSH access to trusted networks only.
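A way to audit the accepted answer's criterion across many devices, as an added example that is not from the thread or from Cisco: parse `show run | sec line vty` output and classify each VTY range by what its `transport input` allows. The sample configuration is constructed; a range with no `transport input` command is reported as "unspecified" rather than assumed safe, since it inherits the platform default, and `telnet_vector_closed` returns True only when every range explicitly excludes Telnet.

```python
import re
# Constructed sample shaped like `show run | sec line vty` output (not from the thread).
SAMPLE_CONFIG = """\
line vty 0 4
 exec-timeout 60 0
 transport input ssh
 transport output none
line vty 5 9
 transport input telnet ssh
line vty 10 15
 privilege level 15
"""

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")

def parse_vty_stanzas(output):
    """Map each VTY range ('0-4') to its sub-commands; indentation is optional."""
    stanzas, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.endswith("#") or line.startswith("!"):
            continue                       # blank lines, CLI prompts, IOS '!' separators
        m = VTY_RE.match(line)
        if m:
            first, last = m.group(1), m.group(2) or m.group(1)
            current = first if first == last else f"{first}-{last}"
            stanzas[current] = []
        elif line.startswith("line "):
            current = None                 # con/aux/other line types are out of scope
        elif current is not None:
            stanzas[current].append(line)
    return stanzas

def telnet_exposure(stanzas):
    """Classify each VTY range as 'telnet-allowed', 'no-telnet' or 'unspecified'."""
    verdicts = {}
    for rng, cmds in stanzas.items():
        inputs = [c.split()[2:] for c in cmds if c.startswith("transport input ")]
        if not inputs:
            verdicts[rng] = "unspecified"      # inherits the platform default: review by hand
        elif set(inputs[-1]) & {"telnet", "all"}:  # the last `transport input` wins
            verdicts[rng] = "telnet-allowed"
        else:
            verdicts[rng] = "no-telnet"        # e.g. `transport input ssh` or `none`
    return verdicts

def telnet_vector_closed(output):
    # True only when every VTY range explicitly excludes Telnet (the accepted answer's criterion).
    verdicts = telnet_exposure(parse_vty_stanzas(output))
    return bool(verdicts) and all(v == "no-telnet" for v in verdicts.values())
```

Note that a clean result here only shows the Telnet vector is closed; as the answer says, removing the vulnerability itself still requires the software upgrade.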


3 Replies

@dissai

Disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector. Disabling Telnet and using SSH is recommended by Cisco. Information on how to do both can be found on the Cisco Guide to Harden Cisco IOS Devices.

Refer to this advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
Hello Roby,

See the output below. I have not allowed Telnet, and I'm still getting the vulnerability finding.

SERVICE-RT#
SERVICE-RT#show run | sec line vty
line vty 0 4
exec-timeout 60 0
privilege level 15
transport input ssh
transport output none
line vty 5 15
exec-timeout 60 0
privilege level 15
transport input ssh
transport output none
SERVICE-RT#

Another router has the same issue.

line vty 0 4
transport input ssh
transport output ssh
line vty 5
privilege level 15
transport input ssh
transport output ssh
line vty 6 14
transport input ssh
line vty 15
session-timeout 10 output
transport input ssh
