[c-nsp] 3750 and CVE-2018-0167

Tristan Gulyas evilzardoz at gmail.com
Wed Jul 18 03:42:57 EDT 2018 

Hi,

Glad that someone else is seeing similar things that we are:

1. 3850s have buggy code. We have been running 3850s since November 2015 and still do not have a bug-free release of code.  We just recently hit an issue where the box would either not program an ACL into the ASIC and/or crash the box if we tried to play around with it.

2. Cat9300s with their new licensing model and costing are off-putting. Plus their 48 port multigigabit model is deeper than the 3850, so it won't fit in our 600mm deep racks.

3. There is still vulnerability support for the last 16M flash version of code on 3750G:
https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3750-series-switches/eos-eol-notice-c51-731425.html <https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3750-series-switches/eos-eol-notice-c51-731425.html>

I logged a case re: the vstack issue, however Cisco claim the ability to disable a vulnerable service is considered a *feature request* and not a security issue.  I did observe an SE11 release but this lacks the fix we need for this issue.

At least we have a workaround to put an ACL on all the management SVIs to block that service, but it's still not ideal.  We are currently downgrading our 3750G fleet to 3850s, but this Takes A Long Time, especially when physical work is required and we keep hitting software defects which have caused significant delays to the project.  Plus, the CVE aside, the 3750G switches are still providing a reliable service to customers.

Tristan

> On 8 Jun 2018, at 7:10 pm, Sebastian Beutel <sebastian.beutel at rus.uni-stuttgart.de> wrote:
> 
> Hi Chuck,
> 
> On Mon, Jun 04, 2018 at 07:46:56PM -0400, Chuck Church wrote:
>> 
>> Cisco might be willing to do that, but I think they'd much rather you buy a
>> new switch.  I have seen them offer updates beyond end of security patch
>> dates, but it's usually for larger chassis such as 6500s.  
>> 
> It's not that we want to keep these old switches. We're allready replaced
> most of them with 3850, we are still doing so and planned to to be done at
> the end of 2018. As our 3750 turned out to be pretty stable workhorses this
> seems like a doable thing. But now, with CVE-2018-0167 in mind, that date is
> now pretty far in the future. As we know of the wide spread of 3750 we
> believe that we are not the only customers having this sort of problem. In
> my ears cisco is telling me here: "We fucked up but now it's your problem
> replacing about a hundred switches over night"
>   As we assume that cisco will announce end of live of 3850 maybe in 2019
> we need to decide what plattform will be next. Ciscos current software
> quality combined with the new port based licence model of 9k and experiences
> like this summ up to a hard decision. 
> 
> Best,
>     Sebastian.
> 
>> 
>> -----Original Message-----
>> From: Sebastian Beutel <sebastian.beutel at rus.uni-stuttgart.de> 
>> Sent: Monday, June 04, 2018 1:15 PM
>> To: Chuck Church <chuckchurch at gmail.com>
>> Cc: Brian Turnbow <b.turnbow at twt.it>; NSP - Cisco
>> <cisco-nsp at puck.nether.net>
>> Subject: Re: [c-nsp] 3750 and CVE-2018-0167
>> 
>> Hi Chuck,
>> 
>> On Mon, Jun 04, 2018 at 11:41:52AM -0400, Chuck Church wrote:
>>> 
>>> I thought with LLDP you can turn off receive and transmit of LLDP 
>>> messages separately.  If you disable the receipt of them and only 
>>> transmit, does that address the issue?
>>> 
>> The security advisory mentioned no workaround. Maybe this could help and we
>> will definitively give it a try. Maybe we even find an exploit to test it.
>> Thanks for the suggestion.
>> 
>>> 
>>> These switches are end of all support dates. They most surely won't 
>>> address this bug.
>>> 
>> I know. End of shipping was 2013 and end of security was 2016. But as this
>> plattform is still widely useed, my naive hope was, that Cisco could utilise
>> this issue to demonstrate the world that they offer the benefits of a
>> premium class vendor that doesn't sell their customers down the river, even
>> if their product is long out of sale. 
>> 
>> Best,
>>   Sebastian.
>> 
>>> 
>>> On Mon, Jun 4, 2018 at 5:54 AM, Sebastian Beutel < 
>>> sebastian.beutel at rus.uni-stuttgart.de> wrote:
>>> 
>>>> Hi Brian,
>>>> 
>>>> On Thu, May 31, 2018 at 07:03:23PM +0200, Brian Turnbow wrote:
>>>>> 
>>>>> We don't use lldp, but you can turn it off on an interface by 
>>>>> interface bassis.
>>>>> 
>>>> We need lldp because our ip phones learn their voice vlan via lldp. 
>>>> We can't define dedicated phone ports because people are used to 
>>>> plug in their phone wherever they choose to.
>>>> 
>>>>> 
>>>>> Why run it on ports with devices outside of your control?
>>>>> 
>>>> We didn't choose so. Universities had byod long before it had a name...
>>>> 
>>>> Best,
>>>>    Sebastian.
>>>> 
>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On 
>>>>>> Behalf
>>>> Of
>>>>>> Sebastian Beutel
>>>>>> Sent: mercoledì 30 maggio 2018 17:52
>>>>>> To: cisco-nsp at puck.nether.net
>>>>>> Subject: [c-nsp] 3750 and CVE-2018-0167
>>>>>> 
>>>>>> Dear list,
>>>>>> 
>>>>>>    we're still having some Cat 3750 in operation and it will 
>>>>>> still
>>>> take
>>>>> some time
>>>>>> till we can retire the last ones. We've asked Cisco whether they 
>>>>>> are
>>>>> planning
>>>>>> to publish a new software image for this platform that fixes
>>>>>> CVE-2018-0167 despite the fact that the product is way beyond 
>>>>>> end of security and vulnerability support.
>>>>>>    Our Cisco representative stated that they are not planning 
>>>>>> to do so
>>>>> despite
>>>>>> the severity of the bug. He also said we're the only customer 
>>>>>> having
>>>>> this issue.
>>>>>> So my question is: If you're still running 3750s, how do you 
>>>>>> deal with
>>>>> this?
>>>>>> 
>>>>>> Best,
>>>>>>   Sebastian.
>>>>>> 
>>>>>> P.S.: Cisco's advisory:
>>>>>> 
>>>>> https://tools.cisco.com/security/center/content/
>>>> CiscoSecurityAdvisory/cisco-sa-20180328-lldp
>>>> 
>>>> _______________________________________________
>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>> 
>> 
>> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list