[c-nsp] 3750 and CVE-2018-0167

Sebastian Beutel sebastian.beutel at rus.uni-stuttgart.de
Mon Jun 4 13:15:04 EDT 2018 

Hi Chuck,

On Mon, Jun 04, 2018 at 11:41:52AM -0400, Chuck Church wrote:
>
> I thought with LLDP you can turn off receive and transmit of LLDP messages
> separately.  If you disable the receipt of them and only transmit, does
> that address the issue?
>
The security advisory mentioned no workaround. Maybe this could help and we
will definitively give it a try. Maybe we even find an exploit to test it.
Thanks for the suggestion.

>
> These switches are end of all support dates. They most surely won't
> address this bug.
>
I know. End of shipping was 2013 and end of security was 2016. But as this
plattform is still widely useed, my naive hope was, that Cisco could utilise
this issue to demonstrate the world that they offer the benefits of a
premium class vendor that doesn't sell their customers down the river, even
if their product is long out of sale. 

Best,
   Sebastian.
 
> 
> On Mon, Jun 4, 2018 at 5:54 AM, Sebastian Beutel <
> sebastian.beutel at rus.uni-stuttgart.de> wrote:
> 
> > Hi Brian,
> >
> > On Thu, May 31, 2018 at 07:03:23PM +0200, Brian Turnbow wrote:
> > >
> > > We don't use lldp, but you can turn it off on an interface by interface
> > > bassis.
> > >
> > We need lldp because our ip phones learn their voice vlan via lldp. We
> > can't
> > define dedicated phone ports because people are used to plug in their phone
> > wherever they choose to.
> >
> > >
> > > Why run it on ports with devices outside of your control?
> > >
> > We didn't choose so. Universities had byod long before it had a name...
> >
> > Best,
> >     Sebastian.
> >
> > >
> > > > -----Original Message-----
> > > > From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf
> > Of
> > > > Sebastian Beutel
> > > > Sent: mercoledì 30 maggio 2018 17:52
> > > > To: cisco-nsp at puck.nether.net
> > > > Subject: [c-nsp] 3750 and CVE-2018-0167
> > > >
> > > > Dear list,
> > > >
> > > >     we're still having some Cat 3750 in operation and it will still
> > take
> > > some time
> > > > till we can retire the last ones. We've asked Cisco whether they are
> > > planning
> > > > to publish a new software image for this platform that fixes
> > > > CVE-2018-0167 despite the fact that the product is way beyond end of
> > > > security and vulnerability support.
> > > >     Our Cisco representative stated that they are not planning to do so
> > > despite
> > > > the severity of the bug. He also said we're the only customer having
> > > this issue.
> > > > So my question is: If you're still running 3750s, how do you deal with
> > > this?
> > > >
> > > > Best,
> > > >    Sebastian.
> > > >
> > > > P.S.: Cisco's advisory:
> > > >
> > > https://tools.cisco.com/security/center/content/
> > CiscoSecurityAdvisory/cisco-sa-20180328-lldp
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >

More information about the cisco-nsp mailing list