[c-nsp] Recent 3750X oddity
Bryan Holloway
bryan at shout.net
Wed Sep 27 20:16:56 EDT 2017
Thank you, everyone!
On 9/27/17 12:52 PM, Jim Glassford wrote:
>
>
> On 9/27/2017 1:47 PM, Chris Russell wrote:
>> On 27/09/2017 16:44, Bryan Holloway wrote:
>>> In case anyone's interested, this problem mysteriously stopped
>>> occurring about two days after I first reported it to the list.
>>>
>>> Curiously enough, it started happening again on Monday, September
>>> 25th, and again it has gone silent.
>>
>> This is a bug - can't remember the bug id, but it's a vstack DoS, the
>> original bug ID shows as fixed however we've had acknowledgement from
>> Cisco this isn't the case and it won't be fixed till E7.
>>
>> Workaround: If you don't use vstack, type "no vstack"
>>
>> Cheers
>>
>> Chris
>>
>
>
> FYI on the vstack
>
> Cisco Security Response: Cisco Smart Install Protocol Misuse
>
> Response ID: cisco-sr-20170214-smi
>
> Revision 1.0
>
> For Public Release 2017 February 14 16:00 UTC (GMT)
>
> +---------------------------------------------------------------------
>
> Summary
> =======
>
> Several researchers have reported on the use of Smart Install (SMI)
> protocol messages toward Smart Install clients, also known as
> integrated branch clients (IBC), allowing an unauthenticated, remote
> attacker to change the startup-config file and force a reload of the
> device, upgrade the IOS image on the device, and execute
> high-privilege CLI commands on switches running Cisco IOS and IOS XE
> Software.
>
> Cisco does not consider this a vulnerability in Cisco IOS, IOS XE, or
> the Smart Install feature itself but a misuse of the Smart Install
> protocol that by design does not require authentication. Customers
> who seek more than zero-touch deployment should consider deploying
> the Cisco Network Plug and Play solution instead.
>
> Cisco has updated the Smart Install Configuration Guide to include
> security best practices regarding the deployment of the Cisco Smart
> Install feature within customer infrastructures:
> http://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/concepts.html#23355
>
>
> This response is available at the following link:
> https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi
>
>
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
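
Added example, not part of the original thread: a small audit over saved switch configs that reports which ones lack the "no vstack" workaround mentioned above. It assumes a switch with Smart Install turned off shows a global `no vstack` line in its saved config; the file names, hostnames, address and function names are constructed for illustration.

```python
import re

# Constructed sample configs (not from the thread); names and address are made up.
SAMPLE_CONFIGS = {
    "sw-a.cfg": "hostname sw-a\n!\nno vstack\n!\ninterface Gi1/0/1\n description uplink\n",
    "sw-b.cfg": "hostname sw-b\n!\ninterface Gi1/0/1\n description no vstack\n!\n"
                "vstack director 192.0.2.10\n",
    "sw-c.cfg": "hostname sw-c\n!\nend\n",
}


def vstack_status(config_text):
    """Return (hostname, status, vstack_lines) for one saved config."""
    hostname, disabled, vstack_lines = "(unknown)", False, []
    for line in config_text.splitlines():
        # Global commands start in column 0. Indented lines belong to a
        # sub-mode (e.g. an interface description), so they are ignored.
        if not line or line[0].isspace() or line.startswith("!"):
            continue
        match = re.match(r"hostname\s+(\S+)", line)
        if match:
            hostname = match.group(1)
        elif line.strip() == "no vstack":
            disabled = True
        elif line.startswith("vstack"):
            vstack_lines.append(line.strip())
    if disabled:
        status = "disabled"
    elif vstack_lines:
        status = "configured"       # explicit Smart Install configuration present
    else:
        status = "no-disable-line"  # assumption: feature left at its default
    return hostname, status, vstack_lines


def needs_review(configs):
    """Hostnames whose config lacks a global 'no vstack' line, sorted."""
    flagged = []
    for text in configs.values():
        hostname, status, _ = vstack_status(text)
        if status != "disabled":
            flagged.append(hostname)
    return sorted(flagged)


if __name__ == "__main__":
    for name, text in sorted(SAMPLE_CONFIGS.items()):
        print(name, *vstack_status(text))
    print("review:", needs_review(SAMPLE_CONFIGS))
```
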