[c-nsp] 3750 and CVE-2018-0167

Antoine Monnier mrantoinemonnier at gmail.com
Tue Jun 5 05:20:07 EDT 2018


So the IP phones first get an IP address in the data VLAN, that is the
default/native/untagged VLAN on that port.
Indeed, in that VLAN they use the standard helper-address to get to the DHCP
server. One of the options on that DHCP scope is the VLAN tag they need to
use.

They then reboot and this time tag their traffic (and DHCP request) with
the learned voice VLAN - in that DHCP scope they will likely also learn the
TFTP server from which they need to download their full config.



On Mon, Jun 4, 2018 at 7:26 PM, Coy Hile <coy.hile at coyhile.com> wrote:

>
>
> > On Jun 4, 2018, at 13:18, Sebastian Beutel <sebastian.beutel at rus.uni-stuttgart.de> wrote:
> >
> > Hi Antoine,
> >
> >> On Mon, Jun 04, 2018 at 05:23:58PM +0200, Antoine Monnier wrote:
> >> Usually IP phones can also learn their voice vlan through a specific DHCP
> >> option in the data VLAN - they then reboot inside the voice vlan to get
> >> their final IP. Might be an option?
> >>
> > Maybe that's a dumb question but how do they reach their dhcp server if they
> > do not know the vlan yet where it resides?
> >
> > Best,
> >   Sebastian.
> >
>
> Helper addresses configured on the switch configure where such requests
> should be forwarded.
>
> >> On Mon, Jun 4, 2018 at 11:54 AM, Sebastian Beutel <
> >> sebastian.beutel at rus.uni-stuttgart.de> wrote:
> >>
> >>> Hi Brian,
> >>>
> >>>> On Thu, May 31, 2018 at 07:03:23PM +0200, Brian Turnbow wrote:
> >>>>
> >>>> We don't use lldp, but you can turn it off on an interface by interface
> >>>> basis.
> >>>>
> >>> We need lldp because our ip phones learn their voice vlan via lldp. We can't
> >>> define dedicated phone ports because people are used to plugging in their phone
> >>> wherever they choose to.
> >>>
> >>>>
> >>>> Why run it on ports with devices outside of your control?
> >>>>
> >>> We didn't choose so. Universities had byod long before it had a name...
> >>>
> >>> Best,
> >>>    Sebastian.
> >>>
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf
> >>> Of
> >>>>> Sebastian Beutel
> >>>>> Sent: Wednesday 30 May 2018 17:52
> >>>>> To: cisco-nsp at puck.nether.net
> >>>>> Subject: [c-nsp] 3750 and CVE-2018-0167
> >>>>>
> >>>>> Dear list,
> >>>>>
> >>>>>    we're still having some Cat 3750 in operation and it will still take
> >>>>> some time till we can retire the last ones. We've asked Cisco whether they are
> >>>>> planning to publish a new software image for this platform that fixes
> >>>>> CVE-2018-0167 despite the fact that the product is way beyond end of
> >>>>> security and vulnerability support.
> >>>>>    Our Cisco representative stated that they are not planning to do so
> >>>>> despite the severity of the bug. He also said we're the only customer having
> >>>>> this issue.
> >>>>> So my question is: If you're still running 3750s, how do you deal with
> >>>>> this?
> >>>>>
> >>>>> Best,
> >>>>>   Sebastian.
> >>>>>
> >>>>> P.S.: Cisco's advisory:
> >>>>>
> >>>>> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp
> >>>
> >>> _______________________________________________
> >>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >>> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>>
>
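As an added illustration of the two-stage boot Antoine describes (an example config, not anything posted in the thread): the access port carries the data VLAN untagged and the voice VLAN tagged, the data VLAN SVI relays DHCP via a helper address, the data scope hands the phone its voice VLAN id in a vendor-specific option, the voice scope hands out the TFTP server, and LLDP is switched off per interface as the workaround Brian mentions. VLAN ids, addresses, and the vendor option number and string format are assumptions; which DHCP option carries the VLAN id depends on the phone vendor.

```cisco
! Added example configuration, not from the thread. All VLAN ids,
! addresses and the vendor-specific VLAN option are assumed values.

! Access port: data VLAN 10 untagged, voice VLAN 20 accepted tagged.
! LLDP is disabled on this interface (the per-interface workaround
! discussed for CVE-2018-0167); the phone learns its voice VLAN from
! DHCP instead, so LLDP-MED is not needed on this port.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 no lldp transmit
 no lldp receive

! Stage 1: the phone's untagged DHCP request arrives in VLAN 10 and is
! relayed to the DHCP server by the helper address on the data SVI.
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip helper-address 10.0.99.5

! Stage 2: after rebooting, the phone tags with VLAN 20; its request
! arrives on the voice SVI and is relayed the same way.
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip helper-address 10.0.99.5

! DHCP server side, shown in IOS pool syntax for brevity.
! Data scope: the only thing the phone takes from it is the voice VLAN
! id. Option number and string format are phone-vendor specific; the
! values below are placeholders, not a real vendor's encoding.
ip dhcp pool DATA-VLAN10
 network 10.0.10.0 255.255.255.0
 default-router 10.0.10.1
 option <VENDOR_VLAN_OPTION> ascii "<vendor string carrying VLAN 20>"

! Voice scope: the phone's real lease plus the TFTP server (option 150)
! from which it fetches its full config.
ip dhcp pool VOICE-VLAN20
 network 10.0.20.0 255.255.255.0
 default-router 10.0.20.1
 option 150 ip 10.0.99.10
```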

