[c-nsp] 3750 and CVE-2018-0167

Sebastian Beutel sebastian.beutel at rus.uni-stuttgart.de
Fri Jun 8 05:54:16 EDT 2018


Hi,

   thanks for the extensive answer, I will go into details below.

On Tue, Jun 05, 2018 at 11:20:07AM +0200, Antoine Monnier wrote:
>
> so the IP phones first get an IP address in the data VLAN, that is the
> default/native/untagged VLAN on that port.
>
Then it's like I initially supposed. I just thought there was a magic
trick I'm not aware of to get around this.

>
> Indeed in that VLAN they use the standard helper-address to get to the DHCP
> server. One of the options on that DHCP scope is the VLAN tag they need to
> use.
>
This won't work for us for several reasons: some of our SVIs have our DHCP
servers configured, others have the DHCP server of the corresponding
customer and a lot have no ip-helper at all. Maybe the customer there is
running his own L2-connected DHCP server, maybe he's configuring his hosts
manually.

Best,
    Sebastian.
 
> They then reboot and this time tag their traffic (and DHCP request) with
> the learned voice VLAN - in that DHCP scope they will likely learn also the
> TFTP server from which they need to download their full config.
> 
> 
> 
> On Mon, Jun 4, 2018 at 7:26 PM, Coy Hile <coy.hile at coyhile.com> wrote:
> 
> >
> >
> > > On Jun 4, 2018, at 13:18, Sebastian Beutel <sebastian.beutel at rus.uni-stuttgart.de> wrote:
> > >
> > > Hi Antoine,
> > >
> > >> On Mon, Jun 04, 2018 at 05:23:58PM +0200, Antoine Monnier wrote:
> > >> Usually IP phones can also learn their voice vlan through a specific DHCP
> > >> option in the data VLAN - they then reboot inside the voice vlan to get
> > >> their final IP. Might be an option?
> > >>
> > > Maybe that's a dumb question but how do they reach their dhcp server if they
> > > do not know the vlan yet where it resides?
> > >
> > > Best,
> > >   Sebastian.
> > >
> >
> > Helper addresses configured on the switch configure where such requests
> > should be forwarded.
> >
> > >> On Mon, Jun 4, 2018 at 11:54 AM, Sebastian Beutel <sebastian.beutel at rus.uni-stuttgart.de> wrote:
> > >>
> > >>> Hi Brian,
> > >>>
> > >>>> On Thu, May 31, 2018 at 07:03:23PM +0200, Brian Turnbow wrote:
> > >>>>
> > >>>> We don't use lldp, but you can turn it off on an interface by interface
> > >>>> basis.
> > >>>>
> > >>> We need lldp because our ip phones learn their voice vlan via lldp. We can't
> > >>> define dedicated phone ports because people are used to plugging in their
> > >>> phone wherever they choose to.
> > >>>
> > >>>>
> > >>>> Why run it on ports with devices outside of your control?
> > >>>>
> > >>> We didn't choose so. Universities had BYOD long before it had a name...
> > >>>
> > >>> Best,
> > >>>    Sebastian.
> > >>>
> > >>>>
> > >>>>> -----Original Message-----
> > >>>>> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf
> > >>> Of
> > >>>>> Sebastian Beutel
> > >>>>> Sent: mercoledì 30 maggio 2018 17:52
> > >>>>> To: cisco-nsp at puck.nether.net
> > >>>>> Subject: [c-nsp] 3750 and CVE-2018-0167
> > >>>>>
> > >>>>> Dear list,
> > >>>>>
> > >>>>>    we still have some Cat 3750s in operation and it will still take
> > >>>>> some time till we can retire the last ones. We've asked Cisco whether they
> > >>>>> are planning to publish a new software image for this platform that fixes
> > >>>>> CVE-2018-0167 despite the fact that the product is way beyond end of
> > >>>>> security and vulnerability support.
> > >>>>>    Our Cisco representative stated that they are not planning to do so
> > >>>>> despite the severity of the bug. He also said we're the only customer
> > >>>>> having this issue.
> > >>>>> So my question is: If you're still running 3750s, how do you deal with
> > >>>>> this?
> > >>>>>
> > >>>>> Best,
> > >>>>>   Sebastian.
> > >>>>>
> > >>>>> P.S.: Cisco's advisory:
> > >>>>>
> > >>>>> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp
> > >>>
> > >>> _______________________________________________
> > >>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > >>> https://puck.nether.net/mailman/listinfo/cisco-nsp
> > >>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >>>
> >
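
As an added illustration of the two workarounds discussed in this thread (editor's example, not configuration posted by anyone in it): an IOS fragment that stops LLDP on a port where arbitrary user devices plug in, leaves it running on a port reserved for an IP phone, and relays DHCP from the data VLAN's SVI to a central server via a helper address. The interface numbers, VLAN IDs, addresses, and the premise that a port can be classified as "phone" or "untrusted" are assumptions made for the example; as Sebastian explains above, ports in his network cannot be classified that way, which is why neither workaround fits him.

```cisco
! Added example, not from the thread. Interface/VLAN numbers and IP
! addresses are assumptions for illustration only.
!
! Port where untrusted devices plug in: stop LLDP in both directions, so
! the switch neither processes incoming LLDP PDUs on this port nor
! advertises itself.
interface GigabitEthernet1/0/1
 description office port, devices outside our control
 switchport mode access
 switchport access vlan 10
 no lldp transmit
 no lldp receive
!
! Port reserved for an IP phone: LLDP stays on so the phone can learn the
! voice VLAN; the PC behind the phone stays untagged in the data VLAN.
interface GigabitEthernet1/0/2
 description phone port
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
!
! Data-VLAN SVI relaying DHCP to a central server (the helper-address
! path by which a phone in the untagged VLAN can reach a DHCP server that
! is not L2-adjacent).
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip helper-address 198.51.100.5
!
! All-or-nothing alternative: disable LLDP on the whole switch.
! no lldp run
```

`show lldp interface GigabitEthernet1/0/1` shows the resulting per-port transmit/receive state, and `show lldp neighbors` should then list nothing learned on that port. Whether the per-interface form is an adequate mitigation for the advisory's vulnerabilities, as opposed to the global `no lldp run`, is something to check against the advisory text linked in the original message rather than assume.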