![]() In versions of Cisco IOS Software that support only the Smart Install director functionality, Smart Install can be disabled with the no vstack basic global configuration command. If a Cisco IOS Software release supports the Smart Install feature but the no vstack command does not exist, the release does not contain the fix for Cisco bug CSCtj75729. Note: The no vstack global configuration command to disable Smart Install was introduced with the fix for Cisco bug CSCtj75729 ("Ability to shut Smart Install default service on TCP port 4786"). In versions of Cisco IOS Software where this command is available, the vulnerability can be mitigated by disabling the Smart Install feature if it is not needed. ![]() In some versions of Cisco IOS Software, the Smart Install feature can be disabled with the global configuration command no vstack. The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M: Router> show versionĬisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)Ĭopyright (c) 1986-2009 by Cisco Systems, Inc.Ĭompiled Wed 02-Dec-09 17:17 by prod_rel_team !- output truncatedĪdditional information about Cisco IOS Software release naming conventions is available in "White Paper: Cisco IOS and NX-OS Software Reference Guide" at. Other Cisco devices do not have the show version command or may provide different output. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software release name. To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. These devices are typically routers and the feature is disabled by default because it requires additional configuration that is not necessary in the case of Smart Install clients. The Smart Install feature is disabled by default on devices that can act only as Smart Install directors. These devices are LAN switches (Cisco Catalyst Switches), and the default configuration is to enable Smart Install with a client role. The Smart Install feature is enabled by default on devices that can be configured to act as Smart Install directors or Smart Install clients. The following example shows the output from show tcp brief all | include 4786 on a device that has the Smart Install feature enabled: router# show tcp brief all | include 4786 The command show tcp brief all | include 4786 can be used to determine if TCP port 4786 is open (and therefore, to determine if Smart Install is enabled). The following is the output of show vstack config in a Cisco Catalyst Switch configured as a Smart Install director: Director# show vstack configĪ device that has the Smart Install feature enabled, either as a director or as a client, has TCP port 4786 in the open state. The following is the output of show vstack config in a Cisco Catalyst Switch configured as a Smart Install client: The outputs of show commands are different when entered on the director or on the client. To display Smart Install information, use the show vstack config privileged EXEC command on the Smart Install director or client. Individual publication links are in "Cisco Event Response: Semi-Annual Cisco IOS Software Security Advisory Bundled Publication" at the following link:ĭevices configured as a Smart Install client or director are affected by this vulnerability. Each advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all vulnerabilities in the March 2012 bundled publication. Note: The March 28, 2012, Cisco IOS Software Security Advisory bundled publication includes nine Cisco Security Advisories. This advisory is available at the following link: A workaround may be available in some versions of Cisco IOS Software if the Smart Install feature is not needed. ![]() The vulnerability is triggered when an affected device processes a malformed Smart Install message on TCP port 4786.Ĭisco has released software updates that address this vulnerability. Cisco IOS Software contains a vulnerability in the Smart Install feature that could allow an unauthenticated, remote attacker to cause a reload of an affected device if the Smart Install feature is enabled.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |