Re: [c-nsp] 3750 and CVE-2018-0167
Hi,

Glad that someone else is seeing similar things that we are:

1. 3850s have buggy code. We have been running 3850s since November 2015 and still do not have a bug-free release of code. We just recently hit an issue where the box would either not program an ACL into the ASIC and/or crash the box if we tried to play around with it.

2. Cat9300s with their new licensing model and costing are off-putting. Plus their 48-port multigigabit model is deeper than the 3850, so it won't fit in our 600mm deep racks.

3. There is still vulnerability support for the last 16M flash version of code on 3750G: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3750-series-switches/eos-eol-notice-c51-731425.html

I logged a case re: the vstack issue; however, Cisco claim the ability to disable a vulnerable service is considered a *feature request* and not a security issue. I did observe an SE11 release but this lacks the fix we need for this issue. At least we have a workaround to put an ACL on all the management SVIs to block that service, but it's still not ideal.

We are currently downgrading our 3750G fleet to 3850s, but this Takes A Long Time, especially when physical work is required and we keep hitting software defects which have caused significant delays to the project. Plus, the CVE aside, the 3750G switches are still providing a reliable service to customers.

Tristan

> On 8 Jun 2018, at 7:10 pm, Sebastian Beutel wrote:
>
> Hi Chuck,
>
> On Mon, Jun 04, 2018 at 07:46:56PM -0400, Chuck Church wrote:
>>
>> Cisco might be willing to do that, but I think they'd much rather you buy a
>> new switch. I have seen them offer updates beyond end of security patch
>> dates, but it's usually for larger chassis such as 6500s.
>>
> It's not that we want to keep these old switches. We've already replaced
> most of them with 3850, we are still doing so and planned to be done at
> the end of 2018. As our 3750 turned out to be pretty stable workhorses this
> seems like a doable thing. But now, with CVE-2018-0167 in mind, that date is
> now pretty far in the future. As we know of the wide spread of 3750 we
> believe that we are not the only customers having this sort of problem. In
> my ears Cisco is telling me here: "We fucked up but now it's your problem
> replacing about a hundred switches overnight"
> As we assume that Cisco will announce end of life of 3850 maybe in 2019
> we need to decide what platform will be next. Cisco's current software
> quality combined with the new port-based licence model of 9k and experiences
> like this sum up to a hard decision.
>
> Best,
> Sebastian.
>
>> -----Original Message-----
>> From: Sebastian Beutel
>> Sent: Monday, June 04, 2018 1:15 PM
>> To: Chuck Church
>> Cc: Brian Turnbow ; NSP - Cisco
>> Subject: Re: [c-nsp] 3750 and CVE-2018-0167
>>
>> Hi Chuck,
>>
>> On Mon, Jun 04, 2018 at 11:41:52AM -0400, Chuck Church wrote:
>>>
>>> I thought with LLDP you can turn off receive and transmit of LLDP
>>> messages separately. If you disable the receipt of them and only
>>> transmit, does that address the issue?
>>>
>> The security advisory mentioned no workaround. Maybe this could help and we
>> will definitely give it a try. Maybe we even find an exploit to test it.
>> Thanks for the suggestion.
>>
>>>
>>> These switches are end of all support dates. They most surely won't
>>> address this bug.
>>>
>> I know. End of shipping was 2013 and end of security was 2016. But as this
>> platform is still widely used, my naive hope was that Cisco could utilise
>> this issue to demonstrate to the world that they offer the benefits of a
>> premium class vendor that doesn't sell their customers down the river, even
>> if their product is long out of sale.
>>
>> Best,
>> Sebastian.
>>
>>> On Mon, Jun 4, 2018 at 5:54 AM, Sebastian Beutel <
>>> sebastian.beu...@rus.uni-stuttgart.de> wrote:
>>>
>>>> Hi Brian,
>>>>
>>>> On Thu, May 31, 2018 at 07:03:23PM +0200, Brian Turnbow wrote:
>>>>>
>>>>> We don't use lldp, but you can turn it off on an interface by
>>>>> interface basis.
>>>>>
>>>> We need lldp because our ip phones learn their voice vlan via lldp.
>>>> We can't define dedicated phone ports because people are used to
Re: [c-nsp] 3750 and CVE-2018-0167
Hi,

thanks for the extensive answer, I will go into details below.

On Tue, Jun 05, 2018 at 11:20:07AM +0200, Antoine Monnier wrote:
>
> so the IP phones first get an IP address in the data VLAN, that is the
> default/native/untagged VLAN on that port.
>
Then it's like I initially supposed. I just thought there was a magic trick
I'm not aware of to get around this.

>
> Indeed in that VLAN they use the standard helper-address to get to the DHCP
> server. One of the options on that DHCP scope is the VLAN tag they need to
> use.
>
This won't work for us for several reasons: Some of our SVIs have our DHCP
servers configured, others have the DHCP server of the corresponding customer
and a lot have no ip-helper at all. Maybe the customer there is running his
own L2-connected DHCP server, maybe he's configuring his hosts manually.

Best,
Sebastian.

> They then reboot and this time tag their traffic (and DHCP request) with
> the learned voice VLAN - in that DHCP scope they will likely also learn the
> TFTP server from which they need to download their full config.
>
> On Mon, Jun 4, 2018 at 7:26 PM, Coy Hile wrote:
>>
>>> On Jun 4, 2018, at 13:18, Sebastian Beutel wrote:
>>>
>>> Hi Antoine,
>>>
>>>> On Mon, Jun 04, 2018 at 05:23:58PM +0200, Antoine Monnier wrote:
>>>> Usually IP phones can also learn their voice vlan through a specific DHCP
>>>> option in the data VLAN - they then reboot inside the voice vlan to get
>>>> their final IP. Might be an option?
>>>>
>>> Maybe that's a dumb question but how do they reach their dhcp server if they
>>> do not know the vlan yet where it resides?
>>>
>>> Best,
>>> Sebastian.
>>
>> Helper addresses configured on the switch configure where such requests
>> should be forwarded.
>>
>>>> On Mon, Jun 4, 2018 at 11:54 AM, Sebastian Beutel <
>>>> sebastian.beu...@rus.uni-stuttgart.de> wrote:
>>>>
>>>>> Hi Brian,
>>>>>
>>>>>> On Thu, May 31, 2018 at 07:03:23PM +0200, Brian Turnbow wrote:
>>>>>>
>>>>>> We don't use lldp, but you can turn it off on an interface by interface
>>>>>> basis.
>>>>>>
>>>>> We need lldp because our ip phones learn their voice vlan via lldp. We
>>>>> can't define dedicated phone ports because people are used to plugging in
>>>>> their phone wherever they choose to.
>>>>>
>>>>>>
>>>>>> Why run it on ports with devices outside of your control?
>>>>>>
>>>>> We didn't choose so. Universities had BYOD long before it had a name...
>>>>>
>>>>> Best,
>>>>> Sebastian.
>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
>>>>>>> Sebastian Beutel
>>>>>>> Sent: Wednesday, 30 May 2018 17:52
>>>>>>> To: cisco-nsp@puck.nether.net
>>>>>>> Subject: [c-nsp] 3750 and CVE-2018-0167
>>>>>>>
>>>>>>> Dear list,
>>>>>>>
>>>>>>> we're still having some Cat 3750 in operation and it will still take
>>>>>>> some time till we can retire the last ones. We've asked Cisco whether
>>>>>>> they are planning to publish a new software image for this platform
>>>>>>> that fixes CVE-2018-0167 despite the fact that the product is way
>>>>>>> beyond end of security and vulnerability support.
>>>>>>> Our Cisco representative stated that they are not planning to do so
>>>>>>> despite the severity of the bug. He also said we're the only customer
>>>>>>> having this issue.
>>>>>>> So my question is: If you're still running 3750s, how do you deal with
>>>>>>> this?
>>>>>>>
>>>>>>> Best,
>>>>>>> Sebastian.
>>>>>>>
>>>>>>> P.S.: Cisco's advisory:
>>>>>>>
>>>>>>> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] 3750 and CVE-2018-0167
Hi Chuck,

On Mon, Jun 04, 2018 at 07:46:56PM -0400, Chuck Church wrote:
>
> Cisco might be willing to do that, but I think they'd much rather you buy a
> new switch. I have seen them offer updates beyond end of security patch
> dates, but it's usually for larger chassis such as 6500s.
>
It's not that we want to keep these old switches. We've already replaced
most of them with 3850, we are still doing so and planned to be done at
the end of 2018. As our 3750 turned out to be pretty stable workhorses this
seems like a doable thing. But now, with CVE-2018-0167 in mind, that date is
now pretty far in the future. As we know of the wide spread of 3750 we
believe that we are not the only customers having this sort of problem. In
my ears Cisco is telling me here: "We fucked up but now it's your problem
replacing about a hundred switches overnight"
As we assume that Cisco will announce end of life of 3850 maybe in 2019
we need to decide what platform will be next. Cisco's current software
quality combined with the new port-based licence model of 9k and experiences
like this sum up to a hard decision.

Best,
Sebastian.
Re: [c-nsp] 3750 and CVE-2018-0167
so the IP phones first get an IP address in the data VLAN, that is the
default/native/untagged VLAN on that port.

Indeed in that VLAN they use the standard helper-address to get to the DHCP
server. One of the options on that DHCP scope is the VLAN tag they need to
use.

They then reboot and this time tag their traffic (and DHCP request) with
the learned voice VLAN - in that DHCP scope they will likely also learn the
TFTP server from which they need to download their full config.

On Mon, Jun 4, 2018 at 7:26 PM, Coy Hile wrote:
>
>> On Jun 4, 2018, at 13:18, Sebastian Beutel wrote:
>>
>> Hi Antoine,
>>
>>> On Mon, Jun 04, 2018 at 05:23:58PM +0200, Antoine Monnier wrote:
>>> Usually IP phones can also learn their voice vlan through a specific DHCP
>>> option in the data VLAN - they then reboot inside the voice vlan to get
>>> their final IP. Might be an option?
>>>
>> Maybe that's a dumb question but how do they reach their dhcp server if they
>> do not know the vlan yet where it resides?
>>
>> Best,
>> Sebastian.
>
> Helper addresses configured on the switch configure where such requests
> should be forwarded.
Re: [c-nsp] 3750 and CVE-2018-0167
Cisco might be willing to do that, but I think they'd much rather you buy a
new switch. I have seen them offer updates beyond end of security patch
dates, but it's usually for larger chassis such as 6500s.

Chuck

-----Original Message-----
From: Sebastian Beutel
Sent: Monday, June 04, 2018 1:15 PM
To: Chuck Church
Cc: Brian Turnbow ; NSP - Cisco
Subject: Re: [c-nsp] 3750 and CVE-2018-0167

Hi Chuck,

On Mon, Jun 04, 2018 at 11:41:52AM -0400, Chuck Church wrote:
>
> I thought with LLDP you can turn off receive and transmit of LLDP
> messages separately. If you disable the receipt of them and only
> transmit, does that address the issue?
>
The security advisory mentioned no workaround. Maybe this could help and we
will definitely give it a try. Maybe we even find an exploit to test it.
Thanks for the suggestion.

>
> These switches are end of all support dates. They most surely won't
> address this bug.
>
I know. End of shipping was 2013 and end of security was 2016. But as this
platform is still widely used, my naive hope was that Cisco could utilise
this issue to demonstrate to the world that they offer the benefits of a
premium class vendor that doesn't sell their customers down the river, even
if their product is long out of sale.

Best,
Sebastian.
Re: [c-nsp] 3750 and CVE-2018-0167
> On Jun 4, 2018, at 13:18, Sebastian Beutel wrote:
>
> Hi Antoine,
>
>> On Mon, Jun 04, 2018 at 05:23:58PM +0200, Antoine Monnier wrote:
>> Usually IP phones can also learn their voice vlan through a specific DHCP
>> option in the data VLAN - they then reboot inside the voice vlan to get
>> their final IP. Might be an option?
>>
> Maybe that's a dumb question but how do they reach their dhcp server if they
> do not know the vlan yet where it resides?
>
> Best,
> Sebastian.
>

Helper addresses configured on the switch configure where such requests
should be forwarded.
Re: [c-nsp] 3750 and CVE-2018-0167
Hi,

On Mon, Jun 04, 2018 at 07:15:04PM +0200, Sebastian Beutel wrote:
> On Mon, Jun 04, 2018 at 11:41:52AM -0400, Chuck Church wrote:
>> I thought with LLDP you can turn off receive and transmit of LLDP messages
>> separately. If you disable the receipt of them and only transmit, does
>> that address the issue?
>>
> The security advisory mentioned no workaround. Maybe this could help and we
> will definitely give it a try. Maybe we even find an exploit to test it.
> Thanks for the suggestion.

"no receive" will work around, but it might break your phones if they use
LLDP to negotiate a voice VLAN...

>> These switches are end of all support dates. They most surely won't
>> address this bug.
>>
> I know. End of shipping was 2013 and end of security was 2016. But as this
> platform is still widely used, my naive hope was that Cisco could utilise
> this issue to demonstrate to the world that they offer the benefits of a
> premium class vendor that doesn't sell their customers down the river, even
> if their product is long out of sale.

3750 was never "premium anything", except "premium price"

gert
-- 
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
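The workaround Chuck proposes and the caveat Gert adds, as an added audit example that is not from the thread or from Cisco: a Python check over a constructed IOS-style running-config that separates ports where `no lldp receive` is already set, ports where it can be applied, and ports carrying a voice VLAN whose phones would lose LLDP-based VLAN discovery. The IOS command names are assumptions about the syntax; the hostname, port names and VLAN numbers are constructed.

```python
"""Audit an IOS-style running-config for the LLDP-receive workaround.

Added example for the thread above, not code from Cisco or the list.
Assumed IOS conventions: global 'lldp run' turns LLDP on, per-interface
'no lldp receive' stops processing of inbound LLDP frames (Chuck's
workaround), and 'switchport voice vlan N' marks a port whose phone may
depend on LLDP to learn that VLAN (Gert's caveat).
"""
import re
from dataclasses import dataclass, field

# Constructed sample running-config; hostname, ports and VLANs are made up.
SAMPLE_CONFIG = """\
hostname edge-sw1
lldp run
!
interface GigabitEthernet1/0/1
 description user port, phone + PC
 switchport access vlan 10
 switchport voice vlan 110
!
interface GigabitEthernet1/0/2
 description user port, already hardened
 switchport access vlan 10
 no lldp receive
!
interface GigabitEthernet1/0/3
 description user port, no phone
 switchport access vlan 10
!
interface GigabitEthernet1/0/48
 description uplink to core
 switchport mode trunk
!
interface Vlan999
 description management
 ip address 192.0.2.2 255.255.255.0
!
end
"""


@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)  # stripped sub-commands

    @property
    def voice_vlan(self):
        for line in self.lines:
            m = re.fullmatch(r"switchport voice vlan (\d+)", line)
            if m:
                return int(m.group(1))
        return None


def parse_config(text: str):
    """Return (lldp_enabled_globally, [Interface]) from IOS-style text."""
    lldp_global, interfaces, current = False, [], None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())  # indented = inside the block
            continue
        current = None  # any top-level line closes the interface block
        line = raw.strip()
        if line == "lldp run":
            lldp_global = True
        elif line.startswith("interface "):
            current = Interface(line.split(None, 1)[1])
            interfaces.append(current)
    return lldp_global, interfaces


def audit(text: str) -> dict:
    """Classify physical ports by LLDP exposure and voice-VLAN dependency."""
    lldp_global, interfaces = parse_config(text)
    result = {"lldp_global": lldp_global, "hardened": [], "phone_dependent": [],
              "safe_to_disable": [], "uplinks_skipped": []}
    if not lldp_global:
        return result  # inbound LLDP is not processed at all
    for intf in interfaces:
        if intf.name.startswith(("Vlan", "Loopback", "Port-channel")):
            continue  # LLDP runs on physical ports only
        if "switchport mode trunk" in intf.lines:
            result["uplinks_skipped"].append(intf.name)  # own infrastructure
        elif "no lldp receive" in intf.lines:
            result["hardened"].append(intf.name)
        elif intf.voice_vlan is not None:
            result["phone_dependent"].append(intf.name)  # workaround breaks phones
        else:
            result["safe_to_disable"].append(intf.name)
    return result


def remediation(text: str) -> list:
    """IOS lines applying the workaround only where no phone depends on LLDP."""
    lines = []
    for name in audit(text)["safe_to_disable"]:
        lines += [f"interface {name}", " no lldp receive"]
    return lines
```

Feed it a saved `show running-config` instead of SAMPLE_CONFIG; ports listed under phone_dependent need another voice-VLAN mechanism (such as the DHCP-option approach discussed elsewhere in the thread) before the workaround can be applied to them.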
Re: [c-nsp] 3750 and CVE-2018-0167
Hi Antoine,

On Mon, Jun 04, 2018 at 05:23:58PM +0200, Antoine Monnier wrote:
> Usually IP phones can also learn their voice vlan through a specific DHCP
> option in the data VLAN - they then reboot inside the voice vlan to get
> their final IP. Might be an option?
>
Maybe that's a dumb question but how do they reach their dhcp server if they
do not know the vlan yet where it resides?

Best,
Sebastian.
Re: [c-nsp] 3750 and CVE-2018-0167
Hi Chuck,

On Mon, Jun 04, 2018 at 11:41:52AM -0400, Chuck Church wrote:
>
> I thought with LLDP you can turn off receive and transmit of LLDP messages
> separately. If you disable the receipt of them and only transmit, does
> that address the issue?
>
The security advisory mentioned no workaround. Maybe this could help and we
will definitely give it a try. Maybe we even find an exploit to test it.
Thanks for the suggestion.

>
> These switches are end of all support dates. They most surely won't
> address this bug.
>
I know. End of shipping was 2013 and end of security was 2016. But as this
platform is still widely used, my naive hope was that Cisco could utilise
this issue to demonstrate to the world that they offer the benefits of a
premium class vendor that doesn't sell their customers down the river, even
if their product is long out of sale.

Best,
Sebastian.
Re: [c-nsp] 3750 and CVE-2018-0167
I thought with LLDP you can turn off receive and transmit of LLDP messages separately. If you disable the receipt of them and only transmit, does that address the issue? These switches are end of all support dates. They most surely won't address this bug. Chuck On Mon, Jun 4, 2018 at 5:54 AM, Sebastian Beutel < sebastian.beu...@rus.uni-stuttgart.de> wrote: > Hi Brian, > > On Thu, May 31, 2018 at 07:03:23PM +0200, Brian Turnbow wrote: > > > > We don't use lldp, but you can turn it off on an interface by interface > > bassis. > > > We need lldp because our ip phones learn their voice vlan via lldp. We > can't > define dedicated phone ports because people are used to plug in their phone > wherever they choose to. > > > > > Why run it on ports with devices outside of your control? > > > We didn't choose so. Universities had byod long before it had a name... > > Best, > Sebastian. > > > > > > -Original Message- > > > From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf > Of > > > Sebastian Beutel > > > Sent: mercoledì 30 maggio 2018 17:52 > > > To: cisco-nsp@puck.nether.net > > > Subject: [c-nsp] 3750 and CVE-2018-0167 > > > > > > Dear list, > > > > > > we're still having some Cat 3750 in operation and it will still > take > > some time > > > till we can retire the last ones. We've asked Cisco whether they are > > planning > > > to publish a new software image for this platform that fixes > > > CVE-2018-0167 despite the fact that the product is way beyond end of > > > security and vulnerability support. > > > Our Cisco representative stated that they are not planning to do so > > despite > > > the severity of the bug. He also said we're the only customer having > > this issue. > > > So my question is: If you're still running 3750s, how do you deal with > > this? > > > > > > Best, > > >Sebastian. 
Re: [c-nsp] 3750 and CVE-2018-0167
Usually IP phones can also learn their voice VLAN through a specific DHCP option in the data VLAN; they then reboot inside the voice VLAN to get their final IP. Might be an option?

On Mon, Jun 4, 2018 at 11:54 AM, Sebastian Beutel <sebastian.beu...@rus.uni-stuttgart.de> wrote:
Re: [c-nsp] 3750 and CVE-2018-0167
Hi Brian,

On Thu, May 31, 2018 at 07:03:23PM +0200, Brian Turnbow wrote:
>
> We don't use LLDP, but you can turn it off on an interface by interface
> basis.
>
We need LLDP because our IP phones learn their voice VLAN via LLDP. We can't define dedicated phone ports because people are used to plugging in their phones wherever they choose to.

> Why run it on ports with devices outside of your control?
>
We didn't choose so. Universities had BYOD long before it had a name...

Best,
Sebastian.
Re: [c-nsp] 3750 and CVE-2018-0167
Hi Sebastian,

We don't use LLDP, but you can turn it off on an interface by interface basis.
Why run it on ports with devices outside of your control?

Brian

> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Sebastian Beutel
> Sent: Wednesday, 30 May 2018 17:52
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] 3750 and CVE-2018-0167
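Brian's per-interface "turn it off" and Chuck's "disable receive, keep transmit" both leave the question of which ports on a fleet of 3750s still accept LLDP frames. The following is an added example, not code from the thread or from Cisco: a small audit over a running-config that reports the effective LLDP state per port. The config excerpt and interface names are constructed; it assumes the IOS syntax lldp run, no lldp receive and no lldp transmit.

```python
import re

# Constructed "show running-config" excerpt (not from the thread) mixing the two
# mitigations discussed: LLDP off per interface, and receive-only off so phones
# can still learn their voice VLAN from what the switch transmits.
SAMPLE_CONFIG = """\
lldp run
interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan 200
interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 200
 no lldp receive
interface GigabitEthernet1/0/3
 switchport mode access
 switchport voice vlan 200
 no lldp receive
 no lldp transmit
interface GigabitEthernet1/0/24
 switchport mode trunk
"""

def lldp_state(config):
    """Effective per-interface LLDP state. IOS prints only deviations from the
    default, so a port lacking 'no lldp receive'/'no lldp transmit' has both
    enabled whenever 'lldp run' is set globally."""
    if re.search(r"^lldp run\s*$", config, re.M) is None:
        return {}  # LLDP globally off: no port receives or transmits
    state = {}
    for block in re.split(r"^interface ", config, flags=re.M)[1:]:
        name, *body = [l.strip() for l in block.splitlines()]
        state[name] = {
            "receive": "no lldp receive" not in body,
            "transmit": "no lldp transmit" not in body,
            "voice_vlan": any(l.startswith("switchport voice vlan") for l in body),
        }
    return state

def ports_still_receiving(config):
    """Interfaces that still accept inbound LLDP frames, i.e. still hand
    them to the LLDP parser; these are the ones to review first."""
    return sorted(i for i, s in lldp_state(config).items() if s["receive"])

def phone_ports_without_transmit(config):
    """Voice-VLAN ports with LLDP transmit off: phones there can no longer
    learn the voice VLAN via LLDP and would need the DHCP-option approach."""
    return sorted(i for i, s in lldp_state(config).items()
                  if s["voice_vlan"] and not s["transmit"])
```

On the sample, only Gi1/0/1 and the trunk Gi1/0/24 still receive LLDP, and Gi1/0/3 is the phone port where LLDP-based voice VLAN assignment no longer works.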
Re: [c-nsp] 3750 and CVE-2018-0167
We are not running LLDP, so we should be OK on that platform.

On Wed, May 30, 2018 at 5:52 PM, Sebastian Beutel <sebastian.beu...@rus.uni-stuttgart.de> wrote:
[c-nsp] 3750 and CVE-2018-0167
Dear list,

we still have some Cat 3750s in operation, and it will take some time until we can retire the last ones. We've asked Cisco whether they are planning to publish a new software image for this platform that fixes CVE-2018-0167, despite the fact that the product is way beyond end of security and vulnerability support.
Our Cisco representative stated that they are not planning to do so, despite the severity of the bug. He also said we're the only customer having this issue.
So my question is: if you're still running 3750s, how do you deal with this?

Best,
Sebastian.

P.S.: Cisco's advisory:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp