Vendor and network guys say no patch for CVE-2018-0171

Our network guys as well as the vendor who supports our Cisco insisted that there's no patch available for
the 2960, 37xx models for CVE-2018-0171.

I showed them the extract from the link below but they still insisted it's only 'no vstack' that is needed &
there's no patch:
  https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
"Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license."


Can anyone verify this, and if there is a patch, help download it to a Dropbox or somewhere for me to get it from there, as we don't have TAC?
sunhuxAsked:

Mark BillExchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1Commented:
If you are not in touch with Cisco themselves do that at once, I have found various solutions bypassing these middlemen over the years.
This is why I will always advise companies to avoid MSP, why not get Managed Service from the vendors themselves? That is what I would recommend.

Managed service is bad for internal IT teams, it encourages a poor level of technicality within the team, that is just my two cents.

Reality is you are more likely to get a straight answer from a company like HPE, Dell, Cisco, VMware etc etc.
Deal with big multi national companies wherever possible, not middle men who only want your money.
0
sunhuxAuthor Commented:
Thanks, I got an email from Cisco TAC in the USA but I'm still unclear as her response is
not affirmative:

As I'm 12 hrs apart from USA, I'm posting here for faster response (due to regulatory authority's pressure).

What does the TAC mean by "update your software to attempt to fix this bug as long as you hold a license" ?

We prefer to patch rather than turning it off, in case someone turns it back on in future: it's also the regulator's
preference, but if there's truly no patch, do confirm here.


"Hi Pete
Cisco has released software updates that address this vulnerability, but there are no workarounds that address this vulnerability, so you can update your software to attempt to fix this bug as long as you hold a license for the software.

I am unable to see the picture that you have included, but only Smart Install client switches are affected by the vulnerability that is described in this advisory. Cisco devices that are configured as a Smart Install director are not affected by this vulnerability.

From what I can see the 'no vstack command' is all that is needed to disable the smart install feature if you do not require it.

If you like, we can open a TAC case for support on this issue, but if you do not have a Cisco account then it would have to be done through your partner company.
"
0
Mark BillExchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1Commented:
If you are worried about CVEs for your business and the MSP is doing a bad job, cut them out.
Open a paid case with Cisco, sounds like you need their support, I would take their advice and then relay that to your senior IT people.

Make a team decision.
It is sensible to go with the vendor's decision here IMO, it gives you all fallback, once that decision is logical of course.
0
sunhuxAuthor Commented:
What does the TAC mean by "update your software to attempt to fix this bug as long as you hold a license" ?

Is doing "no vstack" sufficient or ought to update as best practice?
0
Mark BillExchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1Commented:
They are saying if you do not have a valid licence and/or support you are not entitled to updates, right?
0
Pete LongTechnical ConsultantCommented:
>>What does the TAC mean by "update your software to attempt to fix this bug as long as you hold a license" ?

Cisco Speak for "You do not hold a Valid SmartNet Contract - and so are not entitled to IOS downloads or updated software". They do (occasionally) provide software for people out of support for free, but that link tends to be taken down very quickly (as was the case with the recent firewall vulnerability) which had free download links but was only up for about a week!
0
masnrockCommented:
>>Is doing "no vstack" sufficient or ought to update as best practice?

It comes down to whether you need the feature or not. If you don't, then disable it. If you do, then you need to find a way to mitigate your risk (namely, restrict access to TCP port 4786).

For software updates, unless you get a SmartNet contract, you're shot in the foot.
0
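
A recurring check for the concern raised in this thread that `no vstack` might be turned back on later, as an added example (not part of any poster's answer and not Cisco code): it classifies collected `show vstack config` output per switch so that enabled Smart Install clients stand out. The hostnames, the director address and the sample outputs are constructed, and the output forms matched here are assumptions to adjust to what your IOS release prints.

```python
import re

# Constructed sample outputs of `show vstack config` (hostnames are made up).
SAMPLES = {
    "sw-access-01": " Role: Client (SmartInstall enabled)\n"
                    " Vstack Director IP address: 0.0.0.0\n",
    "sw-access-02": " Capability: Client\n Oper Mode: Enabled\n Role: NA\n",
    "sw-access-03": " Role: Client (SmartInstall disabled)\n"
                    " Vstack Director IP address: 0.0.0.0\n",
    "sw-core-01":   " Role: Director\n Vstack Director IP address: 10.0.0.1\n",
    "sw-access-04": "% Invalid input detected at '^' marker.\n",
}

def parse_fields(output):
    """Turn 'Key: value' lines into a dict with lower-cased keys and values."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(.*\S)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2).lower()
    return fields

def classify(output):
    """Return director, client-enabled, client-disabled or unknown."""
    f = parse_fields(output)
    if not f:
        return "unknown"  # command rejected or empty capture: check by hand
    role = f.get("role", "")
    oper = f.get("oper mode", "")
    if role.startswith("director"):
        return "director"  # per the TAC reply, directors are not affected
    if "disabled" in role or oper == "disabled":
        return "client-disabled"  # `no vstack` is in effect
    if "enabled" in role or (f.get("capability") == "client" and oper == "enabled"):
        return "client-enabled"  # needs `no vstack`, an update, or a 4786 filter
    return "unknown"

def audit(outputs):
    """Group hostnames by Smart Install state."""
    report = {"client-enabled": [], "client-disabled": [], "director": [], "unknown": []}
    for host, out in sorted(outputs.items()):
        report[classify(out)].append(host)
    return report

if __name__ == "__main__":
    for state, hosts in audit(SAMPLES).items():
        print(f"{state:16} {', '.join(hosts) or '-'}")
```

Run it against output collected on a schedule; a switch that moves from `client-disabled` to `client-enabled` between runs means the feature was re-enabled.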
