POE network switch

Just a quick update. The switch is connected and working great. There were a few bonehead mistakes on my part, but the switch does just what I want. Thanks to @OVERKILL and @rijndael for your help!
No problem! Did you update the software? As I mentioned earlier in the thread, you can download the image with the WebUI if you want, there are a few more lines you need to add to the config to make it accessible, but it's pretty simple.
 
I have not been able to download the software. I created an account at cisco.com but when I log in and click the link in your post and try to download I see this:

Screenshot_20250805_105951.webp


If I click "this link" I get a blank page. I can't find a place to edit my profile.
 
Most potential "privilege escalations" i.e. being able to take control without the password were related to the web interface, which you should disable anyway.
 
This is typically true, however the vast majority of resolved caveats seem to be DoS related, and of that category, it's SNMP that stands out. It is nice to see two bug fixes on that list as well, given the age of the product.

Of the caveats listed as "privilege escalation":

CSCwj97907 - IESDM (HTTP -> Ability to gain level 15 with a lower level account)
CSCwm64309 - CLI - Level 15 user can gain root on the underlying OS (this has an impact score of HIGH)
CSCwm66565 - CLI - Level 15 user can gain root on the underlying OS (this has an impact score of HIGH)
CSCwm68661 - CLI - Level 15 user can gain root on the underlying OS (this has an impact score of HIGH)

The last three all seem to be variations of the same issue, but they all have separate CVEs?

So, in this particular instance, of the privilege escalation caveats, 1/4 of them are web-based, the remaining 3/4 are CLI-based, which I find interesting, but not surprising given where we are in the product support lifecycle.

Given these facts, I think it's worthwhile to upgrade to this release.
 
https://sec.cloudapps.cisco.com/sec...urityAdvisory/cisco-sa-iosxe-privesc-su7scvdp



So, you have to be already at enable to execute the attack. While not insignificant, at this point, they already own you.
Yes, as I noted, you have to be a logged in Level 15 user. It's an interesting vuln for sure, I don't think for its exploitability in the wild, but rather the ability to traverse the containment from config to the host OS, which is why it's flagged as it is.
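
An added example, not code from any poster in this thread: a small Python check that reads a saved running-config and reports the settings the discussion turns on (web interface state, SNMP, and which accounts are level 15 versus lower). The sample config is constructed, and the names `audit` and `findings` are hypothetical; it only inspects explicit lines in the text it is given.

```python
import re

# Constructed sample running-config, not taken from the thread.
SAMPLE_CONFIG = """\
hostname lab-switch
username admin privilege 15 secret 9 <redacted>
username monitor secret 9 <redacted>
ip http server
no ip http secure-server
snmp-server community <redacted> RO
line vty 0 4
 transport input ssh
"""

def audit(config: str) -> dict:
    """Collect the settings relevant to the caveat classes discussed above."""
    state = {"http": False, "https": False, "snmp": False,
             "level15_users": [], "lower_users": []}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":            # "no ip http server" does not match
            state["http"] = True
        elif line == "ip http secure-server":
            state["https"] = True
        elif line.startswith(("snmp-server community ", "snmp-server group ")):
            state["snmp"] = True
        else:
            m = re.match(r"username (\S+)(?: privilege (\d+))?", line)
            if m:
                # IOS assigns privilege 1 when the keyword is omitted.
                level = int(m.group(2) or 1)
                key = "level15_users" if level == 15 else "lower_users"
                state[key].append(m.group(1))
    return state

def findings(state: dict) -> list:
    """Turn the collected state into review items for the operator."""
    out = []
    web = state["http"] or state["https"]
    if web:
        out.append("web interface enabled: 'no ip http server' and "
                   "'no ip http secure-server' turn it off")
    if web and state["lower_users"]:
        out.append("lower-privilege accounts exist while the web interface is on: "
                   + ", ".join(state["lower_users"]))
    if state["snmp"]:
        out.append("SNMP configured: check the DoS-related caveats before deferring the upgrade")
    if state["level15_users"]:
        out.append("level-15 accounts to review: " + ", ".join(state["level15_users"]))
    return out
```
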
 