Vulnerable Products:
This vulnerability affects Cisco IOS and IOS XE Software if the shell processing full command is configured. This command is disabled by default.
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.

Determine the Device Configuration

To determine whether a device has the shell processing full command configured, log in to the device and use the show run | include shell command in the CLI. If the command does not produce output, the device is not affected.
The following example shows the output of the show run | include shell command for a device that has shell processing full configured.
Switch#show run | include shell
shell processing full

Products Confirmed Not Vulnerable:
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
IOS XR Software
NX-OS Software

Workarounds:
There are no workarounds that address this vulnerability.
Removing the shell processing full command eliminates the attack vector for this vulnerability and may be a suitable mitigation until affected devices can be upgraded. To remove the shell processing full command, use the no shell processing full command in global configuration mode.
While this mitigation has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such...
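
The configuration check and mitigation described above, applied to a set of saved running-configs; this is an added example, not part of the Cisco advisory. The hostnames and config contents are constructed samples, and is_exposed and audit are hypothetical helper names. The match is anchored to the whole line because show run | include shell returns every line that contains "shell", not only the command in question.

```python
import re

# Global-configuration commands start in column 0 of a running-config, so an
# anchored match skips indented sub-mode lines (such as interface
# descriptions) and the negated form, both of which contain "shell".
ENABLED = re.compile(r"^shell\s+processing\s+full\s*$")

# Mitigation named in the advisory, wrapped in the commands that enter and
# leave global configuration mode.
MITIGATION = ["configure terminal", "no shell processing full", "end"]


def is_exposed(running_config: str) -> bool:
    """True if 'shell processing full' is present as a global command."""
    return any(ENABLED.match(line) for line in running_config.splitlines())


def audit(configs: dict) -> dict:
    """Map each exposed hostname to the commands that remove the attack vector."""
    return {
        host: list(MITIGATION)
        for host, cfg in sorted(configs.items())
        if is_exposed(cfg)
    }


# Constructed sample backups (hostnames and contents are made up).
SAMPLE_CONFIGS = {
    "sw-access-01": "hostname sw-access-01\nshell processing full\n!\nend\n",
    "sw-access-02": (
        "hostname sw-access-02\n"
        "interface GigabitEthernet1/0/1\n"
        " description uplink to shell-lab rack\n"
        "!\nend\n"
    ),
    "sw-access-03": "hostname sw-access-03\nno shell processing full\n!\nend\n",
}

if __name__ == "__main__":
    for host, commands in audit(SAMPLE_CONFIGS).items():
        print(f"{host}: exposed; mitigation: {' ; '.join(commands)}")
```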

12.2(6)I1, 15.0(1)EX, 15.0(2)EA, 15.0(2)EA1, 15.0(2)EJ, 15.0(2)EJ1, 15.0(2)EK, 15.0(2)EK1, 15.0(2)EX, 15.0(2)EX1, +917 more
16.1.1, 16.1.2, 16.1.3, 16.10.1, 16.10.1a, 16.10.1b, 16.10.1c, 16.10.1d, 16.10.1e, 16.10.1f, +471 more

Exploitability: AV:L, AC:L, PR:L, UI:N
Scope: S:C
Impact: C:N, I:N, A:H
6.5 / CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H