Vulnerable Products:
This vulnerability affects Cisco devices if they are running a vulnerable release of Cisco IOS and IOS XE Software and if they are configured to use TACACS+ but are missing the TACACS+ shared secret.
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.
Determine the Device Configuration
To determine whether a device has TACACS+ or TACACS+ server shared secrets configured, use the instructions in the following sections.
Determine the TACACS+ Configuration
To determine whether a device has TACACS+ configured, use the show running-config | include tacacs CLI command or the show running-config | section tacacs CLI command. If there is no output, the device is not affected by this vulnerability. If there is output, TACACS+ is configured, and the device may be affected.
The following example shows the output for a device with Groups configured:
Router# show running-config | include tacacs
aaa group server tacacs+ ise1
tacacs server ise
The following example shows the output for a device without Groups configured:
Router# show running-config | section tacacs
 address ipv4 10.1.1.1
tacacs-server key cisco123
Router#
The following example shows the output for a device with server-private configured:
Router# show running-config | section tacacs
aaa group server tacacs+ ise
 server-private 10.1.1.1
tacacs server ise
 address ipv4 10.1.1.1
 key Cisc0123
Determine the TACACS+ Server Key Configuration
To determine whether a device has TACACS+ server shared secrets configured, use the show running-config | include tacacs server|key CLI command. If every TACACS+ server that is configured has a shared secret configured, the device is not affected. If any TACACS+ server is configured without a shared key, the device is affected.
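The two checks above can be run offline against a saved running-config. The following is an added example, not Cisco's code: the function name, result fields and sample configurations are constructed for illustration. It assumes only the configuration forms shown in this section, and it reports a global tacacs-server key separately instead of deciding whether that key covers a server with no key of its own.

```python
import re

# Constructed sample configs modelled on the output forms shown in this section.
SAMPLE_OK = """\
aaa group server tacacs+ ise
 server-private 10.1.1.1 key Cisc0123
tacacs server ise
 address ipv4 10.1.1.1
 key Cisc0123
"""
SAMPLE_MISSING_KEY = """\
aaa group server tacacs+ ise1
 server name ise
tacacs server ise
 address ipv4 10.1.1.1
"""

def audit_tacacs(config_text):
    """Report TACACS+ servers in a running-config that carry no key of their own."""
    result = {"configured": False, "global_key": False, "without_own_key": []}
    block, has_key = None, False   # currently open "tacacs server NAME" block

    def close_block():
        if block is not None and not has_key:
            result["without_own_key"].append(block)

    for line in config_text.splitlines():
        if "tacacs" in line:
            result["configured"] = True
        if line and not line[0].isspace():           # a new top-level command
            close_block()
            m = re.match(r"tacacs server (\S+)", line)
            block, has_key = (m.group(1) if m else None), False
            if re.match(r"tacacs-server key \S", line):
                result["global_key"] = True           # reported, not interpreted
            continue
        sub = line.strip()
        if block is not None and re.match(r"key \S", sub):
            has_key = True
        m = re.match(r"server-private (\S+)(.*)", sub)
        if m and not re.search(r"\bkey \S", m.group(2)):
            result["without_own_key"].append("server-private " + m.group(1))
    close_block()
    return result
```

Any entry in without_own_key is a server to check by hand against the criteria in this section.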
The following example shows output from an affected device that has Groups configured, does not have Groups...
Releases listed: 12.2(6)I1, 15.1(3)SVR1, 15.1(3)SVR10, 15.1(3)SVR2, 15.1(3)SVR3, 15.1(3)SVS, 15.1(3)SVS1, 15.1(3)SVT1, 15.1(3)SVT2, 15.1(3)SVT3 (+156 more)
Releases listed: 16.10.1, 16.10.1a, 16.10.1b, 16.10.1c, 16.10.1d, 16.10.1e, 16.10.1f, 16.10.1g, 16.10.1s, 16.10.2 (+252 more)
CVSS 3.1 base score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H