CISCO-SA-NBAR-DOS-LAVWTMET

Vulnerable Products:

This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco IOS XE Software and have the NBAR for CAPWAP feature enabled:

1100 Integrated Services Routers 4000 Series Integrated Services Routers ASR 920 Series Aggregation Services Routers ASR 1000 Series Aggregation Services Routers Catalyst 1101 Rugged Routers Catalyst 8000V Edge Software Catalyst 8200 Series Edge Platforms Catalyst 8300 Series Edge Platforms Catalyst 8500 Edge Platforms Catalyst 8500L Edge Platforms Catalyst IR8300 Rugged Series Routers

For information about which Cisco software releases are vulnerable, see the Fixed Software ["#fs"] section of this advisory. Determine the Device Configuration To determine whether the device has the CAPWAP inspection for NBAR enabled, use the show running-config | include tunneled-traffic capwap CLI command. If there is output for this command, CAPWAP inspection for NBAR is enabled, as shown in following example:

Router#show running-config | include tunneled-traffic capwap ip nbar classification tunneled-traffic capwap Router#

If there is no output, the device is not affected by this vulnerability.

Otherwise, determine whether NBAR is in use on a device by verifying that the show ip nbar control-plane | include NBAR state CLI command reports the state as ACTIVATED. If that command does not produce output, or it reports the state as DEACTIVATED, then NBAR operation is not configured.

The following example shows the output of a device that has NBAR is enabled:

Router#show ip nbar control-plane | include NBAR state NBAR state is ACTIVATED NBAR state: ACTIVATED

The following example shows the output of a device that has NBAR disabled:

Router#show ip nbar control-plane | include NBAR state NBAR state is DEACTIVATED NBAR state: DEACTIVATED

If both CAPWAP inspection for NBAR is enabled and NBAR is ACTIVATED, the device is considered...