If disabling the IOS SSH Server is not feasible, the following
workarounds may be useful to some customers in their environments.
Telnet is not vulnerable to the issue described in this advisory and
may be used as an insecure alternative to SSH. Telnet does not encrypt the
authentication information or data; therefore, it should only be enabled for
trusted local networks.
VTY Access Class
It is possible to limit the exposure of the Cisco device by applying a
VTY access class to allow only known, trusted hosts to connect to the device.
For more information on restricting traffic to VTYs, please consult:
The following example permits access to VTYs from the 192.168.1.0/24
netblock and the single IP address 172.16.1.2 while denying access from
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 1 permit host 172.16.1.2
Router(config)# line vty 0 4
Router(config-line)# access-class 1 in
Different Cisco platforms support different numbers of terminal lines.
Check your device's configuration to determine the correct number of terminal
lines for your platform.
Infrastructure ACLs (iACL)
Although it is often difficult to block traffic transiting your
network, it is possible to identify traffic that should never be allowed to
target your infrastructure devices and block that traffic at the border of your
network. Infrastructure ACLs are considered a network security best practice
and should be considered as a long-term addition to good network security as
well as a workaround for this specific vulnerability. The ACL example shown
below should be included as part of the deployed infrastructure access-list,
which will protect all devices with IP addresses in the infrastructure IP
A sample access list for devices running Cisco IOS is below:
!--- Permit SSH services from trusted hosts destined
!--- to infrastructure addresses.
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 22
!--- Deny SSH packets from all other sources destined to infrastructure addresses.
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 22
!--- Permit all other traffic to transit the device.
access-list 150 permit IP any any
interface serial 2/0
ip access-group 150 in
The white paper titled "Protecting Your Core: Infrastructure Protection
Access Control Lists" presents guidelines and recommended deployment techniques
for infrastructure protection access lists. This white paper can be obtained
Control Plane Policing (CoPP)
The Control Plane Policing (CoPP) feature may be used to mitigate these
vulnerabilities. In the following example, only SSH traffic from trusted hosts
and with 'receive' destination IP addresses is permitted to reach the route
Note: Dropping traffic from unknown or untrusted IP addresses may affect
hosts with dynamically assigned IP addresses from connecting to the Cisco IOS
!--- Deny (exempt) SSH from trusted hosts; permit (select for policing)
!--- SSH from every other source.
access-list 152 deny tcp TRUSTED_ADDRESSES MASK any eq 22
access-list 152 permit tcp any any eq 22
class-map match-all COPP-KNOWN-UNDESIRABLE
match access-group 152
!--- Policy-map and control-plane attachment, restored here from the
!--- class-map and policy-map names used in this example.
policy-map COPP-INPUT-POLICY
class COPP-KNOWN-UNDESIRABLE
drop
control-plane
service-policy input COPP-INPUT-POLICY
In the above CoPP example, the ACL entries that match the exploit
packets with the "permit" action result in these packets being discarded by the
policy-map "drop" function, while packets that match the "deny" action are not
affected by the policy-map drop function.
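The three workarounds above (VTY access class, infrastructure ACL and CoPP) all rest on how Cisco IOS evaluates an access list: entries are tested in order, the first match wins, and a packet that matches nothing hits the implicit deny at the end; in a CoPP class-map the sense is inverted, because a "permit" match selects the packet for the policy-map's drop action while a "deny" match exempts it. The following Python simulator is an added example, not part of the advisory or of Cisco IOS, that models those rules and checks the three ACLs against constructed sample addresses; the prefixes standing in for TRUSTED_HOSTS, TRUSTED_ADDRESSES and INFRASTRUCTURE_ADDRESSES MASK are assumptions chosen for the demonstration.

```python
"""ACL matching simulator for the VTY access-class, iACL and CoPP workarounds.

Added example, not taken from the Cisco advisory. It models how Cisco IOS
evaluates an access list (first match wins, implicit deny at the end) and the
inverted meaning of permit/deny inside a CoPP class-map (permit = policed and
dropped, deny = exempt). The TRUSTED / INFRA prefixes are constructed sample
values standing in for the advisory's placeholders.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # Cisco "any": every bit is don't-care


def wildcard(cidr):
    """Translate a CIDR prefix into the (network, wildcard-mask) pair IOS ACLs use."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def host(addr):
    """Equivalent of the 'host' keyword: a wildcard mask of 0.0.0.0."""
    return addr, "0.0.0.0"


def in_wildcard(spec, addr):
    """A 1 bit in the wildcard mask means 'don't care'; compare only the other bits."""
    net, wild = (int(ipaddress.ip_address(x)) for x in spec)
    care = 0xFFFFFFFF ^ wild
    return (int(ipaddress.ip_address(addr)) & care) == (net & care)


def ace(action, src, dst=ANY, proto="ip", dport=None):
    """One access-control entry; proto 'ip' matches every protocol, dport None any port."""
    return {"action": action, "src": src, "dst": dst, "proto": proto, "dport": dport}


def evaluate(acl, src, dst="0.0.0.0", proto="tcp", dport=None):
    """First-match evaluation with the implicit 'deny' that ends every IOS ACL."""
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not in_wildcard(e["src"], src) or not in_wildcard(e["dst"], dst):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"


# access-list 1: the VTY access-class exactly as shown in the advisory.
ACL_1 = [ace("permit", wildcard("192.168.1.0/24")), ace("permit", host("172.16.1.2"))]

TRUSTED = wildcard("192.168.1.0/24")  # constructed TRUSTED_HOSTS / TRUSTED_ADDRESSES MASK
INFRA = wildcard("10.255.0.0/24")     # constructed INFRASTRUCTURE_ADDRESSES MASK

# access-list 150: the infrastructure ACL applied inbound on the border interface.
ACL_150 = [
    ace("permit", TRUSTED, INFRA, "tcp", 22),
    ace("deny", ANY, INFRA, "tcp", 22),
    ace("permit", ANY, ANY, "ip"),
]

# access-list 152: the CoPP class-map ACL, where deny exempts and permit polices.
ACL_152 = [
    ace("deny", TRUSTED, ANY, "tcp", 22),
    ace("permit", ANY, ANY, "tcp", 22),
]


def vty_allows(src):
    """Can this source open a VTY session? access-class applies the ACL directly."""
    return evaluate(ACL_1, src) == "permit"


def iacl_allows(src, dst, dport):
    """Does the border iACL forward this TCP packet?"""
    return evaluate(ACL_150, src, dst, "tcp", dport) == "permit"


def copp_drops(src, dport):
    """CoPP inversion: a 'permit' match lands in COPP-KNOWN-UNDESIRABLE and is dropped."""
    return evaluate(ACL_152, src, "10.255.0.1", "tcp", dport) == "permit"


if __name__ == "__main__":
    for src in ("192.168.1.77", "172.16.1.2", "172.16.1.3"):
        print(f"VTY from {src}: {'allowed' if vty_allows(src) else 'blocked'}")
    print("iACL, untrusted SSH to infrastructure:", iacl_allows("203.0.113.9", "10.255.0.1", 22))
    print("iACL, untrusted SSH in transit:", iacl_allows("203.0.113.9", "198.51.100.7", 22))
    print("CoPP drops trusted SSH:", copp_drops("192.168.1.5", 22))
    print("CoPP drops untrusted SSH:", copp_drops("203.0.113.9", 22))
    print("CoPP drops untrusted HTTP:", copp_drops("203.0.113.9", 80))
```

The last check is the one worth noticing when writing a CoPP ACL: a packet that matches no entry of access-list 152 (here, untrusted HTTP) falls to the implicit deny, so it is simply outside the COPP-KNOWN-UNDESIRABLE class and is not dropped; only traffic the ACL explicitly permits is policed.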
CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S,
12.3T, 12.4, and 12.4T.
Additional information on the configuration and use of the CoPP
feature can be found at the following URL: