Configuring AAA authentication eliminates this vulnerability, unless AAA is
configured to fall back to local authentication, in which case the local
password path remains exposed. AAA configuration information and examples are
provided in Configuring TACACS+, RADIUS, and Kerberos on Cisco Catalyst
Switches, available at:
Strictly limiting telnet and/or ssh access to the device will prevent
the initial connection required to exploit this vulnerability. Telnet and/or
ssh access can be controlled with the following command set:
    set ip permit <address> <mask> telnet
    set ip permit <address> <mask> ssh
    set ip permit enable
This command set will deny all traffic not specified in the permit
statements for each protocol.
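The following audit script is an added example, not part of the advisory, that reads a CatOS configuration excerpt and reports whether the two workarounds above are in place: the ip permit list for telnet/ssh, and AAA without local fallback. The sample configuration is constructed, and the `set authentication login local` line is assumed CatOS syntax rather than something the advisory states.

```python
import re
from typing import Dict, List

# Constructed CatOS configuration excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
set ip permit 192.0.2.10 255.255.255.255 telnet
set ip permit 192.0.2.0 255.255.255.0 ssh
set ip permit enable
set authentication login tacacs enable
set authentication login local enable
"""

PERMIT_RE = re.compile(r"^set ip permit (\S+) (\S+) (telnet|ssh)$")
# Assumed CatOS syntax for enabling/disabling fallback to local authentication.
LOCAL_RE = re.compile(r"^set authentication login local (enable|disable)$")


def audit_catos_config(config: str) -> Dict[str, object]:
    """Return the permit entries found and a list of findings.

    An empty findings list means both workarounds from the advisory are applied.
    """
    permits: Dict[str, List[str]] = {"telnet": [], "ssh": []}
    permit_enabled = False
    local_fallback = None  # unknown until a matching line is seen
    for raw in config.splitlines():
        line = raw.strip()
        if line == "set ip permit enable":
            permit_enabled = True
        elif m := PERMIT_RE.match(line):
            addr, mask, proto = m.groups()
            permits[proto].append(f"{addr}/{mask}")
        elif m := LOCAL_RE.match(line):
            local_fallback = m.group(1) == "enable"

    findings: List[str] = []
    if not permit_enabled:
        findings.append("ip permit list is not enabled; telnet/ssh reachable from any address")
    for proto, entries in permits.items():
        # Once enabled, traffic not matched by a permit statement is denied per protocol,
        # so an empty list means that protocol is cut off entirely (possible lockout).
        if permit_enabled and not entries:
            findings.append(f"no permit entries for {proto}: all {proto} access will be denied")
    if local_fallback:
        findings.append("AAA falls back to local authentication; the AAA workaround does not apply")
    return {"permit_enabled": permit_enabled, "permits": permits, "findings": findings}
```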
Additionally, out-of-band management solutions and isolated management
VLAN configurations can help mitigate this vulnerability by limiting the
initial access necessary for exploitation.