Customers can disable the use of the IOS FTP Server feature by
executing the following command in configuration mode:
no ftp-server enable
Additional mitigations that can be deployed on Cisco devices within the
network are available in the Cisco Applied Mitigation Bulletin companion
document for this advisory:
Alternative File Transfer Mechanisms
Cisco IOS supports multiple methods for transferring files to and from
the device. One such method is Secure Copy (SCP). SCP is supported on Cisco IOS
images that support strong cryptography. More information on the SCP feature
can be found at the following url:
Another alternative is using the Trivial File Transfer Protocol (TFTP)
server in IOS. Information on configuring the TFTP server can be found
If disabling the IOS FTP Server is not feasible, customers can limit
FTP access to the device via one of the following mechanisms:
Infrastructure ACLs (iACL)
Although it is often difficult to block traffic transiting your
network, it is possible to identify traffic which should never be allowed to
target your infrastructure devices and block that traffic at the border of your
network. Infrastructure ACLs are considered a network security best practice
and should be considered as a long-term addition to good network security as
well as a workaround for this specific vulnerability. The ACL example shown
below should be included as part of the deployed infrastructure access-list
which will protect all devices with IP addresses in the infrastructure IP
A sample access list for devices running Cisco IOS is below:
!--- Permit FTP services from trusted hosts destined
!--- to infrastructure addresses.
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 21
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 20
!--- Deny FTP packets from all other sources destined to infrastructure addresses.
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 21
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 20
!--- Permit all other traffic to transit the device.
access-list 150 permit IP any any
interface serial 2/0
ip access-group 150 in
The white paper entitled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and recommended deployment
techniques for infrastructure protection access lists. This white paper can be
Receive ACLs (rACL)
For distributed platforms, Receive ACLs may be an option starting in
Cisco IOS Software Versions 12.0(21)S2 for the 12000 (GSR), 12.0(24)S for the
7500, and 12.0(31)S for the 10720. The Receive ACL protects the device from
harmful traffic before the traffic can impact the route processor. Receive ACLs
are designed to only protect the device on which it is configured. On the
12000, 7500, and 10720, transit traffic is never affected by a receive ACL.
Because of this, the destination IP address "any" used in the example ACL
entries below only refer to the router's own physical or virtual IP addresses.
Receive ACLs are considered a network security best practice, and should be
considered as a long-term addition to good network security, as well as a
workaround for this specific vulnerability. The white paper entitled "GSR:
Receive Access Control Lists" will help you identify and allow legitimate
traffic to your device and deny all unwanted packets:
The following is the receive path ACL written to permit this type of
traffic from trusted hosts:
!--- Permit FTP from trusted hosts allowed to the RP.
access-list 151 permit tcp TRUSTED_ADDRESSES MASK any eq 21
access-list 151 permit tcp TRUSTED_ADDRESSES MASK any eq 20
!--- Deny FTP from all other sources to the RP.
access-list 151 deny tcp any any eq 21
access-list 151 deny tcp any any eq 20
!--- Permit all other traffic to the RP.
!--- according to security policy and configurations.
access-list 151 permit ip any any
!--- Apply this access list to the 'receive' path.
ip receive access-list 151
Control Plane Policing (CoPP)
The Control Plane Policing (CoPP) feature may be used to mitigate these
vulnerabilities. In the following example, only FTP traffic from trusted hosts
and with 'receive' destination IP addresses is permitted to reach the route
It should be noted that dropping traffic from unknown or untrusted IP
addresses may affect hosts with dynamically assigned IP addresses from
connecting to the Cisco IOS device.
access-list 152 deny tcp TRUSTED_ADDRESSES MASK any eq 21
access-list 152 deny tcp TRUSTED_ADDRESSES MASK any eq 20
access-list 152 permit tcp any any eq 20
access-list 152 permit tcp any any eq 21
access-list 152 deny ip any any
class-map match-all COPP-KNOWN-UNDESIRABLE
match access-group 152
service-policy input COPP-INPUT-POLICY
In the above CoPP example, the ACL entries that match the exploit
packets with the "permit" action result in these packets being discarded by the
policy-map "drop" function, while packets that match the "deny" action are not
affected by the policy-map drop function.
CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S,
12.3T, 12.4, and 12.4T.
Additional information on the configuration and use of the CoPP feature
can be found at the following URL: