To determine if a device is vulnerable, first confirm that the device
is running an affected version of 12.2 or 12.4 Cisco IOS system software. Then
check for the process L2TP mgmt daemon running on the
To determine the software version running on a Cisco product, log in to
the device and issue the show version command to display the
system banner. Cisco IOS software will identify itself as "Internetwork
Operating System Software" or simply "IOS." On the next line of output, the
image name will be displayed between parentheses, followed by "Version" and the
IOS release name. Other Cisco devices will not have the show
version command or will give different output.
The following example identifies a Cisco product that is running Cisco
IOS Software Release 12.4(11)T2:
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 01-May-07 04:19 by prod_rel_team
Additional information on the Cisco IOS release naming conventions can
be found in the document entitled "White Paper: Cisco IOS Reference Guide,"
which is available at http://www.cisco.com/warp/public/620/1.html
To check if the process L2TP mgmt daemon is running on
a device, log into the command line interface (CLI) and issue the command
show processes | include L2TP. (NOTE: The command is case
sensitive.) If the output returns a line with the process name L2TP
mgmt daemon, the device is vulnerable. The following example shows a
device running the L2TP mgmt daemon process:
Router#show processes | include L2TP
158 Mwe 62590FE4 4 3 133322900/24000 0 L2TP mgmt daemon
The L2TP mgmt daemon is started by several different types of
configurations that may be deployed in networks that leverage the L2TP
protocol. If any of the following commands appear within a device's
configuration, show running-config, then the device will have
started the L2TP mgmt daemon and is vulnerable.
Device is configured with Virtual Private Dial-Up Networks
The command vpdn enable will appear in the device
Device is configured for L2TP or L2TPv3 Client-Initiated VPDN
The command pseudowire peer-ip-address vcid pw-class pw-class-name appears in the device configuration.
Device is configured with Stack Group Bidding Protocol (SGBP).
The command sgbp group will appear in the device
A L2TP signaling template has been defined.
The command l2tp-class l2tp-class
will appear in the device configuration.
Devices configured for Layer 2 Tunnel Protocol Version 3
The commands pseudowire-class pseudowire-class and a successfully applied interface xconnect command will appear in the device
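The three checks described above (release train from show version, the L2TP mgmt daemon in show processes, and the triggering commands in show running-config) can be applied to captured CLI output offline. The following is an added example, not code from the advisory; the sample outputs are constructed (modelled on the banner and process line quoted above), the hostname and class names are placeholders, and a "candidate" result still has to be confirmed against the advisory's software table.

```python
import re

# Constructed sample CLI output, modelled on the advisory's quoted lines.
SHOW_VERSION = (
    "Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), "
    "Version 12.4(11)T2, RELEASE SOFTWARE (fc4)\n"
    "Technical Support: http://www.cisco.com/techsupport\n"
)
SHOW_PROCESSES = "158 Mwe 62590FE4 4 3 133322900/24000 0 L2TP mgmt daemon\n"
RUNNING_CONFIG = """hostname edge-router
vpdn enable
l2tp-class L2TP-CLASS-1
pseudowire-class PW-CLASS-1
 encapsulation l2tpv3
interface GigabitEthernet0/1
 xconnect 192.0.2.10 100 pw-class PW-CLASS-1
"""

# Image name in parentheses, then "Version <train><rest>", for new and old IOS banners.
VERSION_RE = re.compile(
    r"(?:Cisco IOS Software|IOS \(tm\)|Internetwork Operating System Software)"
    r".*?\(([^()\s]+)\), Version (\d+\.\d+)([^\s,]*)")

# Configuration commands the advisory lists as starting the L2TP mgmt daemon.
TRIGGER_RES = {
    "vpdn enable": re.compile(r"^\s*vpdn enable\b", re.M),
    "pseudowire pw-class": re.compile(r"^\s*pseudowire \S+ \d+ pw-class \S+", re.M),
    "sgbp group": re.compile(r"^\s*sgbp group \S+", re.M),
    "l2tp-class": re.compile(r"^\s*l2tp-class \S+", re.M),
    "pseudowire-class": re.compile(r"^\s*pseudowire-class \S+", re.M),
}

def parse_ios_version(show_version):
    """Return (image, train, full_version) from the banner, or None if it is not IOS."""
    m = VERSION_RE.search(show_version)
    return (m.group(1), m.group(2), m.group(2) + m.group(3)) if m else None

def l2tp_daemon_running(show_processes):
    # Case-sensitive match, exactly like 'show processes | include L2TP'.
    return any("L2TP mgmt daemon" in line for line in show_processes.splitlines())

def l2tp_triggers(running_config):
    found = [name for name, rx in TRIGGER_RES.items() if rx.search(running_config)]
    # L2TPv3 only counts when the pseudowire-class is also applied via xconnect.
    if "pseudowire-class" in found and not re.search(r"^\s*xconnect\s", running_config, re.M):
        found.remove("pseudowire-class")
    return found

def assess(show_version, show_processes, running_config):
    parsed = parse_ios_version(show_version)
    if parsed is None or parsed[1] not in ("12.2", "12.4"):
        return "not-affected-train"   # IOS XR, IOS XE and other trains are out of scope
    if l2tp_daemon_running(show_processes) or l2tp_triggers(running_config):
        return "candidate"            # confirm the exact release against the software table
    return "daemon-not-started"
```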
Devices that are running Cisco IOS versions not explicitly listed as vulnerable
in the software table below are not affected.
Cisco IOS XR is not affected.
Cisco IOS XE is not affected.
No other Cisco products are currently known to be affected by this