This vulnerability affects Cisco products if they are running a vulnerable release of Cisco FTD Software with an interface that is configured in at least one of the following modes:
- Inline Pair
- Inline Pair with Tap
- Passive (ERSPAN)
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.
Determine Whether Inline Pairs are Configured
The checks in this section cover both Inline Pairs and Inline Pairs with Tap.
Option 1: Use the CLI
From the FTD CLI, use the show inline-set command. If the command returns at least one Interface-Pair, the device is vulnerable. If the output is empty or the command does not exist, the device is not vulnerable. The following example shows the output from a device with an Inline Pair that has interfaces Ethernet1/6 and Ethernet1/8 configured (Tap mode is off indicates a plain Inline Pair; Tap mode is on indicates an Inline Pair with Tap):
> show inline-set
Mtu is 1500 bytes
Failsafe mode is on/activated
Failsecure mode is off
Tap mode is off
Propagate-link-state option is on
hardware-bypass mode is disabled
Interface: Ethernet1/6 "INSIDE"
Interface: Ethernet1/8 "OUTSIDE"
Bridge Group ID: 509
Option 2: Use the Cisco Firepower Management Center (FMC) GUI
Choose Devices > Device Management > [Edit Device] > Inline Sets and verify whether any Interface Pairs are configured.
Note: Inline Sets cannot be configured using Cisco Firepower Device Manager (FDM).
Determine Whether Passive Interfaces are Configured
The checks in this section cover both Passive and Passive (ERSPAN) interfaces.
Option 1: Use the CLI
Access the Lina CLI by using the system support diagnostic-cli command. Then, use the show running-config interface | include mode passive command. If that command returns output, at least one passive interface is configured and the device is vulnerable. If that command returns empty output, the device is not vulnerable. The following example shows the output of the show running-config interface | include mode passive command on a device that has one passive interface configured; each passive interface produces one matching line:
ftd# show running-config interface | include mode passive
 mode passive
Option 2: Use the Cisco FMC GUI or FDM GUI
In the Cisco FMC GUI, choose Devices > Device Management > [Edit Device] > Interfaces > [Edit Physical Interface] and verify whether any interfaces are set to Passive mode.
In the Cisco FDM GUI, choose Device > Interfaces > [Edit Physical Interface] and verify whether any interfaces are set to Passive mode. If the Mode drop-down menu does not exist, passive interfaces cannot be configured on the platform and the device is not vulnerable.
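The two CLI checks above are easy to run by hand on one device but tedious across a fleet. The following script is an added example (not Cisco's code and not part of this advisory) that applies the same decision rule offline to captured CLI output: it parses show inline-set for Interface Pairs (flagging Tap mode) and show running-config interface for interfaces carrying mode passive, then reports whether the configuration is in scope. It assumes the output has already been collected as text (for example over SSH); the sample outputs embedded below are constructed for the example and mirror the format shown in this advisory.

```python
"""Offline triage of captured Cisco FTD CLI output for the interface modes
covered by this advisory: Inline Pairs (with or without Tap) and Passive
interfaces.

Assumptions (not from the advisory): the text of `show inline-set` (FTD CLI)
and `show running-config interface` (Lina CLI, without the include filter)
has already been captured and is passed in as strings. SAMPLE_* below are
constructed sample outputs for this example.
"""
import re
from dataclasses import dataclass

INTERFACE_RE = re.compile(r'^\s*Interface:\s+(\S+)\s+"([^"]*)"')
TAP_RE = re.compile(r'^\s*Tap mode is (\w+)')
BRIDGE_RE = re.compile(r'^\s*Bridge Group ID:')
IFACE_HDR_RE = re.compile(r'^interface\s+(\S+)')
MODE_PASSIVE_RE = re.compile(r'^\s*mode passive\b')


@dataclass
class InlinePair:
    interfaces: list   # [(interface, nameif), ...]
    tap_mode: bool     # True for an Inline Pair with Tap


def parse_show_inline_set(text):
    """Return one InlinePair per 'Bridge Group ID' stanza of `show inline-set`.

    Interface lines seen since the previous stanza form the pair. The most
    recent 'Tap mode is ...' line applies to the pair; it carries over if a
    later set omits that line, which is an assumption about multi-set output.
    Empty output (no inline sets) returns [].
    """
    pairs, current, tap = [], [], False
    for line in text.splitlines():
        m = TAP_RE.match(line)
        if m:
            tap = m.group(1).lower() == "on"
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current.append((m.group(1), m.group(2)))
            continue
        if BRIDGE_RE.match(line) and current:
            pairs.append(InlinePair(current, tap))
            current = []
    if current:  # capture was cut off before the Bridge Group ID line
        pairs.append(InlinePair(current, tap))
    return pairs


def passive_interfaces(running_config):
    """Return interface names whose stanza contains 'mode passive', i.e. the
    interfaces that `show running-config interface | include mode passive`
    would match, but attributed to their interface header."""
    found, current = [], None
    for line in running_config.splitlines():
        m = IFACE_HDR_RE.match(line)
        if m:
            current = m.group(1)
        elif current and MODE_PASSIVE_RE.match(line):
            found.append(current)
    return found


def assess(inline_set_output, running_config):
    """Apply the advisory's rule: any Inline Pair or any passive interface
    puts the configuration in scope for this vulnerability."""
    pairs = parse_show_inline_set(inline_set_output)
    passive = passive_interfaces(running_config)
    return {
        "inline_pairs": [[name for name, _ in p.interfaces] for p in pairs],
        "inline_pairs_with_tap": sum(1 for p in pairs if p.tap_mode),
        "passive_interfaces": passive,
        "configuration_in_scope": bool(pairs or passive),
    }


# Constructed sample: one Inline Pair (Tap off), matching the advisory's format.
SAMPLE_INLINE_SET = """\
Mtu is 1500 bytes
Failsafe mode is on/activated
Failsecure mode is off
Tap mode is off
Propagate-link-state option is on
hardware-bypass mode is disabled
Interface: Ethernet1/6 "INSIDE"
Interface: Ethernet1/8 "OUTSIDE"
Bridge Group ID: 509
"""

# Constructed sample: one routed interface, one passive interface, one unused.
SAMPLE_RUNNING_CONFIG = """\
interface Ethernet1/1
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface Ethernet1/2
 mode passive
 nameif span-monitor
 security-level 0
!
interface Ethernet1/3
 shutdown
 no nameif
!
"""

if __name__ == "__main__":
    print(assess(SAMPLE_INLINE_SET, SAMPLE_RUNNING_CONFIG))
    print(assess("", ""))  # no inline sets, no passive interfaces: not in scope
```

A device is only vulnerable if it is also running a vulnerable release, so pair this configuration check with the Fixed Software section; the script answers the configuration half of the question only.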
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
- Adaptive Security Appliance (ASA) Software
- Firepower Management Center (FMC) Software