Symptom
This is a modification on the product to adopt new secure code best practices to enhance the security posture and resiliency of the product;
specifically, to disable the Smart Install client feature automatically, if a Smart Install director cannot be detected after initial boot of a
device supporting the Smart Install client feature.
Conditions
Device configured with default configuration and running a version of Cisco IOS or IOS XE prior to the following first fixed releases:
IOS
12.2(60)EZ12
15.1(2)SY12 (upcoming release), 15.2(1)SY6, 15.4(1)SY4, 15.5(1)SY1 (upcoming release)
15.2(2)E7, 15.2(4)E5, 15.2(5)E2c, 15.2(6)E
15.2(4)EA6
IOS XE
3.6.7E
3.8.5E
3.10.0E
Denali-16.3.5
Everest-16.6.1
Auto-disable takes approximately 5 mins from router first boot. For all platforms 'vstack' enabled is a default behaviour and auto-disable works when SMI Director is not configured in network. To make 'no vstack' configuration stick during a reload ensure to do 'wr mem'.
Workaround
Disable the Smart Install feature manually using the no vstack configuration command immediately after initial installation, if this
feature is not used in your network.
Otherwise follow the Recommendations here:
https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi
Further Problem Description
This issue was found during an internal security audit of the product.
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
