There are no workarounds that address this vulnerability.
However, administrators can choose one of the following mitigation options to help reduce the attack surface:
For features that leverage the TTYs, apply an ACL to all VTY lines. This will mitigate this vulnerability for those applications, as shown in the following example:

    line template vty
     access-class ingress MGMT_ACL_V4
    !
    vty-pool default 0 9 line-template vty

For features that leverage a feature-specific ACL, apply an ACL to the feature itself. This will mitigate this vulnerability for those applications, as shown in the following examples:

NETCONF:

    ssh server netconf ipv4 access-list MGMT_ACL_V4

SSH:

    ssh server ipv4 access-list MGMT_ACL_V4

Telnet:

    telnet ipv4 server max-servers 3 access-list MGMT_ACL_V4

For features that are controlled through management plane protection, apply an out-of-band management plane protection policy, as shown in the following example:

    control-plane
     management-plane
      out-of-band
       interface MgmtEth0/RSP0/CPU0/0
        allow all peer
         address ipv4 192.168.1.1
        !
       !
       interface MgmtEth0/RSP1/CPU0/0
        allow all peer
         address ipv4 192.168.1.1
        !
       !

Note: Applications accessible on the device that neither require a TTY to be allocated nor support application-specific ACLs are still exposed.
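
To check a saved running configuration against the first two mitigation options above, the following added example (not part of the original advisory or any vendor tooling) reports VTY pools whose line template lacks an ingress ACL and SSH, NETCONF or Telnet servers configured without an IPv4 access list. Assumptions: it matches only the command forms shown in the advisory, skips VTY pools with no explicit line-template, and does not cover IPv6 or management plane protection; the sample configuration and the template name vty-open are constructed.

```python
import re

# Constructed sample config (not from a real device). The template name
# "vty-open" is hypothetical; SSH, Telnet and the eem pool lack an ACL.
SAMPLE_CONFIG = """\
line template vty
 access-class ingress MGMT_ACL_V4
!
line template vty-open
 exec-timeout 10 0
!
vty-pool default 0 9 line-template vty
vty-pool eem 100 105 line-template vty-open
ssh server v2
ssh server netconf ipv4 access-list MGMT_ACL_V4
telnet ipv4 server max-servers 3
"""

def audit(config):
    """Return sorted findings for the VTY and feature-ACL mitigations (IPv4 only)."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = set()
    # Record, per line template, whether it carries an ingress access-class.
    templates, current = {}, None
    for l in lines:
        m = re.match(r"line template (\S+)$", l)
        if m:
            current = m.group(1)
            templates[current] = False
        elif current and l.startswith(" "):
            if re.match(r"\s+access-class ingress \S+", l):
                templates[current] = True
        else:
            current = None
    # Every VTY pool must reference a template that has the ACL.
    for l in lines:
        m = re.match(r"vty-pool (\S+) .*line-template (\S+)", l)
        if m and not templates.get(m.group(2), False):
            findings.add(f"vty-pool {m.group(1)}: template {m.group(2)} has no ingress ACL")
    # Feature-specific ACLs, matched only in the forms the advisory shows.
    top = [l for l in lines if l and not l.startswith(" ")]
    has = lambda pat: any(re.match(pat, l) for l in top)
    if has(r"ssh server (?!netconf)") and not has(r"ssh server ipv4 access-list \S+"):
        findings.add("ssh: no ipv4 access-list")
    if has(r"ssh server netconf") and not has(r"ssh server netconf ipv4 access-list \S+"):
        findings.add("netconf: no ipv4 access-list")
    if any(re.match(r"telnet .*ipv4 server", l) and "access-list" not in l for l in top):
        findings.add("telnet: no ipv4 access-list")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

An empty result means every checked item carries an ACL; it says nothing about the applications the note above describes as still exposed.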