
Multiple Vulnerabilities in Cisco IOS and IOS XE Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2017-091

DATE(S) ISSUED:

09/28/2017

OVERVIEW:

Multiple vulnerabilities have been discovered in Cisco IOS and IOS XE Software, the most severe of which could result in remote code execution. Cisco IOS is the operating system that runs on Cisco routers and network switches; Cisco IOS XE is the Linux-based operating system used on newer Cisco routers and switches. Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code and gain full control of the affected device. Failed exploit attempts could cause the device to reload, resulting in a denial of service condition.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Cisco IOS
  • Cisco IOS XE

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Cisco IOS and IOS XE Software, the most severe of which could result in remote code execution. Details of these vulnerabilities are as follows:

  • A remote code execution vulnerability exists in the DHCP relay subsystem due to a buffer overflow condition, triggered by a crafted DHCPv4 packet sent to a device configured as a DHCP relay. (CVE-2017-12240)
  • A denial of service vulnerability exists in Internet Key Exchange 2 (IKEv2) when processing specially crafted packets. (CVE-2017-12237)
  • An information disclosure vulnerability exists in the Cisco Network Plug-and-Play application due to insufficient certificate validation, which could allow a man-in-the-middle attacker to read Plug-and-Play traffic. (CVE-2017-12228)
  • Multiple vulnerabilities exist in the Common Industrial Protocol (CIP) due to improper parsing of specially crafted packets, which could allow for denial of service. (CVE-2017-12233, CVE-2017-12234)
  • A denial of service vulnerability exists due to a memory management issue in Cisco Catalyst 6800 series switches when receiving a large number of Virtual Private LAN Service (VPLS) MAC entries. (CVE-2017-12238)
  • A denial of service vulnerability exists in the PROFINET Discovery and Configuration Protocol (PN-DCP) due to improper parsing of ingress PN-DCP Identify Request packets. (CVE-2017-12235)
  • A denial of service vulnerability exists in Cisco Integrated Services Router Generation 2 (ISR G2) routers due to a misclassification of Ethernet frames. (CVE-2017-12232)
  • A denial of service vulnerability exists in the implementation of Network Address Translation (NAT) in Cisco IOS due to improper translation of H.323 messages that use the Registration, Admission, and Status (RAS) protocol over IPv4. (CVE-2017-12231)
  • A security bypass vulnerability exists in Cisco ASR 1000 series and cBR-8 routers due to an engineering console port being available on the motherboard of the line cards, which would grant a physical attacker console access to the operating systems of the affected devices. (CVE-2017-12239)
  • A security bypass vulnerability exists in the implementation of the Locator/ID Separation Protocol (LISP) due to a logic error introduced via code regression in Cisco IOS XE. (CVE-2017-12236)
  • A privilege escalation vulnerability exists in the web-based user interface (Web UI) due to incorrect default permission settings for new users. (CVE-2017-12230)
  • An authentication bypass vulnerability exists in the REST API of the Web UI due to insufficient input validation. (CVE-2017-12229)

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute remote code and gain full control of the affected system. Failed exploit attempts could result in a denial of service condition.

September 29 - UPDATED TECHNICAL SUMMARY:
  • A privilege escalation vulnerability exists in the web-based graphical user interface (GUI) due to incomplete input validation of HTTP requests, which could allow an authenticated, remote attacker to elevate their privileges. (CVE-2017-12226)

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Verify that no unauthorized system modifications have occurred on the system before applying patches.
  • Apply the patches provided by Cisco immediately after appropriate testing.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.
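Deciding which devices to patch first and where to restrict access starts with knowing which of the affected subsystems a device actually has enabled. The script below is an added example for this advisory, not MS-ISAC or Cisco code: it walks a saved `show running-config`, recognises the configuration commands that turn on each affected feature (DHCP relay via `ip helper-address`, the Web UI via `ip http server`/`ip http secure-server`, IKEv2, LISP, NAT, Plug-and-Play profiles, PROFINET and CIP on industrial switches) and maps them to the CVEs in the TECHNICAL SUMMARY. The sample configuration is constructed for the example, and the command-to-CVE table is an assumption made here for triage: a hit means the attack surface is configured, not that the specific affected configuration and software release in Cisco's advisory are present. Three CVEs (Catalyst 6800 VPLS, ISR G2 frame handling, the line-card console port) depend on hardware rather than configuration and are reported separately.

```python
"""Triage which vulnerable Cisco IOS / IOS XE features a device exposes.

Added example for this advisory; not MS-ISAC or Cisco code. It maps enabled
configuration features to the advisory's CVEs so that patching and network
access restrictions can be prioritised per device. Matching fixed software
releases is deliberately not attempted here; use Cisco's advisories for that.
"""
from collections import defaultdict

WEB_UI_CVES = ["CVE-2017-12230", "CVE-2017-12229", "CVE-2017-12226"]

# Global-configuration command prefixes that enable an affected subsystem.
# The feature-to-CVE mapping is this example's assumption based on the advisory.
GLOBAL_FEATURES = {
    "ip http server": ("Web UI (HTTP)", WEB_UI_CVES),
    "ip http secure-server": ("Web UI (HTTPS)", WEB_UI_CVES),
    "crypto ikev2": ("IKEv2", ["CVE-2017-12237"]),
    "router lisp": ("LISP", ["CVE-2017-12236"]),
    "pnp profile": ("Network Plug-and-Play", ["CVE-2017-12228"]),
    "profinet": ("PROFINET", ["CVE-2017-12235"]),
}

# Interface-configuration command prefixes; evidence is tagged with the interface.
INTERFACE_FEATURES = {
    "ip helper-address": ("DHCP relay", ["CVE-2017-12240"]),
    "ip nat inside": ("NAT", ["CVE-2017-12231"]),
    "ip nat outside": ("NAT", ["CVE-2017-12231"]),
    "cip enable": ("CIP", ["CVE-2017-12233", "CVE-2017-12234"]),
}

# CVEs that depend on hardware platform or physical access, not configuration.
PLATFORM_CVES = {
    "CVE-2017-12238": "Catalyst 6800 VPLS MAC-entry memory exhaustion",
    "CVE-2017-12232": "ISR G2 Ethernet frame misclassification",
    "CVE-2017-12239": "ASR 1000 / cBR-8 line-card engineering console port",
}


def _match(line, table):
    """Return the (feature, cves) entry whose command prefix starts `line`, else None."""
    for prefix, entry in table.items():
        if line == prefix or line.startswith(prefix + " "):
            return entry
    return None


def triage(config_text):
    """Map advisory CVEs to the config lines showing the related feature is enabled.

    Lines beginning with `no ` count as disabled (IOS prints defaults such as
    `no ip http secure-server`). Interface stanzas are recognised by the
    single-space indentation IOS uses under `interface ...`; indented lines under
    other stanzas (e.g. a crypto proposal) are ignored.
    """
    findings = defaultdict(list)
    interface = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indented = raw.startswith(" ")
        line = raw.strip()
        if line.startswith("no "):
            continue  # explicitly disabled feature
        if not indented:
            interface = line.split(" ", 1)[1] if line.startswith("interface ") else None
            hit, where = _match(line, GLOBAL_FEATURES), "global"
        elif interface is not None:
            hit, where = _match(line, INTERFACE_FEATURES), interface
        else:
            continue
        if hit:
            for cve in hit[1]:
                findings[cve].append(f"{where}: {line}")
    return dict(findings)


def report(findings):
    """Plain-text summary: flagged CVEs with evidence, then the platform-only CVEs."""
    lines = []
    for cve in sorted(findings):
        lines.append(f"{cve}: feature enabled")
        lines.extend(f"    {evidence}" for evidence in findings[cve])
    for cve, what in PLATFORM_CVES.items():
        lines.append(f"{cve}: platform-dependent ({what}); check hardware, not config")
    return "\n".join(lines)


# Constructed sample running-config for this example; not from a real device.
SAMPLE_CONFIG = """\
! Constructed sample, not a real device
version 15.5
hostname edge-rtr-1
!
ip http server
no ip http secure-server
!
crypto ikev2 proposal DEFAULT-PROP
 encryption aes-cbc-256
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 10.10.1.1 255.255.255.0
 ip helper-address 10.10.99.5
 ip nat inside
!
end
"""

if __name__ == "__main__":
    print(report(triage(SAMPLE_CONFIG)))
```

Run it against a saved `show running-config` per device and use the output to order patching. For the sample above it flags the DHCP relay, NAT, IKEv2 and Web UI CVEs and nothing for LISP, Plug-and-Play, PROFINET or CIP. Where the Web UI is not needed, `no ip http server` and `no ip http secure-server` remove that surface entirely; where it is needed, `ip http access-class` with a management-network ACL is the standard way to limit who can reach it, in line with the last recommendation above.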

REFERENCES:

CIS CONTROLS THAT HELP AVOID THIS ISSUE:

  • CIS Control 4: Continuous Vulnerability Assessment and Remediation
  • CIS Control 11: Secure Configurations for Network Devices

CIS BENCHMARK AND OTHER TOOLS FOR RELATED TECHNOLOGY:

  • Cisco