
Multiple Vulnerabilities in Cisco IOS, IOS XE and IOS XR Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2018-034

DATE(S) ISSUED:

03/28/2018

OVERVIEW:

Multiple vulnerabilities have been discovered in Cisco IOS, IOS XE and IOS XR Software, the most severe of which could result in remote code execution. Cisco IOS is the infrastructure operating system used by Cisco routers and network switches. Cisco IOS XE is the Linux-based infrastructure operating system used by Cisco routers and network switches. Cisco IOS XR Software is a distributed operating system designed for continuous system operation combined with service flexibility and higher performance. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute remote code and gain full control of the affected system. Failed exploit attempts could result in a denial of service condition.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

April 9 – UPDATED THREAT INTELLIGENCE:
Russian cyber actors have misused the Smart Install protocol within Cisco switches to attack organizations active in the U.S. energy grid and other critical infrastructure networks. There are reports of the vulnerability CVE-2018-0171 being exploited in the wild successfully by hacktivist botnets in a campaign against Iran. Cisco is also aware of a significant increase in Internet scans attempting to exploit instances where the Smart Install feature is enabled and not secured. It is important to note that both attacks require a Cisco device to be running a vulnerable version of the Smart Install feature on open port 4786.
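The update above notes a sharp rise in Internet scans for exposed Smart Install on TCP port 4786. The following is an added detection example, not part of the MS-ISAC advisory or of any Cisco tooling: it parses constructed, generic firewall log lines (the key=value format and all addresses are assumptions for illustration), keeps only inbound TCP/4786 attempts from outside the RFC 1918 ranges, and summarises per source how many attempts were made, against how many hosts, and how many the firewall actually permitted. Internal sources are skipped because a Smart Install director on the management network is expected to reach clients on that port.

```python
"""Flag external connection attempts to the Cisco Smart Install port (TCP/4786)
in firewall logs and summarise them per scanning source.

Added example. The log line format, hostnames and addresses below are
constructed for illustration, not taken from a real capture.
"""
import ipaddress
import re

SMART_INSTALL_PORT = 4786

# RFC 1918 ranges are treated as "inside". Note: ipaddress.is_private also
# covers the 203.0.113.0/24 documentation range, so an explicit list is used.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample log (generic firewall key=value style, not a real capture).
SAMPLE_LOG = """\
2018-04-09T10:01:02Z fw1 action=permit proto=tcp src=203.0.113.7 sport=51234 dst=10.0.0.5 dport=4786
2018-04-09T10:01:03Z fw1 action=permit proto=tcp src=203.0.113.7 sport=51235 dst=10.0.0.6 dport=4786
2018-04-09T10:01:05Z fw1 action=deny proto=tcp src=198.51.100.9 sport=40000 dst=10.0.0.5 dport=4786
2018-04-09T10:02:00Z fw1 action=permit proto=tcp src=10.0.0.20 sport=50001 dst=10.0.0.5 dport=4786
2018-04-09T10:02:10Z fw1 action=permit proto=tcp src=203.0.113.7 sport=51236 dst=10.0.0.5 dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) sport=(?P<sport>\d+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip_text):
    """True if the address falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def find_smart_install_hits(log_text):
    """Return parsed records for TCP/4786 attempts originating outside the network."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] != "tcp" or rec["dport"] != SMART_INSTALL_PORT:
            continue
        if is_internal(rec["src"]):
            continue  # expected director-to-client traffic on the management network
        hits.append(rec)
    return hits


def summarise(hits):
    """Aggregate hits per source: attempts, permitted attempts, distinct targets."""
    summary = {}
    for rec in hits:
        entry = summary.setdefault(rec["src"], {"attempts": 0, "permitted": 0, "targets": set()})
        entry["attempts"] += 1
        if rec["action"] == "permit":
            entry["permitted"] += 1
        entry["targets"].add(rec["dst"])
    for entry in summary.values():
        entry["targets"] = sorted(entry["targets"])
    return summary


if __name__ == "__main__":
    for src, e in summarise(find_smart_install_hits(SAMPLE_LOG)).items():
        state = "PERMITTED - check the target for Smart Install exposure" if e["permitted"] else "blocked"
        print(f"{src}: {e['attempts']} attempt(s) to TCP/{SMART_INSTALL_PORT} "
              f"on {len(e['targets'])} host(s), {state}")
```

A permitted external hit is the one worth paging on: it means a device may be reachable on 4786 from the Internet, which is exactly the precondition the update describes for both the CVE-2018-0171 exploitation and the Smart Install misuse.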

SYSTEMS AFFECTED:

  • Cisco IOS
  • Cisco IOS XE
  • Cisco IOS XR

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Cisco IOS, IOS XE, and IOS XR Software, the most severe of which could result in remote code execution. Details of these vulnerabilities are as follows:

  • A denial of service vulnerability exists in the Cisco IOS and IOS XE Software Bidirectional Forwarding Detection (BFD) offload implementation of Cisco Catalyst 4500 Series Switches and Cisco Catalyst 4500-X Series Switches. (CVE-2018-0155)
  • A denial of service vulnerability exists in the Dynamic Host Configuration Protocol (DHCP) option 82 encapsulation functionality of Cisco IOS Software and Cisco IOS XE Software. (CVE-2018-0174)
  • A heap overflow vulnerability exists in the DHCP option 82 encapsulation functionality of Cisco IOS Software and Cisco IOS XE Software which could result in a denial of service. (CVE-2018-0172)
  • A denial of service vulnerability exists in the Cisco IOS Software and Cisco IOS XE Software function that restores encapsulated option 82 information in DHCP Version 4 (DHCPv4) packets. (CVE-2018-0173)
  • A denial of service vulnerability exists in the Internet Key Exchange 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software when processing specially crafted packets. (CVE-2018-0158)
  • A denial of service vulnerability exists in the Internet Key Exchange 1 (IKEv1) module of Cisco IOS Software and Cisco IOS XE Software when processing specially crafted packets. (CVE-2018-0159)
  • A buffer overflow vulnerability exists in the quality of service (QoS) subsystem of Cisco IOS Software and Cisco IOS XE Software, which could result in arbitrary code execution. (CVE-2018-0151)
  • A denial of service vulnerability exists in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software when processing specially crafted packets on TCP port 4786. (CVE-2018-0156)
  • A buffer overflow vulnerability exists in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software when processing specially crafted packets on TCP port 4786, which could result in arbitrary code execution. (CVE-2018-0171)
  • A denial of service vulnerability exists in the crypto engine of the Cisco Integrated Services Module for VPN (ISM-VPN) running Cisco IOS Software due to insufficient handling of VPN traffic by the affected device. (CVE-2018-0154)
  • A denial of service vulnerability exists in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software when processing a specially crafted SNMP GET request for the ciscoFlashMIB OID. (CVE-2018-0161)
  • A denial of service vulnerability exists in IP Version 4 (IPv4) processing code of Cisco IOS XE Software running on Cisco Catalyst 3850 and Cisco Catalyst 3650 Series Switches when processing specific IPv4 packets. (CVE-2018-0177)
  • A denial of service vulnerability exists in the Internet Group Management Protocol (IGMP) packet-processing functionality of Cisco IOS XE Software when processing a large number of specially crafted IGMP Membership Query packets. (CVE-2018-0165)
  • A denial of service vulnerability exists in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS XE Software due to improper management of memory resources when processing specially crafted SNMP packets. (CVE-2018-0160)
  • A software static credential vulnerability exists in the Cisco IOS XE Software due to an undocumented user account with privilege level 15 that has a default username and password. (CVE-2018-0150)
  • A root shell access vulnerability exists in the command-line interface (CLI) parser of Cisco IOS XE Software due to improper sanitization of command arguments, which fails to prevent access to internal data structures on the device and could result in arbitrary command execution with root privileges. (CVE-2018-0169 and CVE-2018-0176)
  • A privilege escalation vulnerability exists in the web-based user interface (web UI) of Cisco IOS XE Software due to incorrect resetting of privilege level for each web UI session. (CVE-2018-0152)
  • A denial of service vulnerability exists in the Cisco Umbrella Integration feature of Cisco IOS XE Software due to a logic error when handling a malformed incoming packet, leading to access to an internal data structure after it has been freed. (CVE-2018-0170)
  • A denial of service vulnerability exists in the Zone-Based Firewall code of Cisco IOS XE Software due to the processing of specially crafted fragmented packets in the firewall code. (CVE-2018-0170)
  • A buffer overflow vulnerability exists in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software, which could allow for denial of service or arbitrary code execution. (CVE-2018-0167 and CVE-2018-0175)

April 9 – UPDATED TECHNICAL SUMMARY:
A misuse of the Smart Install feature of Cisco Switches could allow an unauthenticated, remote attacker to change the startup-config file, force a reload of the device, load a new IOS image on the device, and execute high-privilege CLI commands on switches running Cisco IOS and IOS XE Software.

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute remote code and gain full control of the affected system. Failed exploit attempts could result in a denial of service condition.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Verify no unauthorized system modifications have occurred on system before applying patch.
  • Apply patches provided by Cisco immediately after appropriate testing.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.

April 9 – RECOMMENDATIONS:

  • Implement the best practice recommendations from the Smart Install Configuration Guide.
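To make the last two recommendations (limit external access; follow the Smart Install Configuration Guide) checkable, here is an added configuration-audit example. It is not part of the advisory and not a Cisco tool. It reads a Cisco IOS running-config as text and reports whether the Smart Install client is disabled with `no vstack` (a real IOS command), or, failing that, whether an extended ACL denying TCP/4786 is applied inbound on at least one interface. The sample configurations, hostnames, ACL name and addresses are constructed, and the ACL pattern matched (`deny tcp any any eq 4786`) is a simplified reading of the guide's filtering advice, so treat the "ok" result as a first pass, not a full compliance check.

```python
"""Audit Cisco IOS running-config text for Smart Install (TCP/4786) exposure.

Added example, not a Cisco tool. Checks, in order:
  1. 'no vstack' present      -> Smart Install client disabled (ok)
  2. an extended ACL with 'deny tcp any any eq 4786', applied with
     'ip access-group <name> in' on some interface -> filtered (ok)
  3. such an ACL exists but is not applied      -> warn
  4. neither                                    -> exposed
All sample configs below are constructed for illustration.
"""
import re

SMART_INSTALL_PORT = 4786

# Constructed sample: nothing done about Smart Install.
CONFIG_UNHARDENED = """\
hostname sw-edge-1
!
interface GigabitEthernet1/0/1
 description uplink
 ip address 192.0.2.2 255.255.255.252
!
"""

# Constructed sample: client disabled outright.
CONFIG_DISABLED = """\
hostname sw-access-7
!
no vstack
!
interface GigabitEthernet1/0/1
 ip address 10.0.1.2 255.255.255.0
!
"""

# Constructed sample: only the director host 10.0.0.1 may reach 4786.
CONFIG_ACL = """\
hostname sw-dist-3
!
ip access-list extended SMI_HARDENING_ACL
 permit tcp host 10.0.0.1 any eq 4786
 deny tcp any any eq 4786
 permit ip any any
!
interface GigabitEthernet1/0/1
 description uplink
 ip address 192.0.2.6 255.255.255.252
 ip access-group SMI_HARDENING_ACL in
!
"""


def smart_install_disabled(config):
    """True if the config contains a top-level 'no vstack' line."""
    return any(line.strip() == "no vstack" for line in config.splitlines())


def acls_blocking_smart_install(config):
    """Return the names of extended ACLs containing 'deny tcp any any eq 4786'."""
    names = set()
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^ip access-list extended (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None  # any unindented line ends the ACL block
            continue
        if current and re.match(rf"^\s*deny tcp any any eq {SMART_INSTALL_PORT}\b", line):
            names.add(current)
    return names


def interfaces_with_acl(config, acl_names):
    """Return interface names on which one of acl_names is applied inbound."""
    applied = []
    current_if = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current_if = m.group(1)
            continue
        if not line.startswith(" "):
            current_if = None
            continue
        m = re.match(r"^\s*ip access-group (\S+) in$", line)
        if m and current_if and m.group(1) in acl_names:
            applied.append(current_if)
    return applied


def audit(config):
    """Return (status, detail) where status is 'ok', 'warn' or 'exposed'."""
    if smart_install_disabled(config):
        return ("ok", "Smart Install client disabled with 'no vstack'")
    acls = acls_blocking_smart_install(config)
    ifaces = interfaces_with_acl(config, acls)
    if ifaces:
        return ("ok", f"TCP/{SMART_INSTALL_PORT} denied inbound on {', '.join(ifaces)} "
                      f"via {', '.join(sorted(acls))}")
    if acls:
        return ("warn", f"ACL denying TCP/{SMART_INSTALL_PORT} defined ({', '.join(sorted(acls))}) "
                        "but not applied inbound on any interface")
    return ("exposed", f"no 'no vstack' and no inbound ACL denying TCP/{SMART_INSTALL_PORT}")


if __name__ == "__main__":
    for name, cfg in (("unhardened", CONFIG_UNHARDENED), ("disabled", CONFIG_DISABLED), ("acl", CONFIG_ACL)):
        status, detail = audit(cfg)
        print(f"{name:11s} {status:8s} {detail}")
```

Run it against a `show running-config` capture of each switch; an "exposed" result on a device reachable from an untrusted segment is the condition the April 9 update warns about, and disabling the client is the simpler fix where Smart Install is not in use.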

REFERENCES:

Cisco:
https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-66682
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-bfd
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr3
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr1
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr2
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-ike
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-ike-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-qos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-snmp
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-ipv4
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-igmp
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-snmp-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-xesc
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-privesc1
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-xepriv
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-opendns-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-fwip
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi
https://blogs.cisco.com/security/talos/smart-install-client-targeted


CIS Controls that help avoid this issue:
  • CIS Control 3: Continuous Vulnerability Assessment and Remediation
  • CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

CIS Benchmark and other tools for related technology: Cisco