Multiple Vulnerabilities in Cisco IOS, IOS XE and IOS XR Could Allow for Remote Code Execution

ITS Advisory Number: 
2018-035 - UPDATED
Date(s) Issued: 
Thursday, March 29, 2018
Date Updated: 
Monday, April 9, 2018
Subject: 
Multiple Vulnerabilities in Cisco IOS, IOS XE and IOS XR Could Allow for Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Cisco IOS, IOS XE and IOS XR Software, the most severe of which could result in remote code execution. Cisco IOS is the infrastructure operating system used by Cisco routers and network switches. Cisco IOS XE is the Linux-based infrastructure operating system used by Cisco routers and network switches. Cisco IOS XR Software is a distributed operating system designed for continuous system operation combined with service flexibility and higher performance. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute remote code and gain full control of the affected system. Failed exploit attempts could result in a denial of service condition.

THREAT INTELLIGENCE:

There are currently no reports of this vulnerability being actively exploited in the wild.


April 9, 2018 - UPDATED THREAT INTELLIGENCE:

Russian cyber actors have misused the Smart Install protocol within Cisco switches to attack organizations active in the U.S. energy grid and other critical infrastructure networks. There are reports of the vulnerability CVE-2018-0171 being exploited in the wild successfully by hacktivist botnets in a campaign against Iran. Cisco is also aware of a significant increase in Internet scans attempting to exploit instances where the Smart Install feature is enabled and not secured. It is important to note that both attacks require a Cisco device to be running a vulnerable version of the Smart Install feature on open port 4786.

Systems Affected: 


  • Cisco IOS

  • Cisco IOS XE

  • Cisco IOS XR

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
Low
Description: 

Multiple vulnerabilities have been discovered in Cisco IOS, IOS XE, and IOS XR Software, the most severe of which could result in remote code execution. Details of these vulnerabilities are as follows:

  • A denial of service vulnerability exists in the Cisco IOS and IOS XE Software Bidirectional Forwarding Detection (BFD) offload implementation of Cisco Catalyst 4500 Series Switches and Cisco Catalyst 4500-X Series Switches. (CVE-2018-0155)

  • A denial of service vulnerability exists in the Dynamic Host Configuration Protocol (DHCP) option 82 encapsulation functionality of Cisco IOS Software and Cisco IOS XE Software. (CVE-2018-0174)

  • A heap overflow vulnerability exists in the DHCP option 82 encapsulation functionality of Cisco IOS Software and Cisco IOS XE Software which could result in a denial of service. (CVE-2018-0172)

  • A denial of service vulnerability exists in the Cisco IOS Software and Cisco IOS XE Software function that restores encapsulated option 82 information in DHCP Version 4 (DHCPv4) packets. (CVE-2018-0173)

  • A denial of service vulnerability exists in the Internet Key Exchange 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software when processing specially crafted packets. (CVE-2018-0158)

  • A denial of service vulnerability exists in the Internet Key Exchange 1 (IKEv1) module of Cisco IOS Software and Cisco IOS XE Software when processing specially crafted packets. (CVE-2018-0159)

  • A buffer overflow vulnerability exists in the quality of service (QoS) subsystem of Cisco IOS Software and Cisco IOS XE Software, which could result in arbitrary code execution. (CVE-2018-0151)

  • A denial of service vulnerability exists in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software when processing specially crafted packets on TCP port 4786. (CVE-2018-0156)

  • A buffer overflow vulnerability exists in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software when processing specially crafted packets on TCP port 4786, which could result in arbitrary code execution. (CVE-2018-0171)

  • A denial of service vulnerability exists in the crypto engine of the Cisco Integrated Services Module for VPN (ISM-VPN) running Cisco IOS Software due to insufficient handling of VPN traffic by the affected device. (CVE-2018-0154)

  • A denial of service vulnerability exists in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software when processing specially crafted SNMP GET requests for the ciscoFlashMIB OID. (CVE-2018-0161)

  • A denial of service vulnerability exists in IP Version 4 (IPv4) processing code of Cisco IOS XE Software running on Cisco Catalyst 3850 and Cisco Catalyst 3650 Series Switches when processing specific IPv4 packets. (CVE-2018-0177)

  • A denial of service vulnerability exists in the Internet Group Management Protocol (IGMP) packet-processing functionality of Cisco IOS XE Software when processing a large number of specially crafted IGMP Membership Query packets. (CVE-2018-0165)

  • A denial of service vulnerability exists in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS XE Software due to improper management of memory resources when processing specially crafted SNMP packets. (CVE-2018-0160)

  • A software static credential vulnerability exists in the Cisco IOS XE Software due to an undocumented user account with privilege level 15 that has a default username and password. (CVE-2018-0150)

  • A root shell access vulnerability exists in the command-line interface (CLI) parser of Cisco IOS XE Software due to improper sanitization of command arguments, which could allow access to internal data structures on a device and result in arbitrary command execution with root privileges. (CVE-2018-0169 and CVE-2018-0176)

  • A privilege escalation vulnerability exists in the web-based user interface (web UI) of Cisco IOS XE Software due to incorrect resetting of privilege level for each web UI session. (CVE-2018-0152)

  • A denial of service vulnerability exists in the Cisco Umbrella Integration feature of Cisco IOS XE Software due to a logic error when handling a malformed incoming packet, leading to access to an internal data structure after it has been freed. (CVE-2018-0170)

  • A denial of service vulnerability exists in the Zone-Based Firewall code of Cisco IOS XE Software due to the processing of specially crafted fragmented packets in the firewall code. (CVE-2018-0170)

  • A buffer overflow vulnerability exists in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software, which could allow for denial of service or arbitrary code execution. (CVE-2018-0167 and CVE-2018-0175)

April 9, 2018 - UPDATED DESCRIPTION:

Misuse of the Smart Install feature of Cisco switches could allow an unauthenticated, remote attacker to change the startup-config file, force a reload of the device, load a new IOS image on the device, and execute high-privilege CLI commands on switches running Cisco IOS and IOS XE Software.

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute remote code and gain full control of the affected system. Failed exploit attempts could result in a denial of service condition.

Actions: 
  • Verify no unauthorized system modifications have occurred on the system before applying the patch.

  • After appropriate testing, immediately install updates provided by Cisco.

  • Monitor intrusion detection systems for any signs of anomalous activity.

  • Unless required, limit external network access to affected products.

April 9, 2018 - UPDATED ACTIONS:

  • Implement the best practice recommendations from the Smart Install Configuration Guide.
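The actions above come down to two checks a network team can script: confirm which devices still accept connections on TCP port 4786 (the Smart Install port named in the advisory), and watch perimeter logs for the connection attempts the updated threat intelligence describes. The following is an added example written for this page; it is not Cisco's code or part of the advisory. It assumes iptables-style firewall log lines (constructed below with documentation IP ranges), a hypothetical management subnet 192.0.2.0/24 from which Smart Install traffic is expected, and hypothetical switch management addresses passed to the exposure audit.

```python
"""Defender-side checks for Smart Install (TCP/4786) exposure and probing.

Added example; not Cisco's or the advisory's code. Assumes iptables-style
firewall logs and a hypothetical management subnet of 192.0.2.0/24.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

SMART_INSTALL_PORT = 4786  # TCP port used by the Smart Install protocol (from the advisory)

# Hypothetical management network from which Smart Install traffic is expected.
MANAGEMENT_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed iptables-style log lines (documentation IP ranges); not from any real device.
SAMPLE_LOGS = [
    "Mar 29 10:15:02 fw01 kernel: ACCEPT IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=40211 DPT=4786 SYN",
    "Mar 29 10:15:09 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=4786 SYN",
    "Mar 29 10:15:11 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=51235 DPT=4786 SYN",
    "Mar 29 10:16:40 fw01 kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=33333 DPT=22 SYN",
    "Mar 29 10:17:01 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.12 PROTO=UDP SPT=1234 DPT=4786",
]

# Extracts the 5-tuple fields we care about from an iptables-style log line.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return src/dst/proto/dpt for a recognised log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def find_smart_install_probes(
    lines: Iterable[str],
    management_net: ipaddress.IPv4Network = MANAGEMENT_NET,
    port: int = SMART_INSTALL_PORT,
) -> Dict[str, List[str]]:
    """Map each non-management source to the hosts it tried to reach on TCP/`port`.

    Traffic from inside the management network is treated as expected and skipped;
    UDP hits and other destination ports are ignored.
    """
    hits: Dict[str, List[str]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] != port:
            continue
        if ipaddress.ip_address(rec["src"]) in management_net:
            continue
        hits.setdefault(rec["src"], []).append(rec["dst"])
    return hits


def tcp_port_open(
    host: str,
    port: int = SMART_INSTALL_PORT,
    timeout: float = 2.0,
    connect: Callable = socket.create_connection,
) -> bool:
    """True if a TCP handshake to host:port completes.

    `connect` defaults to socket.create_connection and is injectable so the
    check can be exercised offline.
    """
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_exposure(hosts: Iterable[str], **kwargs) -> Dict[str, bool]:
    """Report, per management address, whether TCP/4786 still accepts connections."""
    return {host: tcp_port_open(host, **kwargs) for host in hosts}


if __name__ == "__main__":
    for src, dsts in find_smart_install_probes(SAMPLE_LOGS).items():
        print(f"{src} probed TCP/{SMART_INSTALL_PORT} on {len(dsts)} host(s): {', '.join(dsts)}")
    # Exposure audit against hypothetical switch management addresses.
    for host, exposed in audit_exposure(["192.0.2.10", "192.0.2.11"]).items():
        print(f"{host}: Smart Install port {'OPEN' if exposed else 'closed'}")
```

Run the exposure audit only against devices you administer; a switch that still answers on 4786 from outside the management network is the condition the advisory's "limit external network access" action addresses, and the Smart Install Configuration Guide covers disabling the client where it is not needed. The log check deliberately ignores traffic originating inside the management subnet so that a legitimate Smart Install director does not generate noise.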
References: 


Cisco:

https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-66682

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-bfd

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr3

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr1

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr2

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-ike

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-ike-dos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-qos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-snmp

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-ipv4

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-igmp

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-snmp-dos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-xesc

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-privesc1

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-xepriv

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-opendns-dos

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-fwip

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp


CVE:


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0150

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0151

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0152

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0154

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0155

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0156

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0157

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0158

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0159

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0160

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0161

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0165

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0167

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0169

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0170

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0171

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0172

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0173

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0174

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0175

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0176

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0177

April 9, 2018 - UPDATED REFERENCES:

Cisco:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2

https://blogs.cisco.com/security/talos/smart-install-client-targeted

Smart Install Configuration Guide: https://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/concepts.html#23355


US-CERT

https://www.us-cert.gov/ncas/alerts/TA18-074A

Bleeping Computer:

https://www.bleepingcomputer.com/news/security/cyber-attacks-on-us-critical-infrastructure-linked-to-cisco-switch-flaw/

CSO Online:

https://www.csoonline.com/article/3267867/security/hackers-abused-cisco-flaw-to-warn-iran-and-russia-dont-mess-with-our-elections.html