Multiple Vulnerabilities in Cisco IOS and IOS XE Could Allow for Remote Code Execution

ITS Advisory Number: 2017-094
Date(s) Issued: Thursday, September 28, 2017
Subject: Multiple Vulnerabilities in Cisco IOS and IOS XE Could Allow for Remote Code Execution
Overview:

Multiple vulnerabilities have been discovered in Cisco IOS and IOS XE Software, the most severe of which could result in remote code execution. Cisco IOS is the infrastructure operating system used by Cisco routers and network switches. Cisco IOS XE is the Linux-based infrastructure operating system used by Cisco routers and network switches. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute remote code and gain full control of the affected system. Failed exploit attempts could result in a denial of service condition.

Systems Affected:
  • Cisco IOS
  • Cisco IOS XE

Risk:
  Government
    • Large and medium government entities: High
    • Small government entities: High
  Business
    • Large and medium business entities: High
    • Small business entities: High
  Home Users: Low
Description: 

Multiple vulnerabilities have been discovered in Cisco IOS and IOS XE Software, the most severe of which could result in remote code execution. Details of these vulnerabilities are as follows:

  • A remote code execution vulnerability exists in the DHCP relay subsystem due to a buffer overflow condition. (CVE-2017-12240)
  • A denial of service vulnerability exists in Internet Key Exchange 2 (IKEv2) when processing specially crafted packets. (CVE-2017-12237)
  • An information disclosure vulnerability exists in the Cisco Network Plug-and-Play application due to insufficient certificate validation. (CVE-2017-12228)
  • Multiple vulnerabilities exist in the Common Industrial Protocol (CIP) due to improper parsing of specially crafted packets, which could allow for denial of service. (CVE-2017-12233, CVE-2017-12234)
  • A denial of service vulnerability exists due to a memory management issue in Cisco Catalyst 6800 series switches when receiving a large number of Virtual Private LAN Service (VPLS) MAC entries. (CVE-2017-12238)
  • A denial of service vulnerability exists in the PROFINET Discovery and Configuration Protocol (PN-DCP) due to improper parsing of ingress PN-DCP Identify Request packets. (CVE-2017-12235)
  • A denial of service vulnerability exists in Cisco Integrated Services Router Generation 2 (ISR G2) routers due to a misclassification of Ethernet frames. (CVE-2017-12232)
  • A denial of service vulnerability exists in the implementation of Network Address Translation (NAT) in Cisco IOS due to improper translation of H.323 messages that use the Registration, Admission, and Status (RAS) protocol over IPv4. (CVE-2017-12231)
  • A security bypass vulnerability exists in Cisco ASR 1000 series and cBR-8 routers due to an engineering console port being available on the motherboard of the line cards, which would grant a physical attacker console access to the operating systems of the affected devices. (CVE-2017-12239)
  • A security bypass vulnerability exists in the implementation of the Locator/ID Separation Protocol (LISP) due to a logic error introduced via code regression in Cisco IOS XE. (CVE-2017-12236)
  • A privilege escalation vulnerability exists in the web-based user interface (Web UI) due to incorrect default permission settings for new users. (CVE-2017-12230)
  • A security bypass vulnerability exists in the Web UI REST API due to insufficient input validation. (CVE-2017-12229)

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute remote code and gain full control of the affected system. Failed exploit attempts could result in a denial of service condition.

Actions:
  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
  • After appropriate testing, immediately apply the patches provided by Cisco.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to the affected products.
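To help prioritize which devices to patch and isolate first, the following added script (not part of this advisory or of Cisco's own tooling) scans a saved running-config for the subsystems named in the Description above and reports the CVEs each one maps to. The configuration keywords used for each feature are assumptions drawn from general IOS/IOS XE syntax, not from the advisory; a device that shows no matches is still affected and still needs the patch.

```python
import re

# Advisory subsystem -> configuration keyword that usually indicates the
# feature is in use. These keyword choices are assumptions about IOS/IOS XE
# configuration syntax, not facts stated by the advisory. Absence of a
# keyword is an exposure hint only, never proof that a device is unaffected.
FEATURE_PATTERNS = {
    "DHCP relay (CVE-2017-12240)": r"^\s*ip helper-address\s",
    "IKEv2 (CVE-2017-12237)": r"^crypto ikev2\s",
    "Network Plug-and-Play (CVE-2017-12228)": r"^pnp\s",
    "CIP (CVE-2017-12233, CVE-2017-12234)": r"^\s*cip enable",
    "PROFINET / PN-DCP (CVE-2017-12235)": r"^profinet\b",
    "NAT (CVE-2017-12231)": r"^\s*ip nat\s",
    "LISP (CVE-2017-12236)": r"^router lisp\b",
    "Web UI / REST API (CVE-2017-12229, CVE-2017-12230)": r"^ip http (secure-)?server\b",
}


def exposed_features(running_config: str) -> dict:
    """Return {feature: [matching config lines]} for every advisory subsystem
    whose configuration keyword appears in the supplied running-config text."""
    hits = {}
    for feature, pattern in FEATURE_PATTERNS.items():
        regex = re.compile(pattern)
        lines = [ln.strip() for ln in running_config.splitlines() if regex.match(ln)]
        if lines:
            hits[feature] = lines
    return hits


# Constructed sample configuration for demonstration; not from any real device.
SAMPLE_CONFIG = """\
hostname branch-rtr-01
ip http server
no ip http secure-server
crypto ikev2 proposal P1
 encryption aes-cbc-256
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip helper-address 10.0.1.10
 ip nat inside
interface GigabitEthernet0/0
 ip nat outside
"""

if __name__ == "__main__":
    for feature, lines in exposed_features(SAMPLE_CONFIG).items():
        print(f"{feature}: {', '.join(lines)}")
```

Feed it the output of `show running-config` from each device to get a per-device list of exposed subsystems; devices with DHCP relay or Web UI matches are the ones to patch and restrict first, since those map to the remote code execution and privilege escalation issues.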
References: 

Cisco:

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12228  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12229

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12230

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12231

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12232

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12233

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12234

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12235

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12236

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12237

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12239

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12240