SB2017100404 - Multiple vulnerabilities in Cisco IOS XE
Published: October 4, 2017
Description
This security bulletin contains information about 7 security vulnerabilities.
1) Security restrictions bypass (CVE-ID: CVE-2017-12239)
The vulnerability allows an unauthenticated attacker with physical access to bypass security restrictions on the target system. The weakness exists because an engineering console port is available on the motherboard. An attacker can physically connect to the console port on the line card, bypass security restrictions and gain full access to the affected device's operating system.
2) Authentication bypass (CVE-ID: CVE-2017-12236)
The vulnerability allows a remote attacker to bypass authentication on the target system. The weakness exists in the implementation of the Locator/ID Separation Protocol (LISP) in Cisco IOS XE Software due to a logic error introduced via a code regression. A remote attacker can send specific valid map-registration requests, which will be accepted by the MS/MR even if the authentication keys do not match, inject invalid mappings of EIDs to RLOCs in the MS/MR of the affected software and bypass authentication.
3) Improper input validation (CVE-ID: CVE-2017-12222)
The vulnerability allows an adjacent attacker to cause a DoS condition on the target system. The weakness exists in the wireless controller manager of Cisco IOS XE Software due to insufficient input validation. An adjacent attacker can cause the switch to restart.
4) Privilege escalation (CVE-ID: CVE-2017-12226)
The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system. The weakness exists in the web-based Wireless Controller GUI of Cisco IOS XE Software due to incomplete input validation of HTTP requests by the affected GUI, if the GUI connection state or protocol changes. A remote attacker can authenticate to the Wireless Controller GUI as a Lobby Administrator user, change the state or protocol for connection to the GUI, obtain administrator privileges and gain full control over the affected device.
5) Improper certificate validation (CVE-ID: CVE-2017-12228)
The vulnerability allows a remote attacker to conduct a man-in-the-middle (MitM) attack. The weakness exists due to insufficient certificate validation. A remote attacker can supply a crafted certificate, conduct a MitM attack and decrypt confidential information on user connections to the affected software.
6) Buffer overflow (CVE-ID: CVE-2017-12240)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to a buffer overflow condition in the DHCP relay subsystem of Cisco IOS and Cisco IOS XE Software. A remote attacker can send a specially crafted DHCP Version 4 (DHCPv4) packet, execute arbitrary code and gain full control over the affected system.
7) Improper input validation (CVE-ID: CVE-2017-12237)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists in the Internet Key Exchange Version 2 (IKEv2) module due to an error when processing certain IKEv2 packets. A remote attacker can send specially crafted IKEv2 packets to the device and cause high CPU utilization, traceback messages, or a device reload.
Successful exploitation of the vulnerability results in denial of service.
Remediation
Install the update from the vendor's website.
References
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-cc
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-lisp
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-ios-xe
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-ngwc
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-pnp
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-dhcp
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-ike