SB2018033005 - Multiple vulnerabilities in Cisco IOS XE




Published: March 30, 2018 Updated: February 1, 2023

Security Bulletin ID: SB2018033005
Severity: High
Patch available: Yes
Number of vulnerabilities: 38
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 5%, Medium 47%, Low 47%

Description

This security bulletin contains information about 38 security vulnerabilities.


1) Use of hard-coded credentials (CVE-ID: CVE-2018-0150)

The vulnerability allows a remote unauthenticated attacker to bypass security restrictions on the target system.

The weakness exists due to an undocumented user account with privilege level 15 that has a default username and password. A remote attacker can use this account to remotely connect to an affected device and log in to the device with privilege level 15 access.

2) Privilege escalation (CVE-ID: CVE-2018-0152)

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The weakness exists in the web-based user interface (web UI) due to improper reset of the privilege level for each web UI session. A remote attacker who has valid credentials for an affected device can access a VTY line to the device remotely and gain root privileges.

3) Improper input validation (CVE-ID: CVE-2018-0196)

The vulnerability allows a remote authenticated attacker to write arbitrary files to the target system.

The weakness exists in the web-based user interface (web UI) due to insufficient input validation of HTTP requests that are sent to the web UI. A remote attacker can send a malicious HTTP request to the web UI and write arbitrary files.

4) Cross-site scripting (CVE-ID: CVE-2018-0186)

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The weakness exists in the web-based user interface (web UI) due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


5) Cross-site scripting (CVE-ID: CVE-2018-0188)

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The weakness exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


6) Cross-site scripting (CVE-ID: CVE-2018-0190)

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The weakness exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


7) Double free error (CVE-ID: CVE-2018-0160)

The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The weakness exists in the Simple Network Management Protocol (SNMP) subsystem due to improper management of memory resources. A remote attacker can send specially crafted SNMP packets, trigger a double free error and cause the service to crash.

8) Resource management errors (CVE-ID: CVE-2018-0161)

The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The weakness exists in the Simple Network Management Protocol (SNMP) subsystem due to a condition that could occur when processing an SNMP read request that contains a request for the ciscoFlashMIB object ID (OID). A remote attacker can issue an SNMP GET request for the ciscoFlashMIB OID and cause the service to crash due to a SYS-3-CPUHOG.

9) Buffer overflow (CVE-ID: CVE-2018-0171)

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition or execute arbitrary code on the target system.

The weakness exists in the Smart Install feature due to improper validation of packet data. A remote attacker can trigger a buffer overflow and cause the service to crash or execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.


10) Improper input validation (CVE-ID: CVE-2018-0156)

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the Smart Install feature due to improper validation of packet data. A remote attacker can send a specially crafted packet to an affected device on TCP port 4786 and cause the service to crash.

11) Resource management errors (CVE-ID: CVE-2018-0179)

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists due to an attempt to free an area of memory that has not been previously allocated. A remote attacker can attempt to log in via Secure Shell (SSH) or Telnet with invalid credentials multiple times and cause the service to crash.

12) Resource management errors (CVE-ID: CVE-2018-0180)

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists due to an attempt to free an area of memory that has not been previously allocated. A remote attacker can attempt to log in via Secure Shell (SSH) or Telnet with invalid credentials multiple times while the administrator modifies the login block-for configuration and cause the service to crash.

13) Improper input validation (CVE-ID: CVE-2018-0164)

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the Switch Integrated Security Features due to incorrect handling of crafted IPv6 packets. A remote attacker can send specially crafted IPv6 packets, trigger an interface queue wedge and cause the service to crash.

14) Improper authorization (CVE-ID: CVE-2018-0195)

The vulnerability allows a remote authenticated attacker to bypass authorization and obtain elevated privileges on the target system.

The weakness exists in the REST API due to insufficient authorization checks for requests that are sent to the REST API. A remote attacker can send a specially crafted request via the REST API, bypass authorization and gain root privileges.

15) Buffer overflow (CVE-ID: CVE-2018-0151)

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition or execute arbitrary code on the target system.

The weakness exists due to a boundary error in the handling of packets that are destined for UDP port 18999. A remote attacker can send specially crafted packets, trigger a buffer overflow, cause the service to crash and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.


16) Command injection (CVE-ID: CVE-2018-0183)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists in the CLI parser of Cisco IOS XE Software due to improper sanitization of command arguments, which is intended to prevent access to internal data structures on a device. A local attacker with privileged EXEC mode (privilege level 15) access can execute CLI commands that contain crafted arguments, gain access to the underlying Linux shell and execute arbitrary commands with root privileges.

17) Command injection (CVE-ID: CVE-2018-0184)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists in the CLI parser of Cisco IOS XE Software due to improper sanitization of command arguments, which is intended to prevent access to internal data structures on a device. A local attacker with privileged EXEC mode (privilege level 15) access can execute CLI commands that contain crafted arguments, gain access to the underlying Linux shell and execute arbitrary commands with root privileges.

18) Command injection (CVE-ID: CVE-2018-0169)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists in the CLI parser of Cisco IOS XE Software due to improper sanitization of command arguments, which is intended to prevent access to internal data structures on a device. A local attacker with privileged EXEC mode (privilege level 15) access can execute CLI commands that contain crafted arguments, gain access to the underlying Linux shell and execute arbitrary commands with root privileges.

19) Command injection (CVE-ID: CVE-2018-0176)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists in the CLI parser of Cisco IOS XE Software due to improper sanitization of command arguments, which is intended to prevent access to internal data structures on a device. A local attacker with privileged EXEC mode (privilege level 15) access can execute CLI commands that contain crafted arguments, gain access to the underlying Linux shell and execute arbitrary commands with root privileges.

20) Use after free (CVE-ID: CVE-2018-0170)

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the Cisco Umbrella Integration feature due to a logic error when handling a malformed incoming packet, leading to access to an internal data structure after it has been freed. A remote attacker can send specially crafted, malformed IP packets, trigger a use-after-free and cause the service to crash.

21) Buffer overflow (CVE-ID: CVE-2018-0167)

The vulnerability allows an adjacent unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges on the target system.

The weakness exists in the LLDP subsystem due to improper error handling of malformed LLDP messages. An adjacent attacker can submit a specially crafted LLDP protocol data unit (PDU), trigger a buffer overflow, and cause the service to crash or execute arbitrary code with root privileges.

Successful exploitation of the vulnerability may result in system compromise.


22) Memory corruption (CVE-ID: CVE-2018-0175)

The vulnerability allows an adjacent unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges on the target system.

The weakness exists in the LLDP subsystem due to improper handling of certain fields in an LLDP message. An adjacent attacker can submit a specially crafted LLDP PDU, trick the victim into executing a specific show command in the CLI, trigger memory corruption, cause the service to crash or execute arbitrary code with root privileges.

Successful exploitation of the vulnerability may result in system compromise.


23) Data handling (CVE-ID: CVE-2018-0177)

The vulnerability allows a remote unauthenticated attacker to cause high CPU utilization, traceback messages, or a DoS condition on the target system.

The weakness exists in the IP Version 4 (IPv4) processing code due to incorrect processing of certain IPv4 packets. A remote attacker can send specially crafted IPv4 packets to an IPv4 address, trigger high CPU utilization, traceback messages, or cause the service to crash.

24) Improper input validation (CVE-ID: CVE-2018-0159)

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the implementation of Internet Key Exchange Version 1 (IKEv1) functionality due to improper validation of specific IKEv1 packets. A remote attacker can send specially crafted IKEv1 packets during an IKE negotiation and cause the service to crash.


25) Memory leak (CVE-ID: CVE-2018-0158)

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the Internet Key Exchange Version 2 (IKEv2) module due to incorrect processing of certain IKEv2 packets. A remote attacker can send specially crafted IKEv2 packets, trigger a memory leak and cause the service to crash.

26) Resource exhaustion (CVE-ID: CVE-2018-0165)

The vulnerability allows an adjacent unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the Internet Group Management Protocol (IGMP) packet-processing functionality due to insufficient processing of IGMP Membership Query packets. An adjacent attacker can send a large number of specially crafted IGMP Membership Query packets, trigger buffer exhaustion and cause the service to crash.

27) Data handling (CVE-ID: CVE-2018-0157)

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the Zone-Based Firewall code due to improper handling of fragmented packets. A remote attacker can send fragmented IP Version 4 or IP Version 6 packets and cause the service to crash.

28) Improper authentication (CVE-ID: CVE-2018-0163)

The vulnerability allows an adjacent unauthenticated attacker to bypass authentication on the target system.

The weakness exists in the 802.1x multiple-authentication (multi-auth) feature due to logic change error introduced into the code. An adjacent attacker can try to access an 802.1x multi-auth port after a successful supplicant has authenticated and bypass the 802.1x access controls.

29) Data handling (CVE-ID: CVE-2018-0154)

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the crypto engine of the Cisco Integrated Services Module for VPN (ISM-VPN) due to insufficient handling of VPN traffic. A remote attacker can send specially crafted VPN traffic and cause the service to crash.

30) Improper input validation (CVE-ID: CVE-2018-0174)

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the DHCP option 82 encapsulation functionality due to incomplete input validation of option 82 information that it receives in DHCP Version 4 (DHCPv4) packets from DHCP relay agents. A remote attacker can send a specially crafted DHCPv4 packet and cause the service to crash.

31) Improper input validation (CVE-ID: CVE-2018-0173)

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the function that restores encapsulated option 82 information in DHCP Version 4 (DHCPv4) packets due to incomplete input validation of encapsulated option 82 information that it receives in DHCPOFFER messages from DHCPv4 servers. A remote attacker can send a specially crafted DHCPv4 packet and cause the service to crash.

32) Heap-based buffer overflow (CVE-ID: CVE-2018-0172)

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the DHCP option 82 encapsulation functionality due to incomplete input validation of option 82 information that it receives in DHCP Version 4 (DHCPv4) packets from DHCP relay agents. A remote attacker can send a specially crafted DHCPv4 packet, trigger a heap overflow and cause the service to crash.

33) OS command injection (CVE-ID: CVE-2018-0182)

The vulnerability allows a local authenticated attacker to inject and execute arbitrary commands with elevated privileges on the target system.

The weakness exists in the CLI parser due to insufficient sanitization of command arguments before passing commands to the Linux shell for execution. A local attacker can submit a malicious CLI command, gain access to the underlying Linux shell and execute arbitrary commands with root privileges.

34) OS command injection (CVE-ID: CVE-2018-0185)

The vulnerability allows a local authenticated attacker to inject and execute arbitrary commands with elevated privileges on the target system.

The weakness exists in the CLI parser due to insufficient sanitization of command arguments before passing commands to the Linux shell for execution. A local attacker can submit a malicious CLI command, gain access to the underlying Linux shell and execute arbitrary commands with root privileges.

35) OS command execution (CVE-ID: CVE-2018-0193)

The vulnerability allows a local authenticated attacker to inject and execute arbitrary commands with elevated privileges on the target system.

The weakness exists in the CLI parser due to insufficient sanitization of command arguments before passing commands to the Linux shell for execution. A local attacker can submit a malicious CLI command, gain access to the underlying Linux shell and execute arbitrary commands with root privileges.

36) OS command execution (CVE-ID: CVE-2018-0194)

The vulnerability allows a local authenticated attacker to inject and execute arbitrary commands with elevated privileges on the target system.

The weakness exists in the CLI parser due to insufficient sanitization of command arguments before passing commands to the Linux shell for execution. A local attacker can submit a malicious CLI command, gain access to the underlying Linux shell and execute arbitrary commands with root privileges.

37) Error handling (CVE-ID: CVE-2018-0155)

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the Bidirectional Forwarding Detection (BFD) offload implementation of Cisco Catalyst 4500 Series Switches and Cisco Catalyst 4500-X Series Switches due to insufficient error handling when the BFD header in a BFD packet is incomplete. A remote attacker can send a specially crafted BFD message to or across an affected switch and cause the service to crash.

38) Resource management errors (CVE-ID: CVE-2018-0189)

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the Forwarding Information Base (FIB) code due to a limitation in the way the FIB internally represents recursive routes. A remote attacker can inject routes with a specific recursive pattern into the routing protocol and cause the service to crash.

Remediation

Install the update from the vendor's website.
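A defender-side inventory of the configuration surface the items above touch, added here as an example and not part of this bulletin or of any Cisco tooling: it parses a constructed running-config excerpt and flags the exposures relevant to item 1 (extra privilege-15 accounts), items 2-6 (web UI), items 7-8 (SNMP), items 9-10 (Smart Install), items 21-22 (LLDP) and items 30-32 (DHCP option 82). The sample config, the privilege-15 allow-list and the `no vstack` check are assumptions, not facts stated in this bulletin.

```python
import re

# Constructed sample of a 'show running-config' excerpt (not from a real
# device), exercising the exposures this bulletin describes: an extra
# privilege-15 local account (item 1), the web UI (items 2-6), SNMP
# (items 7-8), Smart Install (items 9-10), LLDP (items 21-22) and DHCP
# option 82 relay insertion (items 30-32).
SAMPLE_CONFIG = """\
hostname edge-sw1
username admin privilege 15 secret 5 $1$constructed$placeholder
username svc-backup privilege 15 secret 5 $1$constructed$placeholder
ip http server
ip http secure-server
snmp-server community public RO
lldp run
ip dhcp relay information option
login block-for 120 attempts 3 within 60
"""

# Hypothetical allow-list: the privilege-15 accounts the operator created.
EXPECTED_PRIV15 = {"admin"}


def audit_config(config, expected_priv15=EXPECTED_PRIV15):
    """Return a list of findings describing attack surface this bulletin covers.

    Assumption (a vendor mitigation not stated in this bulletin): on platforms
    that ship the Smart Install client, it stays enabled unless the config
    contains the line 'no vstack'.
    """
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    for line in lines:
        # Any privilege-15 user not on the allow-list needs an explanation.
        m = re.match(r"username (\S+) privilege 15\b", line)
        if m and m.group(1) not in expected_priv15:
            findings.append(f"unexpected privilege-15 account: {m.group(1)}")
        # SNMPv1/v2c community strings expose the SNMP subsystem (items 7-8).
        if re.match(r"snmp-server community \S+ R[OW]\b", line):
            findings.append(f"SNMP community configured: {line}")
    if any(line in ("ip http server", "ip http secure-server") for line in lines):
        findings.append("web UI enabled (ip http server / ip http secure-server)")
    if "no vstack" not in lines:
        findings.append("Smart Install client not explicitly disabled (no 'no vstack' line)")
    if "lldp run" in lines:
        findings.append("LLDP enabled globally")
    if "ip dhcp relay information option" in lines:
        findings.append("DHCP option 82 relay insertion enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Each finding marks a feature whose presence makes one of the listed items reachable on that device; it is an inventory to prioritise patching, not proof of exposure to a specific CVE.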
