Buffer overflow in Cisco IOS XE - CVE-2018-0171
Published: March 28, 2018 / Updated: February 1, 2023
Vulnerability identifier: #VU11336
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2018-0171
CWE-ID: CWE-120
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vendor: Cisco Systems, Inc
Affected software:
Cisco IOS XE
Cisco IOS XE
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to cause DoS condition or execute arbitrary code on the target system.
The weakness exists in the Smart Install feature due to improper validation of packet data. A remote attacker can trigger buffer overflow, cause the service to crash and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
How to mitigate CVE-2018-0171
Update to versions 16.3(5.72), 15.7(3.1.14A)OT, 15.7(3.1.10V)OT, 15.7(3.0z)M, 15.7(2.0v)M0.6, 15.6(3)M4, 15.6(3)M3.1, 15.5(3)M7, 15.5(3)M6.1, 15.5(1.0.93)SY1, 15.5(1.0.91)SY1, 15.5(1)SY1, 15.5(1)IC1.112, 15.5(1)IA1.529, 15.4(3)M9, 15.4(1.1.21)SY4, 15.4(1)SY4, 15.2(6.5.1i)E1, 15.2(6.4.66i)E1, 15.2(6.4.4i)E1, 15.2(6)E1, 15.2(4.7.8)EA7, 15.2(2)E8, 15.2(1)SY6, 15.2(1)SY5.114, 15.1(2)SY11.62 or 12.2(60)EZ13.