Information disclosure in Cisco IOS XE - CVE-2017-12289

Published: October 19, 2017


Vulnerability identifier: #VU8890
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-12289
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software: Cisco IOS XE

Detailed vulnerability description

The disclosed vulnerability allows a local privileged attacker to obtain potentially sensitive information.

The vulnerability exists in the conditional, verbose debug logging for the IPsec feature of Cisco IOS XE Software. Because this logging is implemented incorrectly, sensitive information is written to the log file. A local attacker with administrative credentials can authenticate to the device and enable conditional, verbose debug logging for IPsec to access sensitive information related to the IPsec configuration.

Successful exploitation of the vulnerability results in information disclosure.


How to mitigate CVE-2017-12289

Update to version 16.3.2 or 16.4.1.
