#VU11336 Buffer overflow in Cisco IOS XE - CVE-2018-0171
Published: March 28, 2018 / Updated: February 1, 2023
Vulnerability identifier: #VU11336
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2018-0171
CWE-ID: CWE-120
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vulnerable software:
Cisco IOS XE
Cisco IOS XE
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a remote unauthenticated attacker to cause DoS condition or execute arbitrary code on the target system.
The weakness exists in the Smart Install feature due to improper validation of packet data. A remote attacker can trigger buffer overflow, cause the service to crash and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Update to versions 16.3(5.72), 15.7(3.1.14A)OT, 15.7(3.1.10V)OT, 15.7(3.0z)M, 15.7(2.0v)M0.6, 15.6(3)M4, 15.6(3)M3.1, 15.5(3)M7, 15.5(3)M6.1, 15.5(1.0.93)SY1, 15.5(1.0.91)SY1, 15.5(1)SY1, 15.5(1)IC1.112, 15.5(1)IA1.529, 15.4(3)M9, 15.4(1.1.21)SY4, 15.4(1)SY4, 15.2(6.5.1i)E1, 15.2(6.4.66i)E1, 15.2(6.4.4i)E1, 15.2(6)E1, 15.2(4.7.8)EA7, 15.2(2)E8, 15.2(1)SY6, 15.2(1)SY5.114, 15.1(2)SY11.62 or 12.2(60)EZ13.