Data handling in Cisco Network Convergence System 1000 Series

#VU12382 Data handling in Cisco Network Convergence System 1000 Series

Published: 2018-05-07

Vulnerability identifier: #VU12382

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-0286

CWE-ID: CWE-19

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cisco Network Convergence System 1000 Series
Hardware solutions / Firmware

Vendor: Cisco Systems, Inc

Description
The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists in the netconf interface due to improper handling of malformed requests processed by the netconf process. A remote attacker can send specially crafted requests and cause the service to crash.

Mitigation
Update to versions 6.5.1.15i.MGBL, 6.4.2.1i.MGBL or 6.3.3.2i.MGBL.

Vulnerable software versions

Cisco Network Convergence System 1000 Series: 6.3.1 - 6.5.1

External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-iosxr

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Denial of service in Cisco Network Convergence System 1000 Series