A new critical vulnerability has been found in Cisco IOS Software and Cisco IOS XE Software that could lead to remote code execution and a denial-of-service condition. An unauthenticated, remote attacker could execute arbitrary code to take full control over a compromised network as well as intercept its traffic. This flaw has been identified as CVE-2018-0171.
More about CVE-2018-0171
The vulnerability is the result of improper validation of packet data in the Smart Install Client. Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches, Cisco explains. With this feature, a switch can be shipped and placed in the network without any configuration having to be done on the device itself.
“A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device”, Embedi researchers reported.
The Embedi team recently published a technical overview and Proof-of-Concept code following the publication of patches addressing this flaw. The flaw itself has been rated as critical with a CVSS (Common Vulnerability Scoring System) of 9.8.
According to the researchers, 8.5 million devices expose the vulnerable port, and 250,000 of those are actually vulnerable:
“During a short scan of the Internet, we detected 250,000 vulnerable devices and 8.5 million devices that have a vulnerable port open.”
How Can CVE-2018-0171 Be Exploited?
For this flaw to be exploited, the attacker would need to send a crafted Smart Install message to a vulnerable device using the open-by-default port 4786.
More specifically, the buffer overflow occurs in the function smi_ibc_handle_ibd_init_discovery_msg. The size of the data copied into a fixed-size buffer is never checked: both the size and the data are taken directly from the network packet, so they are entirely under an attacker’s control.
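The defect described above is the classic unchecked length-prefixed copy. The following C program is an added illustration, not code from Cisco, Embedi or the original article: it uses a simplified, hypothetical message layout (a 4-byte big-endian length followed by the payload, which is not the real Smart Install wire format) and shows the flawed pattern next to a handler that validates the wire-supplied length against both the destination buffer and the bytes actually received. All sample messages are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified, hypothetical message layout used only for this illustration:
   a 4-byte big-endian payload length followed by the payload. The real
   Smart Install wire format is not reproduced here. */
#define MAX_PAYLOAD 64u

enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The flawed pattern the article describes: the copy length is taken from
   the packet and never compared against the destination buffer. Kept here
   for contrast only; it is never called on the oversized sample below. */
void handle_unchecked(const uint8_t *pkt, uint8_t out[MAX_PAYLOAD]) {
    uint32_t len = read_be32(pkt);
    memcpy(out, pkt + 4, len);   /* len > MAX_PAYLOAD overruns 'out' */
}

/* Hardened handler: every length that came off the wire is validated
   against both the destination buffer and the bytes actually received
   before a single byte is copied. */
enum parse_result handle_checked(const uint8_t *pkt, size_t pkt_len,
                                 uint8_t out[MAX_PAYLOAD], size_t *out_len) {
    if (pkt_len < 4)                     /* header itself incomplete */
        return PARSE_TRUNCATED;
    uint32_t len = read_be32(pkt);
    if (len > MAX_PAYLOAD)               /* the check the vulnerable code lacks */
        return PARSE_TOO_LONG;
    if (len > pkt_len - 4)               /* declared more than was received */
        return PARSE_TRUNCATED;
    memcpy(out, pkt + 4, len);
    *out_len = len;
    return PARSE_OK;
}

/* Build a constructed message: the header claims 'claimed' payload bytes,
   the body carries 'actual' bytes of filler. Returns bytes written to 'buf'. */
size_t build_message(uint8_t *buf, size_t buf_size, uint32_t claimed, size_t actual) {
    if (buf_size < 4 + actual) return 0;
    buf[0] = (uint8_t)(claimed >> 24); buf[1] = (uint8_t)(claimed >> 16);
    buf[2] = (uint8_t)(claimed >> 8);  buf[3] = (uint8_t)claimed;
    memset(buf + 4, 0x41, actual);
    return 4 + actual;
}

/* Run the checked handler over one constructed message and return its verdict. */
enum parse_result classify(uint32_t claimed, size_t actual) {
    uint8_t pkt[4 + 512];
    uint8_t out[MAX_PAYLOAD];
    size_t out_len = 0;
    size_t n = build_message(pkt, sizeof pkt, claimed, actual);
    return handle_checked(pkt, n, out, &out_len);
}

int main(void) {
    printf("well-formed 16-byte payload   : %d\n", classify(16, 16));    /* 0 = PARSE_OK */
    printf("length field says 300 bytes   : %d\n", classify(300, 300));  /* 2 = PARSE_TOO_LONG */
    printf("header claims 40, only 10 sent: %d\n", classify(40, 10));    /* 1 = PARSE_TRUNCATED */
    return 0;
}
```

The two rejections are deliberately distinct: a length larger than the destination buffer is the memory-safety failure the article describes, while a length larger than the datagram that actually arrived is an over-read of the receive buffer; a robust parser has to refuse both before touching memcpy.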
Exploitation of CVE-2018-0171 can also lead to a denial-of-service condition (a watchdog crash) by triggering an indefinite loop on the affected device. That’s not all, though. Any device that can act as a Smart Install client is potentially vulnerable to the bug, including:
– Catalyst 4500 Supervisor Engines
– Catalyst 3850 Series
– Catalyst 3750 Series
– Catalyst 3650 Series
– Catalyst 3560 Series
– Catalyst 2960 Series
– Catalyst 2975 Series
– IE 2000
– IE 3000
– IE 3010
– IE 4000
– IE 4010
– IE 5000
– SM-ES2 SKUs
– SM-ES3 SKUs
– SM-X-ES3 SKUs
Fortunately, the bug has been fixed, and admins are urged to apply the patch as soon as possible.