Zero-day vulnerability in Cisco IOS

The vulnerability was disclosed by WikiLeaks in documents dubbed CIA Vault 7. It is believed that this vulnerability was used by CIA agents to penetrate government and corporate networks.

Advisory: SB2017031702 - Remote code execution in Cluster Management Protocol in Cisco IOS and IOS XE

Vulnerable component: Cisco IOS

CVE-ID: CVE-2017-3881

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-20 - Improper input validation

Description:

The vulnerability allows a remote attacker to gain access to vulnerable device.

The vulnerability exists due to improper input validation in Cisco Cluster Management Protocol (CMP) implementation and failure to restrict usage of CMP-specific Telnet options only to internal, local communications between cluster members. A remote unauthenticated attacker can send specially crafted CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections and cause the affected device to reload or obtain full control over vulnerable device.

Successful exploitation of this vulnerability may allow an attacker to gain full access to vulnerable device.

Note: information about this vulnerability was publicly disclosed by WikiLeaks documents dubbed CIA Vault 7.

- Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution [Exploit-DB]

- Cisco Catalyst 2960 IOS 12.2(55)SE11 - 'ROCEM' Remote Code Execution [Exploit-DB]

- Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution [Exploit-DB]

External links:

https://www.theregister.co.uk/2017/03/19/cisco_goes_public_with_its_first_vault7_response/
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp