Multiple Vulnerabilities in Cisco IOS and IOS XE Software
On March 28, 2018, Cisco released a security advisory regarding multiple remote code execution vulnerabilities in their IOS and IOS XE software. These vulnerabilities, identified as CVE-2018-0171, CVE-2018-0150, and CVE-2018-0151, pose a significant threat to the security of networks that utilize these software versions.
Smart Install Remote Code Execution Vulnerability (CVE-2018-0171)
This vulnerability allows a malicious attacker to send a specially crafted data packet to a Cisco IOS or IOS XE device, which is configured to use the Smart Install feature. The device will listen on TCP port 4786, making it vulnerable to buffer overflow attacks. A successful exploit can result in a reboot or the execution of arbitrary code, ultimately leading to complete control of the device and potential traffic hijacking operations.
The Smart Install feature is enabled by default in some Cisco IOS and IOS XE software versions. To verify the enabled state, users can issue the command show vstack config on the affected device. It is recommended to update the software as soon as possible or configure ACLs to restrict access to the affected port.
Static Credential (Default Password) Vulnerability (CVE-2018-0150)
This vulnerability allows a malicious attacker to log into a Cisco IOS XE device using the default user name and password, which have a privilege level of 15. This can result in complete control of the device, enabling malicious traffic hijacking and other operations that can compromise the security of the network.
The default user and password are present in Cisco IOS XE software versions prior to 16.x. To verify the version number, users can issue the command show version on the affected device. It is recommended to update the software as soon as possible.
Quality of Service Remote Code Execution Vulnerability (CVE-2018-0151)
This vulnerability allows a malicious attacker to send a specially crafted data packet to a Cisco IOS or IOS XE device, which is configured to use the Quality of Service subsystem. The device will listen on UDP port 18999, making it vulnerable to buffer overflow attacks. A successful exploit can result in a reboot or the execution of arbitrary code, ultimately leading to complete control of the device and potential traffic hijacking operations.
Mitigation Measures
To mitigate these vulnerabilities, Cisco recommends updating the software as soon as possible or configuring ACLs to restrict access to the affected ports. Additionally, temporarily disabling the Smart Install feature can also help prevent attacks.
Security Operations Recommendation
Given the severity of these vulnerabilities, it is essential for organizations to stay up-to-date with the latest security patches and updates. Cisco has a history of reporting multiple security vulnerabilities in their software, and it is recommended that enterprises prioritize security updates for their Cisco IOS and IOS XE software.
Verifying Software Versions
To verify the software version number, users can issue the command show version on the affected device. For example:
- Cisco IOS device:
Router> show version Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5 (2) T1, RELEASE SOFTWARE (fc1) - Cisco IOS XE device:
ios-xe-device # show version Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
By submitting the version number to the Cisco software checker website, users can determine whether their software is affected by these vulnerabilities.