Three critical vulnerabilities impacting Cisco IOS, and ISO XE software have recently been disclosed. First released on March 28th, all three vulnerabilities were given a CVS Score of 9.8. They were disclosed by Cisco as part of a security advisory dealing with a total of 22 vulnerabilities ranging from high to critical. 1
What are the Vulnerabilities Identified and What Devices Are Impacted?
CVE-2018-0151 / Cisco IOS and IOS XE Software Quality of Service Remote Code Execution Vulnerability: Elevation of privilege or denial-of-service vulnerability. Through exploitation of this vulnerability, an attacker could create a denial-of-service attack or execution of arbitrary code with elevated privileges.
Vulnerable devices include all devices running Cisco IOS and Cisco IOS XE software. Cisco has released a software fix, however, it is understood that a workaround is also available for this vulnerability. Please refer to the full Cisco advisory for further detail on this workaround. 2
CVE-2018-0171 / Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability: Denial-of-Service vulnerability. Exploitation of this vulnerability could allow for a DoS attack through the triggering of a device reload and for arbitrary code execution. Exploitation relies on leveraging an improper validation of packet data, which is the root of this vulnerability.
Vulnerable devices include all devices running Cisco IOS and Cisco IOS XE software which have the Smart Install client feature enabled. 3
CVE-2018-0150 / Cisco ISO XE Software Static Credential Vulnerability: Escalation of privilege vulnerability. This vulnerability could allow an attacker to log into impacted devices with the initial boot’s default username and password. This is as a result of an undocumented, privileged user account which retains the default username and password.
Devices running impacted versions of Cisco IOS and Cisco IOS XE software are vulnerable. No versions prior to 16.x are impacted and Cisco has shared an online tool to allow administrators to confirm if they’re running an impacted version of 16.x. Please see the link at the bottom of the advisory for details on this tool. Both workarounds and software fixes are available to remediate this critical vulnerability. 4
Although none of the above vulnerabilities has as yet been reported to have been exploited in the wild, given that the above vulnerabilities allow for privileged access; Cisco is urging administrators to take prompt remediative action.
How do I Remediate?
Cisco has released software updates for all three critical vulnerabilities which are available through the usual channels. As with all upgrades Cisco recommends that administrators confirm their Cisco devices have sufficient memory and that their current hardware and software configurations are supported in the new release
How Can Ward Help?
For Managed Service customers, the Ward Support team will be reviewing individual environments and making recommendations on appropriate patching for all supported devices.
For all other customers, if you would like additional information or would like support in assessing and protecting your environment, please contact us to discuss your unique requirement.