Cisco has published a security advisory about a zero-day vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software. This vulnerability (CVE-2017-3881) could allow an unauthenticated, remote attacker to execute arbitrary code with elevated privileges and obtain full control of the affected device, or to cause a reload of the device.
In CMP, Telnet is used internally as a signaling and command protocol between cluster members. The CVE-2017-3881 vulnerability is due to the following two conditions:
The use of CMP-specific Telnet options is not restricted to internal communications between cluster members.
Malformed CMP-specific Telnet options are processed incorrectly.
The vulnerability is likely to affect over 300 Cisco devices. The list of the affected Cisco devices is available at the following location:
According to the Cisco advisory, software updates will be released to address this vulnerability. However, there are currently no workarounds that address this vulnerability.
Disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector. Disabling Telnet and using SSH is recommended by Cisco. For information on how to do both, refer to the Cisco Guide to Harden Cisco IOS Devices.
To verify whether Telnet is disabled on your Cisco devices, create a customized check in the CCS Standards Manager and run it. The evaluation results from the check run will help you make informed decisions and secure your Cisco environment.
To create a customized simple check, follow these steps:
In the Standards workspace, on the Command tab, add the following command text:
show running-config | include ^line vty|transport input
Add the following commands in the CommandWhitelist.ini file:
Note: The CommandWhitelist.ini file is present at <CCS Installation Directory>\Symantec\CCS\Reporting and Analytics\Application Server\PlatformSettings\Global\GenericDevices\Control\GenericDevices\ConfigFiles
Note: Whenever you modify the whitelisted commands in the configuration file, you must run the Sync Configuration job to make sure that the change is applied to future scans. The job updates the changes on all the CCS Managers.
Run the Collection-Evaluation-Reporting (CER) job against the Cisco targets in your environment by using the customized check that you create.
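Added example (not part of this article or of the CCS product): a short Python evaluation of the output that the filtered command above returns, showing how a check can decide per vty range whether Telnet is still an allowed input transport. The sample output is constructed, and the function names and verdict labels are assumptions for this illustration. Because the include filter is a regular expression, it passes lines that start with "line vty" and any line containing "transport input", so a transport line from the console or aux port can appear without its header; the parser ignores those. A vty range with no explicit transport input line inherits a platform default that the filtered output cannot show, so it is flagged for review rather than guessed.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of what
#   show running-config | include ^line vty|transport input
# can return. The first line belongs to a console/aux line whose header the
# filter dropped; the two vty ranges each carry their own transport setting.
SAMPLE_OUTPUT = """\
 transport input none
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

FAIL = "FAIL"      # Telnet is accepted on this vty range
PASS = "PASS"      # Telnet is explicitly excluded on this vty range
REVIEW = "REVIEW"  # no explicit transport input; platform default applies


@dataclass
class VtyBlock:
    name: str                            # e.g. "line vty 0 4"
    transports: list[str] | None = None  # tokens after "transport input", None if absent


def parse_vty_transports(show_output: str) -> list[VtyBlock]:
    """Group each 'transport input' line under the preceding 'line vty' header.

    A 'transport input' seen before any 'line vty' header belongs to a console
    or aux line (its header was dropped by the include filter) and is ignored,
    since those lines are not network-reachable Telnet listeners.
    """
    blocks: list[VtyBlock] = []
    current: VtyBlock | None = None
    for raw in show_output.splitlines():
        line = raw.strip().lower()
        if line.startswith("line vty"):
            current = VtyBlock(name=line)
            blocks.append(current)
        elif line.startswith("transport input") and current is not None:
            current.transports = line.split()[2:]
    return blocks


def telnet_exposure(show_output: str) -> dict[str, str]:
    """Return a per-vty-range verdict on whether Telnet is an allowed input transport."""
    verdicts: dict[str, str] = {}
    for block in parse_vty_transports(show_output):
        if block.transports is None:
            # The default is not visible in the filtered output, so ask for a
            # manual look instead of assuming which default this release uses.
            verdicts[block.name] = REVIEW
        elif "telnet" in block.transports or "all" in block.transports:
            verdicts[block.name] = FAIL
        else:
            # e.g. "ssh" or "none": Telnet is not accepted on this range
            verdicts[block.name] = PASS
    return verdicts


def device_passes(show_output: str) -> bool:
    """True only when at least one vty range was seen and every range excludes Telnet."""
    verdicts = telnet_exposure(show_output)
    return bool(verdicts) and all(v == PASS for v in verdicts.values())


if __name__ == "__main__":
    for name, verdict in telnet_exposure(SAMPLE_OUTPUT).items():
        print(f"{name}: {verdict}")
    print("device passes:", device_passes(SAMPLE_OUTPUT))
```

On the constructed sample, "line vty 0 4" fails because it still accepts Telnet alongside SSH, "line vty 5 15" passes, and the device as a whole is reported as not passing; a device passes only when every vty range explicitly limits input to non-Telnet transports. An empty result (no vty lines collected) is treated as a failure rather than a pass, so a collection problem cannot masquerade as a hardened device.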
Disclaimer: The information in this article is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. For detailed information about the Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability, indicators of compromise, and the possible remediation, refer to the advisory published by Cisco.