Cisco IOS XE up to 16.5 LISP Request improper authentication
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
8.2 | $0-$5k | 0.00 |
A vulnerability, which was classified as critical, was found in Cisco IOS XE up to 16.5 (Router Operating System). Affected is an unknown code block of the component LISP. The manipulation as part of a Request leads to a improper authentication vulnerability. CWE is classifying the issue as CWE-287. When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:
A vulnerability in the implementation of the Locator/ID Separation Protocol (LISP) in Cisco IOS XE 3.2 through 16.5 could allow an unauthenticated, remote attacker using an x tunnel router to bypass authentication checks performed when registering an Endpoint Identifier (EID) to a Routing Locator (RLOC) in the map server/map resolver (MS/MR). The vulnerability is due to a logic error introduced via a code regression for the affected software. An attacker could exploit this vulnerability by sending specific valid map-registration requests, which will be accepted by the MS/MR even if the authentication keys do not match, to the affected software. A successful exploit could allow the attacker to inject invalid mappings of EIDs to RLOCs in the MS/MR of the affected software. This vulnerability affects Cisco devices that are configured with LISP acting as an IPv4 or IPv6 map server. This vulnerability affects Cisco IOS XE Software release trains 3.9E and Everest 16.4. Cisco Bug IDs: CSCvc18008.
The bug was discovered 09/27/2017. The weakness was presented 09/29/2017 with Cisco as cisco-sa-20170927-lisp as confirmed advisory (Website). The advisory is available at tools.cisco.com. This vulnerability is traded as CVE-2017-12236 since 08/03/2017. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. The technical details are unknown and an exploit is not available.
The vulnerability scanner Nessus provides a plugin with the ID 103695 (Cisco IOS XE Software Locator/ID Separation Protocol Authentication Bypass Vulnerability), which helps to determine the existence of the flaw in a target environment. It is assigned to the family CISCO and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 316156 (Cisco IOS XE Software Locator/ID Separation Protocol Authentication Bypass Vulnerability (cisco-sa-20170927-lisp)).
Upgrading eliminates this vulnerability. A possible mitigation has been published even before and not after the disclosure of the vulnerability.
The vulnerability is also documented in the vulnerability database at Tenable (103695). See 107241 for similar entry.
Product
Type
Vendor
Name
Version
License
Support
- end of life (old version)
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.5VulDB Meta Temp Score: 8.4
VulDB Base Score: 7.3
VulDB Temp Score: 7.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 9.8
NVD Vector: 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Improper authenticationCWE: CWE-287
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Nessus ID: 103695
Nessus Name: Cisco IOS XE Software Locator/ID Separation Protocol Authentication Bypass Vulnerability
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Timeline
08/03/2017 🔍09/27/2017 🔍
09/27/2017 🔍
09/27/2017 🔍
09/28/2017 🔍
09/29/2017 🔍
09/29/2017 🔍
10/06/2017 🔍
01/14/2021 🔍
Sources
Vendor: cisco.comAdvisory: cisco-sa-20170927-lisp
Researcher: Cisco
Organization: Cisco
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2017-12236 (🔍)
OVAL: 🔍
SecurityTracker: 1039448
SecurityFocus: 101033 - Cisco IOS XE Software CVE-2017-12236 Authentication Bypass Vulnerability
scip Labs: https://www.scip.ch/en/?labs.20150108
See also: 🔍
Entry
Created: 09/29/2017 12:01Updated: 01/14/2021 18:02
Changes: 09/29/2017 12:01 (73), 11/20/2019 13:13 (8), 01/14/2021 17:59 (2), 01/14/2021 18:02 (1)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.