nessusThis script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.CISCO-SA-20170317-CMP-IOS.NASL
HistoryMar 27, 2017 - 12:00 a.m.

Cisco IOS Cluster Management Protocol Telnet Option Handling RCE (cisco-sa-20170317-cmp)

2017-03-27 00:00:00
This script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
859

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.975

Percentile

100.0%

According to its self-reported version and configuration, the Cisco IOS software running on the remote device is affected by a remote code execution vulnerability in the Cluster Management Protocol (CMP) subsystem, caused by improper handling of CMP-specific Telnet options. An unauthenticated, remote attacker can exploit this by establishing a Telnet session that carries malformed CMP-specific Telnet options, resulting in arbitrary code execution. The finding is derived from the reported version and configuration, not from an exploitation attempt against the Telnet service.

#TRUSTED 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
#TRUST-RSA-SHA256 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
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Description mode: register the plugin's metadata (identifiers, cross-references,
# scoring, dependencies) and exit before any of the check logic below runs.
if (description)
{
  script_id(97991);
  script_version("1.18");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/25");

  # Cross-references that tie this finding to the CVE, the vendor bug ID and the
  # vendor advisory, so results can be correlated with other feeds.
  script_cve_id("CVE-2017-3881");
  script_bugtraq_id(96960);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvd48893");
  script_xref(name:"IAVA", value:"2017-A-0073");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170317-cmp");
  # NOTE(review): the value is a date; presumably the due date from the CISA
  # Known Exploited Vulnerabilities catalog - confirm against the catalog entry.
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/15");
  script_xref(name:"CEA-ID", value:"CEA-2019-0240");

  script_name(english:"Cisco IOS Cluster Management Protocol Telnet Option Handling RCE (cisco-sa-20170317-cmp)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  # The wording "self-reported version and configuration" matters when triaging:
  # the result comes from what the device reports, not from probing the flaw.
  script_set_attribute(attribute:"description", value:
"According to its self-reported version and configuration, the Cisco IOS software running on the remote device is
affected by a remote code execution vulnerability in the Cluster Management Protocol (CMP) subsystem due to improper
handling of CMP-specific Telnet options. An unauthenticated, remote attacker can exploit this by establishing a Telnet
session with malformed CMP-specific telnet options, to execute arbitrary code.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7cb68237");
  # Two remediation paths: upgrade to a fixed release, or disable incoming Telnet.
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvd48893. Alternatively, as a workaround, disable
the Telnet protocol for incoming connections.");
  # Base vectors: network-reachable, low complexity, no authentication or
  # privileges required, full C/I/A impact. Temporal vectors carry E:F
  # (functional exploit) with an official fix available and a confirmed report.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-3881");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # Disclosure and patch share the same date; the plugin followed ten days later.
  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/27");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  # Information-gathering category: the plugin is registered as a passive
  # collector rather than an attack or denial-of-service check.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Requires the IOS version key to be present; cisco_ios_version.nasl is the
  # declared dependency (presumably the plugin that populates that key).
  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

# Product details for 'Cisco IOS' obtained from the shared cisco:: helper; the
# 'port' and 'version' entries are read further down when the report is built.
var product_info = cisco::get_product_info(name:'Cisco IOS');

# IOS release strings treated as affected; passed to cisco::check_and_report()
# as vuln_versions. The plugin metadata ties them to Cisco bug ID CSCvd48893.
# NOTE(review): releases are enumerated one by one with no range logic visible
# in this file, so a release missing from the list is presumably not reported -
# confirm the matching rule in ccf.inc before treating a clean result as proof
# that a device runs a fixed release.
var version_list=make_list(
  '12.2(22)S',
  '12.2(20)S',
  '12.2(18)S',
  '12.2(25)S',
  '12.2(20)S2a',
  '12.2(20)S4a',
  '12.2(20)S5',
  '12.2(18)S1',
  '12.2(20)S4',
  '12.2(18)S2',
  '12.2(18)S4',
  '12.2(25)S2',
  '12.2(20)S2',
  '12.2(18)S3',
  '12.2(20)S6',
  '12.2(20)S3',
  '12.2(25)S1',
  '12.2(20)S1',
  '12.1(9)EX',
  '12.2(14)SZ',
  '12.2(14)SZ5',
  '12.2(14)SZ6',
  '12.2(14)SZ3',
  '12.2(14)SZ4',
  '12.2(14)SZ1',
  '12.2(14)SZ2',
  '12.2(25)EW',
  '12.2(20)EWA',
  '12.2(25)EWA',
  '12.2(25)EWA6',
  '12.2(25)EWA5',
  '12.2(25)EWA1',
  '12.2(25)EWA10',
  '12.2(25)EWA8',
  '12.2(20)EWA1',
  '12.2(25)EWA11',
  '12.2(25)EWA9',
  '12.2(25)EWA2',
  '12.2(25)EWA14',
  '12.2(25)EWA4',
  '12.2(20)EWA3',
  '12.2(25)EWA3',
  '12.2(25)EWA7',
  '12.2(20)EWA4',
  '12.2(25)EWA12',
  '12.2(25)EWA13',
  '12.2(20)EWA2',
  '12.2(35)SE',
  '12.2(18)SE',
  '12.2(20)SE',
  '12.2(25)SE',
  '12.2(37)SE',
  '12.2(53)SE1',
  '12.2(55)SE',
  '12.2(25)SE2',
  '12.2(40)SE2',
  '12.2(46)SE',
  '12.2(46)SE2',
  '12.2(50)SE2',
  '12.2(35)SE5',
  '12.2(50)SE1',
  '12.2(44)SE2',
  '12.2(20)SE3',
  '12.2(35)SE1',
  '12.2(50)SE5',
  '12.2(44)SE1',
  '12.2(53)SE',
  '12.2(37)SE1',
  '12.2(25)SE3',
  '12.2(35)SE3',
  '12.2(44)SE4',
  '12.2(55)SE3',
  '12.2(55)SE2',
  '12.2(40)SE',
  '12.2(44)SE',
  '12.2(52)SE',
  '12.2(58)SE',
  '12.2(50)SE3',
  '12.2(55)SE1',
  '12.2(35)SE2',
  '12.2(18)SE1',
  '12.2(40)SE1',
  '12.2(20)SE1',
  '12.2(44)SE6',
  '12.2(44)SE3',
  '12.2(53)SE2',
  '12.2(52)SE1',
  '12.2(46)SE1',
  '12.2(20)SE2',
  '12.2(54)SE',
  '12.2(44)SE5',
  '12.2(50)SE4',
  '12.2(50)SE',
  '12.2(20)SE4',
  '12.2(58)SE1',
  '12.2(55)SE4',
  '12.2(58)SE2',
  '12.2(55)SE5',
  '12.2(55)SE6',
  '12.2(55)SE7',
  '12.2(55)SE8',
  '12.2(55)SE9',
  '12.2(55)SE10',
  '12.2(55)SE11',
  '12.1(14)AZ',
  '12.2(20)EU',
  '12.2(20)EU1',
  '12.2(20)EU2',
  '12.2(20)EX',
  '12.2(44)EX',
  '12.2(40)EX3',
  '12.2(40)EX',
  '12.2(52)EX',
  '12.2(44)EX1',
  '12.2(40)EX2',
  '12.2(40)EX1',
  '12.2(55)EX',
  '12.2(46)EX',
  '12.2(52)EX1',
  '12.2(55)EX1',
  '12.2(55)EX2',
  '12.2(55)EX3',
  '12.2(58)EX',
  '12.2(25)SEB',
  '12.2(25)SEB2',
  '12.2(25)SEB1',
  '12.2(25)SEB4',
  '12.2(25)SEB3',
  '12.2(25)SEA',
  '12.2(25)EY',
  '12.2(46)EY',
  '12.2(55)EY',
  '12.2(25)EY1',
  '12.2(53)EY',
  '12.2(25)EY3',
  '12.2(37)EY',
  '12.2(25)EY2',
  '12.2(25)EY4',
  '12.2(25)EZ',
  '12.2(25)EZ1',
  '12.2(58)EZ',
  '12.2(53)EZ',
  '12.2(55)EZ',
  '12.2(60)EZ4',
  '12.2(60)EZ5',
  '12.2(25)SEC',
  '12.2(25)SEC2',
  '12.2(25)SEC1',
  '12.2(31)SG',
  '12.2(25)SG',
  '12.2(37)SG',
  '12.2(44)SG',
  '12.2(50)SG3',
  '12.2(31)SG1',
  '12.2(53)SG',
  '12.2(31)SG3',
  '12.2(50)SG6',
  '12.2(53)SG1',
  '12.2(46)SG',
  '12.2(25)SG1',
  '12.2(53)SG2',
  '12.2(50)SG5',
  '12.2(37)SG1',
  '12.2(53)SG3',
  '12.2(50)SG8',
  '12.2(25)SG3',
  '12.2(50)SG2',
  '12.2(40)SG',
  '12.2(25)SG2',
  '12.2(54)SG1',
  '12.2(44)SG1',
  '12.2(50)SG1',
  '12.2(52)SG',
  '12.2(54)SG',
  '12.2(31)SG2',
  '12.2(50)SG',
  '12.2(25)SG4',
  '12.2(50)SG7',
  '12.2(53)SG4',
  '12.2(50)SG4',
  '12.2(46)SG1',
  '12.2(53)SG5',
  '12.2(53)SG6',
  '12.2(53)SG7',
  '12.2(53)SG8',
  '12.2(53)SG9',
  '12.2(53)SG10',
  '12.2(53)SG11',
  '12.2(25)FX',
  '12.2(25)FY',
  '12.2(25)SEF',
  '12.2(25)SEF1',
  '12.2(25)SEF2',
  '12.2(25)SEF3',
  '12.2(25)SEE',
  '12.2(25)SEE1',
  '12.2(25)SEE3',
  '12.2(25)SEE4',
  '12.2(25)SEE2',
  '12.2(25)SED',
  '12.2(25)SED1',
  '12.2(31)SGA',
  '12.2(31)SGA3',
  '12.2(31)SGA2',
  '12.2(31)SGA10',
  '12.2(31)SGA5',
  '12.2(31)SGA4',
  '12.2(31)SGA11',
  '12.2(31)SGA6',
  '12.2(31)SGA1',
  '12.2(31)SGA7',
  '12.2(31)SGA8',
  '12.2(31)SGA9',
  '12.2(25)SEG',
  '12.2(25)SEG1',
  '12.2(25)SEG3',
  '12.2(25)FZ',
  '12.2(44)SQ',
  '12.2(44)SQ2',
  '12.2(50)SQ2',
  '12.2(50)SQ1',
  '12.2(50)SQ',
  '12.2(50)SQ3',
  '12.2(50)SQ4',
  '12.2(50)SQ5',
  '12.2(50)SQ6',
  '12.2(50)SQ7',
  '15.0(1)XO1',
  '15.0(1)XO',
  '15.0(2)XO',
  '15.0(1)EY',
  '15.0(1)EY1',
  '15.0(1)EY2',
  '15.0(2)EY',
  '15.0(2)EY1',
  '15.0(2)EY2',
  '15.0(2)EY3',
  '12.2(54)WO',
  '12.2(27)SBK9',
  '15.0(1)SE',
  '15.0(2)SE',
  '15.0(1)SE1',
  '15.0(1)SE2',
  '15.0(1)SE3',
  '15.0(2)SE1',
  '15.0(2)SE2',
  '15.0(2)SE3',
  '15.0(2)SE4',
  '15.0(2)SE5',
  '15.0(2)SE6',
  '15.0(2)SE7',
  '15.0(2)SE8',
  '15.0(2)SE9',
  '15.0(2a)SE9',
  '15.0(2)SE10',
  '15.0(2)SE10a',
  '15.1(1)SG',
  '15.1(2)SG',
  '15.1(1)SG1',
  '15.1(1)SG2',
  '15.1(2)SG1',
  '15.1(2)SG2',
  '15.1(2)SG3',
  '15.1(2)SG4',
  '15.1(2)SG5',
  '15.1(2)SG6',
  '15.1(2)SG7',
  '15.1(2)SG8',
  '15.0(2)SG',
  '15.0(2)SG1',
  '15.0(2)SG2',
  '15.0(2)SG3',
  '15.0(2)SG4',
  '15.0(2)SG5',
  '15.0(2)SG6',
  '15.0(2)SG7',
  '15.0(2)SG8',
  '15.0(2)SG9',
  '15.0(2)SG10',
  '15.0(2)SG11',
  '15.0(2)EX',
  '15.0(2)EX1',
  '15.0(2)EX2',
  '15.0(2)EX3',
  '15.0(2)EX4',
  '15.0(2)EX5',
  '15.0(2)EX6',
  '15.0(2)EX7',
  '15.0(2)EX8',
  '15.0(2a)EX5',
  '15.0(2)EX10',
  '15.0(2)EX11',
  '15.0(2)EX13',
  '15.0(2)EX12',
  '15.2(1)E',
  '15.2(2)E',
  '15.2(1)E1',
  '15.2(3)E',
  '15.2(1)E2',
  '15.2(1)E3',
  '15.2(2)E1',
  '15.2(2b)E',
  '15.2(4)E',
  '15.2(3)E1',
  '15.2(2)E2',
  '15.2(2a)E1',
  '15.2(2)E3',
  '15.2(2a)E2',
  '15.2(3)E2',
  '15.2(3a)E',
  '15.2(3)E3',
  '15.2(3m)E2',
  '15.2(4)E1',
  '15.2(2)E4',
  '15.2(2)E5',
  '15.2(4)E2',
  '15.2(4m)E1',
  '15.2(3)E4',
  '15.2(5)E',
  '15.2(3m)E7',
  '15.2(4)E3',
  '15.2(2)E6',
  '15.2(5a)E',
  '15.2(5)E1',
  '15.2(5b)E',
  '15.2(4m)E3',
  '15.2(3m)E8',
  '15.2(2)E5a',
  '15.2(5c)E',
  '15.2(3)E5',
  '15.2(2)E5b',
  '15.2(4n)E2',
  '15.2(4o)E2',
  '15.2(5a)E1',
  '15.2(4p)E1',
  '15.2(4m)E2',
  '15.2(4o)E3',
  '15.2(4q)E1',
  '15.2(4s)E1',
  '15.2(4s)E2',
  '15.0(2)EZ',
  '15.2(2)SC3',
  '15.2(1)EY',
  '15.0(2)EJ',
  '15.0(2)EJ1',
  '15.2(2)EB',
  '15.2(2)EB1',
  '15.2(2)EB2',
  '15.2(2)EA',
  '15.2(2)EA1',
  '15.2(2)EA2',
  '15.2(3)EA',
  '15.2(4)EA',
  '15.2(4)EA1',
  '15.2(2)EA3',
  '15.2(4)EA3',
  '15.2(5)EA',
  '15.2(4)EA4',
  '15.2(4)EA2',
  '15.2(4)EA5',
  '15.0(2)SQD',
  '15.0(2)SQD1',
  '15.0(2)SQD2',
  '15.0(2)SQD3',
  '15.0(2)SQD4',
  '15.0(2)SQD5',
  '15.2(4)EC1',
  '15.2(4)EC2',
  '15.1(3)SVS',
  '15.1(3)SVT1'
);

# Single workaround entry, looked up under the key 'ios_iosxe_telnet'.
# NOTE(review): presumably this lets the framework take the device's Telnet
# configuration into account, in line with the "disable the Telnet protocol for
# incoming connections" workaround in the solution text - confirm in
# cisco_workarounds.inc.
var workarounds = make_list(
  CISCO_WORKAROUNDS['ios_iosxe_telnet']
);

# Fields for the report: port and version come from product_info, severity is
# SECURITY_HOLE, and bug_id repeats the Cisco bug ID from the plugin metadata.
# NOTE(review): 'cmds' presumably names the device command whose output backs
# the configuration check - confirm in ccf.inc.
var reporting = make_array(
  'port' , product_info['port'],
  'severity' , SECURITY_HOLE,
  'bug_id'   , 'CSCvd48893',
  'cmds'     , make_list('show running-config'),
  'version'  , product_info['version']
);

# Hand the product details, workaround entry, report fields and affected-release
# list to the shared Cisco helper. Nothing in this file contacts the Telnet
# service itself; the decision is presumably made inside the helper from the
# detected version and collected configuration - confirm in ccf.inc.
cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  reporting:reporting,
  vuln_versions:version_list
);

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.975

Percentile

100.0%