10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
0.975 High
EPSS
Percentile
100.0%
A vulnerability in the Cisco Cluster Management Protocol (CMP) processing
code in Cisco IOS Software could allow an unauthenticated, remote attacker to cause a reload of an affected
device or remotely execute code with elevated privileges.
# SPDX-FileCopyrightText: 2017 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/o:cisco:ios";
if (description)
{
script_oid("1.3.6.1.4.1.25623.1.0.106670");
script_xref(name:"CISA", value:"Known Exploited Vulnerability (KEV) catalog");
script_xref(name:"URL", value:"https://www.cisa.gov/known-exploited-vulnerabilities-catalog");
script_cve_id("CVE-2017-3881");
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_version("2023-07-25T05:05:58+0000");
script_name("Cisco IOS Software Cluster Management Protocol Remote Code Execution Vulnerability");
script_xref(name:"URL", value:"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
script_tag(name:"solution", value:"See the referenced vendor advisory for a solution.");
script_tag(name:"summary", value:"A vulnerability in the Cisco Cluster Management Protocol (CMP) processing
code in Cisco IOS Software could allow an unauthenticated, remote attacker to cause a reload of an affected
device or remotely execute code with elevated privileges.");
script_tag(name:"insight", value:"The Cluster Management Protocol utilizes Telnet internally as a signaling
and command protocol between cluster members. The vulnerability is due to the combination of two factors:
- The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between
cluster members and instead accept and process such options over any Telnet connection to an affected device, and
- The incorrect processing of malformed CMP-specific Telnet options.
An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing
a Telnet session with an affected Cisco device configured to accept Telnet connections.");
script_tag(name:"impact", value:"An exploit could allow an attacker to execute arbitrary code and obtain full
control of the device or cause a reload of the affected device.");
script_tag(name:"qod_type", value:"package");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"last_modification", value:"2023-07-25 05:05:58 +0000 (Tue, 25 Jul 2023)");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2020-08-07 20:08:00 +0000 (Fri, 07 Aug 2020)");
script_tag(name:"creation_date", value:"2017-03-20 09:25:26 +0700 (Mon, 20 Mar 2017)");
script_category(ACT_GATHER_INFO);
script_family("CISCO");
script_copyright("Copyright (C) 2017 Greenbone AG");
script_dependencies("gb_ssh_cisco_ios_get_version.nasl");
script_mandatory_keys("cisco_ios/version", "cisco_ios/image");
exit(0);
}
include("host_details.inc");
include("version_func.inc");
image = get_kb_item("cisco_ios/image");
if (!image || (image !~ "^C23(5|6)0" && image !~ "^C29(18|28|60|70|75)" && image !~ "^C35(50|60)" &&
image !~ "^C3750" && image !~ "^C4(0|5)00" && image !~ "^C49(00|28|48)" &&
image !~ "^WS-CBS30(12|20|30|32|40)" && image !~ "^WS-CBS31(1|2|3)0" && image !~ "^IE(2|3|4|5)000" &&
image !~ "^IE(3|4)010"))
exit(99);
if( ! version = get_app_version( cpe:CPE ) ) exit( 0 );
affected = make_list(
'12.1(11)EA1',
'12.1(11)EA1a',
'12.1(12c)EA1',
'12.1(12c)EA1a',
'12.1(13)EA1',
'12.1(13)EA1a',
'12.1(13)EA1b',
'12.1(13)EA1c',
'12.1(14)AZ',
'12.1(14)EA1',
'12.1(14)EA1a',
'12.1(14)EA1b',
'12.1(19)EA1',
'12.1(19)EA1a',
'12.1(19)EA1b',
'12.1(19)EA1c',
'12.1(19)EA1d',
'12.1(20)EA1',
'12.1(20)EA1a',
'12.1(20)EA2',
'12.1(22)EA1',
'12.1(22)EA10',
'12.1(22)EA10a',
'12.1(22)EA10b',
'12.1(22)EA11',
'12.1(22)EA12',
'12.1(22)EA13',
'12.1(22)EA14',
'12.1(22)EA1a',
'12.1(22)EA1b',
'12.1(22)EA2',
'12.1(22)EA3',
'12.1(22)EA4',
'12.1(22)EA4a',
'12.1(22)EA5',
'12.1(22)EA5a',
'12.1(22)EA6',
'12.1(22)EA6a',
'12.1(22)EA7',
'12.1(22)EA8',
'12.1(22)EA8a',
'12.1(22)EA9',
'12.1(6)EA1',
'12.1(8)EA1c',
'12.1(9)EA1',
'12.2(137)SG',
'12.2(144)SG',
'12.2(18)S',
'12.2(18)SE',
'12.2(18)SE1',
'12.2(20)EU',
'12.2(20)EU1',
'12.2(20)EU2',
'12.2(20)EWA',
'12.2(20)EWA1',
'12.2(20)EWA2',
'12.2(20)EWA3',
'12.2(20)EWA4',
'12.2(20)EX',
'12.2(20)SE',
'12.2(20)SE1',
'12.2(20)SE2',
'12.2(20)SE3',
'12.2(20)SE4',
'12.2(25)EW',
'12.2(25)EWA',
'12.2(25)EWA1',
'12.2(25)EWA10',
'12.2(25)EWA11',
'12.2(25)EWA12',
'12.2(25)EWA13',
'12.2(25)EWA14',
'12.2(25)EWA2',
'12.2(25)EWA3',
'12.2(25)EWA4',
'12.2(25)EWA5',
'12.2(25)EWA6',
'12.2(25)EWA7',
'12.2(25)EWA8',
'12.2(25)EWA9',
'12.2(25)EY',
'12.2(25)EY1',
'12.2(25)EY2',
'12.2(25)EY3',
'12.2(25)EY4',
'12.2(25)EZ',
'12.2(25)EZ1',
'12.2(25)FX',
'12.2(25)FY',
'12.2(25)FZ',
'12.2(25)S',
'12.2(25)S1',
'12.2(25)SE',
'12.2(25)SE1',
'12.2(25)SE2',
'12.2(25)SE3',
'12.2(25)SEA',
'12.2(25)SEB',
'12.2(25)SEB1',
'12.2(25)SEB2',
'12.2(25)SEB3',
'12.2(25)SEB4',
'12.2(25)SEC',
'12.2(25)SEC1',
'12.2(25)SEC2',
'12.2(25)SED',
'12.2(25)SED1',
'12.2(25)SEE',
'12.2(25)SEE1',
'12.2(25)SEE2',
'12.2(25)SEE3',
'12.2(25)SEE4',
'12.2(25)SEF1',
'12.2(25)SEF2',
'12.2(25)SEF3',
'12.2(25)SEG',
'12.2(25)SEG1',
'12.2(25)SEG3',
'12.2(25)SG',
'12.2(25)SG1',
'12.2(25)SG2',
'12.2(25)SG3',
'12.2(25)SG4',
'12.2(31)SG',
'12.2(31)SG1',
'12.2(31)SG2',
'12.2(31)SG3',
'12.2(31)SGA',
'12.2(31)SGA1',
'12.2(31)SGA10',
'12.2(31)SGA11',
'12.2(31)SGA2',
'12.2(31)SGA3',
'12.2(31)SGA4',
'12.2(31)SGA5',
'12.2(31)SGA6',
'12.2(31)SGA7',
'12.2(31)SGA8',
'12.2(31)SGA9',
'12.2(35)SE',
'12.2(35)SE1',
'12.2(35)SE2',
'12.2(35)SE3',
'12.2(35)SE5',
'12.2(37)EY',
'12.2(37)SE',
'12.2(37)SE1',
'12.2(37)SG',
'12.2(37)SG1',
'12.2(40)EX',
'12.2(40)EX1',
'12.2(40)EX2',
'12.2(40)EX3',
'12.2(40)SE',
'12.2(40)SE1',
'12.2(40)SE2',
'12.2(40)SG',
'12.2(40)XO',
'12.2(44)EX',
'12.2(44)EX1',
'12.2(44)SE',
'12.2(44)SE1',
'12.2(44)SE2',
'12.2(44)SE3',
'12.2(44)SE4',
'12.2(44)SE5',
'12.2(44)SE6',
'12.2(44)SG',
'12.2(44)SG1',
'12.2(44)SQ',
'12.2(44)SQ2',
'12.2(46)EX',
'12.2(46)EY',
'12.2(46)SE',
'12.2(46)SE1',
'12.2(46)SE2',
'12.2(46)SG',
'12.2(46)SG1',
'12.2(50)SE',
'12.2(50)SE1',
'12.2(50)SE2',
'12.2(50)SE3',
'12.2(50)SE4',
'12.2(50)SE5',
'12.2(50)SG',
'12.2(50)SG1',
'12.2(50)SG2',
'12.2(50)SG3',
'12.2(50)SG4',
'12.2(50)SG5',
'12.2(50)SG6',
'12.2(50)SG7',
'12.2(50)SG8',
'12.2(50)SQ',
'12.2(50)SQ1',
'12.2(50)SQ2',
'12.2(50)SQ3',
'12.2(50)SQ4',
'12.2(50)SQ5',
'12.2(50)SQ6',
'12.2(50)SQ7',
'12.2(52)EX',
'12.2(52)EX1',
'12.2(52)SE',
'12.2(52)SE1',
'12.2(52)SG',
'12.2(52)XO',
'12.2(53)EY',
'12.2(53)EZ',
'12.2(53)SE',
'12.2(53)SE1',
'12.2(53)SE2',
'12.2(53)SG',
'12.2(53)SG1',
'12.2(53)SG10',
'12.2(53)SG11',
'12.2(53)SG2',
'12.2(53)SG3',
'12.2(53)SG4',
'12.2(53)SG5',
'12.2(53)SG6',
'12.2(53)SG7',
'12.2(53)SG8',
'12.2(53)SG9',
'12.2(54)SE',
'12.2(54)SG',
'12.2(54)SG1',
'12.2(54)WO',
'12.2(54)XO',
'12.2(55)EX',
'12.2(55)EX1',
'12.2(55)EX2',
'12.2(55)EX3',
'12.2(55)EY',
'12.2(55)EZ',
'12.2(55)SE',
'12.2(55)SE1',
'12.2(55)SE10',
'12.2(55)SE11',
'12.2(55)SE2',
'12.2(55)SE3',
'12.2(55)SE4',
'12.2(55)SE5',
'12.2(55)SE6',
'12.2(55)SE7',
'12.2(55)SE8',
'12.2(55)SE9',
'12.2(58)EX',
'12.2(58)EZ',
'12.2(58)SE',
'12.2(58)SE1',
'12.2(58)SE2',
'12.2(60)EZ4',
'12.2(60)EZ5',
'15.0(1)EY',
'15.0(1)EY1',
'15.0(1)EY2',
'15.0(1)SE',
'15.0(1)SE1',
'15.0(1)SE2',
'15.0(1)SE3',
'15.0(1)XO',
'15.0(1)XO1',
'15.0(2)EB',
'15.0(2)EC',
'15.0(2)ED',
'15.0(2)EJ',
'15.0(2)EJ1',
'15.0(2)EX',
'15.0(2)EX1',
'15.0(2)EX10',
'15.0(2)EX2',
'15.0(2)EX3',
'15.0(2)EX4',
'15.0(2)EX5',
'15.0(2)EX8',
'15.0(2)EY',
'15.0(2)EY1',
'15.0(2)EY2',
'15.0(2)EY3',
'15.0(2)EZ',
'15.0(2)SE',
'15.0(2)SE1',
'15.0(2)SE10',
'15.0(2)SE10a',
'15.0(2)SE11',
'15.0(2)SE2',
'15.0(2)SE3',
'15.0(2)SE4',
'15.0(2)SE5',
'15.0(2)SE6',
'15.0(2)SE7',
'15.0(2)SE8',
'15.0(2)SE9',
'15.0(2)SG',
'15.0(2)SG1',
'15.0(2)SG10',
'15.0(2)SG11',
'15.0(2)SG2',
'15.0(2)SG3',
'15.0(2)SG4',
'15.0(2)SG5',
'15.0(2)SG6',
'15.0(2)SG7',
'15.0(2)SG8',
'15.0(2)SG9',
'15.0(2)SQD',
'15.0(2)SQD1',
'15.0(2)SQD2',
'15.0(2)SQD3',
'15.0(2)SQD4',
'15.0(2)SQD5',
'15.0(2)XO',
'15.0(2a)EX5',
'15.0(2a)SE9',
'15.1(1)SG',
'15.1(1)SG1',
'15.1(1)SG2',
'15.1(2)SG',
'15.1(2)SG1',
'15.1(2)SG2',
'15.1(2)SG3',
'15.1(2)SG4',
'15.1(2)SG5',
'15.1(2)SG6',
'15.1(2)SG7',
'15.1(2)SG7a',
'15.1(2)SG8',
'15.1(2)SG9',
'15.2(1)E',
'15.2(1)E1',
'15.2(1)E2',
'15.2(1)E3',
'15.2(1)EY',
'15.2(2)E',
'15.2(2)E1',
'15.2(2)E2',
'15.2(2)E3',
'15.2(2)E4',
'15.2(2)E5',
'15.2(2)E5a',
'15.2(2)E5b',
'15.2(2)E6',
'15.2(2)EB',
'15.2(2)EB1',
'15.2(2)EB2',
'15.2(2a)E1',
'15.2(2a)E2',
'15.2(3)E',
'15.2(3)E1',
'15.2(3)E2',
'15.2(3)E3',
'15.2(3)E4',
'15.2(3)E5',
'15.2(3)EX',
'15.2(3a)E',
'15.2(3a)E1',
'15.2(3m)E2',
'15.2(3m)E3',
'15.2(3m)E6',
'15.2(3m)E8',
'15.2(4)E',
'15.2(4)E1',
'15.2(4)E2',
'15.2(4)E3',
'15.2(4)EC',
'15.2(4)EC1',
'15.2(4)EC2',
'15.2(4m)E1',
'15.2(4m)E3',
'15.2(4n)E2',
'15.2(4o)E2',
'15.2(4p)E1',
'15.2(5)E',
'15.2(5)E1',
'15.2(5)EX',
'15.2(5a)E',
'15.2(5a)E1',
'15.2(5b)E',
'15.2(5c)E' );
foreach af ( affected )
{
if( version == af )
{
report = report_fixed_ver( installed_version:version, fixed_version: "See advisory" );
security_message( port:0, data:report );
exit( 0 );
}
}
exit( 99 );
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
0.975 High
EPSS
Percentile
100.0%