Vulnerabilities > CVE-2017-3859 - Use of Externally-Controlled Format String vulnerability in Cisco IOS XE
Summary
A vulnerability in the DHCP code for the Zero Touch Provisioning feature of Cisco ASR 920 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to a format string vulnerability when processing a crafted DHCP packet for Zero Touch Provisioning. An attacker could exploit this vulnerability by sending a specially crafted DHCP packet to an affected device. An exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition. This vulnerability affects Cisco ASR 920 Series Aggregation Services Routers that are running an affected release of Cisco IOS XE Software (3.13 through 3.18) and are listening on the DHCP server port. By default, the devices do not listen on the DHCP server port. Cisco Bug IDs: CSCuy56385.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Format String Injection An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
- String Format Overflow in syslog() This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
Nessus
NASL family | CISCO |
NASL id | CISCO-SA-20170322-ZTP.NASL |
description | According to its self-reported version, the Cisco IOS XE software running on the remote Cisco ASR 920 Series device is affected by a denial of service vulnerability due to a format string flaw when processing DHCP packets for Zero Touch Provisioning. An unauthenticated, remote attacker can exploit this issue, via a specially crafted DHCP packet, to cause the device to reload. Note that for this vulnerability to be exploited, the device must be configured to listen on the DHCP server port. By default, the device does not listen on this port. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 99033 |
published | 2017-03-29 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/99033 |
title | Cisco IOS XE for Cisco ASR 920 Series Routers Zero Touch Provisioning DoS (cisco-sa-20170322-ztp) |
code |
|
References
- http://www.securityfocus.com/bid/97008
- http://www.securityfocus.com/bid/97008
- http://www.securitytracker.com/id/1038104
- http://www.securitytracker.com/id/1038104
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-ztp
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-ztp