Cisco has published a security advisory informing users about a zero-day vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software. This vulnerability (CVE-2017-3881) could allow an unauthenticated, remote attacker to execute code with elevated privileges and obtain full control of the affected device, or to cause the device to reload.
In CMP, Telnet is used internally as a signaling and command protocol between cluster members. The CVE-2017-3881 vulnerability may occur due to the following reasons:
The vulnerability is likely to affect over 300 Cisco devices. The list of the affected Cisco devices is available at the following location:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
As per the Cisco advisory, software updates will be released to address this vulnerability. However, currently, there are no workarounds that address this vulnerability.
Disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector. Disabling Telnet and using SSH is recommended by Cisco. For information on how to do both, refer to the Cisco Guide to Harden Cisco IOS Devices.
Customers who are unable or unwilling to disable the Telnet protocol can reduce the attack surface by implementing infrastructure access control lists (iACLs). For information about iACLs, refer to the following document: Protecting Your Core: Infrastructure Protection Access Control Lists
To verify whether Telnet is disabled on your Cisco devices, create a customized check in the CCS Standards Manager and run it. The evaluation results of the check run help you make informed decisions and secure your Cisco environment.
To create a customized simple check, refer to the following steps:
Check expression: CommandOutput does not contain match with
(line\svty\s\d+[\s\d]*\r?\n\s+transport\sinput(\spad|\smop|\sudptn|\sv120|\sssh)*\stelnet(\spad|\smop|\sudptn|\sv120|\sssh)*)|(line\svty\s\d+[\s\d]*\r?\n\s+transport\sinput\sall)|(line\svty\s\d+[\s\d]*\r?\nline)|(line\svty\s\d+[\s\d]*\r?\n?$)
Command run on the device: show running-config | include ^line vty|transport input
Note: The CommandWhitelist.ini file is present at <CCS Installation Directory>\Symantec\CCS\Reporting and Analytics\Application Server\PlatformSettings\Global\GenericDevices\Control\GenericDevices\ConfigFiles
Note: Whenever you modify the whitelisted commands in the configuration file, you must run the Sync Configuration job to make sure that the change is applied to future scans. The job updates the changes on all the CCS Managers.
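To see what the check expression above actually flags, here is an added Python example (it is not part of this article or of CCS) that applies the same regular expression to constructed samples of the command output. The check passes only when the pattern does not match; a match means a vty block explicitly allows telnet, allows all transports, or has no transport input statement at all.

```python
import re

# The regular expression from the check definition, copied unchanged.
# Used with "does not contain match with": any match means Telnet may be
# reachable on a vty line, so the device fails the check.
VTY_TELNET_PATTERN = re.compile(
    r"(line\svty\s\d+[\s\d]*\r?\n\s+transport\sinput(\spad|\smop|\sudptn|\sv120|\sssh)*"
    r"\stelnet(\spad|\smop|\sudptn|\sv120|\sssh)*)"
    r"|(line\svty\s\d+[\s\d]*\r?\n\s+transport\sinput\sall)"
    r"|(line\svty\s\d+[\s\d]*\r?\nline)"
    r"|(line\svty\s\d+[\s\d]*\r?\n?$)"
)


def telnet_allowed(command_output):
    """True when the pattern matches, i.e. the CCS check would FAIL."""
    return VTY_TELNET_PATTERN.search(command_output) is not None


def offending_vty_lines(command_output):
    """Return the 'line vty ...' header of every block the pattern flagged."""
    return [m.group(0).splitlines()[0].strip()
            for m in VTY_TELNET_PATTERN.finditer(command_output)]


# Constructed samples of what
# 'show running-config | include ^line vty|transport input' returns.
SSH_ONLY = "line vty 0 4\n transport input ssh\nline vty 5 15\n transport input ssh\n"
EXPLICIT_TELNET = "line vty 0 4\n transport input ssh\nline vty 5 15\n transport input ssh telnet\n"
TRANSPORT_ALL = "line vty 0 4\n transport input all\n"
NO_TRANSPORT_LINE = "line vty 0 4\nline vty 5 15\n transport input ssh\n"
TRAILING_VTY = "line vty 0 4\n transport input ssh\nline vty 5 15\n"
CRLF_TELNET = "line vty 0 4\r\n transport input telnet\r\n"

if __name__ == "__main__":
    samples = [("ssh only", SSH_ONLY), ("explicit telnet", EXPLICIT_TELNET),
               ("transport input all", TRANSPORT_ALL),
               ("vty without transport input", NO_TRANSPORT_LINE),
               ("vty at end of output", TRAILING_VTY), ("CRLF output", CRLF_TELNET)]
    for name, output in samples:
        verdict = "FAIL" if telnet_allowed(output) else "PASS"
        print(f"{name:30s} {verdict}  {offending_vty_lines(output)}")
```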
Disclaimer: The information in this article is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. For detailed information about the Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability, indicators of compromise, and the possible remediation, refer to the advisory published by Cisco.