Cisco has published a security advisory informing users about a zero-day vulnerability that is detected in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software. This vulnerability (CVE-2017-3881) could allow an unauthenticated, remote attacker to execute malicious code with elevated privileges and obtain full control of the affected device or cause a reload of the device.
In CMP, Telnet is used internally as a signaling and command protocol between cluster members. The CVE-2017-3881 vulnerability may occur due to the following reasons:
The vulnerability is likely to affect over 300 Cisco devices. The list of the affected Cisco devices is available at the following location:
As per the Cisco advisory, software updates will be released to address this vulnerability. However, currently, there are no workarounds that address this vulnerability.
Disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector. Disabling Telnet and using SSH is recommended by Cisco. For information on how to do both, refer to the Cisco Guide to Harden Cisco IOS Devices.
Customers who are unable or unwilling to disable the Telnet protocol can reduce the attack surface by implementing infrastructure access control lists (iACLs). For information about iACLs, refer to the following document: Protecting Your Core: Infrastructure Protection Access Control Lists
To verify whether Telnet is disabled on your Cisco devices, you must create a customized check in the CCS Standards Manager and run it. The evaluation results from the check run will help you take informed decisions and secure your Cisco environment.
To create a customized simple check, refer to the following steps:
CommandOutput does not contain match with
show running-config | include ^line vty|transport input
Note: The CommandWhitelist.ini file is present at <CCS Installation Directory>\Symantec\CCS\Reporting and Analytics\Application Server\PlatformSettings\Global\GenericDevices\Control\GenericDevices\ConfigFiles
Note: Whenever you modify the whitelisted commands in the configuration file, you must run the Sync Configuration job to make sure that the change is applied to future scans. The job updates the changes on all the CCS Managers.
Disclaimer: The information in this article is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. For detailed information about the Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability, indicators of compromise, and the possible remediation, refer to the advisory published by Cisco.