
CVE-2017-3881

Published: 17/03/2017 Updated: 16/08/2017
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote malicious user to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow a malicious user to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. Cisco Bug IDs: CSCvd48893.
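A defender's exposure check, added here as an example that is not part of this page or of any Cisco tool: it parses a Cisco IOS running-config and reports the VTY line ranges that still accept Telnet, since the bug is only reachable over a Telnet session to a device configured to accept Telnet connections. The config text is constructed; `line vty` and `transport input` are standard IOS commands, and the assumption that an unset `transport input` may fall back to a Telnet-allowing platform default is stated in the code.

```python
import re

# Constructed sample running-config (not from a real device): the first
# VTY range still allows Telnet, the second is SSH-only.
SAMPLE_CONFIG = """\
line vty 0 4
 transport input telnet
 login local
line vty 5 15
 transport input ssh
!
end
"""

def vty_transports(config):
    """Map each 'line vty A [B]' block to its 'transport input' value (None if unset)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", line)
        if m:
            current = "vty %s-%s" % (m.group(1), m.group(2) or m.group(1))
            blocks[current] = None
        elif current is None:
            continue
        elif line and not line.startswith(" "):
            current = None  # '!' or another top-level command ends the stanza
        else:
            t = re.match(r"^\s+transport input (.+)$", line)
            if t:
                blocks[current] = t.group(1).strip()
    return blocks

def telnet_exposed_vtys(config):
    """Return (range, reason) for each VTY range on which a Telnet session can be opened,
    i.e. where CMP Telnet options would be parsed. An unset 'transport input' is
    flagged too, on the assumption that the platform default may allow Telnet."""
    exposed = []
    for rng, transport in vty_transports(config).items():
        if transport is None:
            exposed.append((rng, "transport input not set (default may allow telnet)"))
        elif {"telnet", "all"} & set(transport.split()):
            exposed.append((rng, "transport input " + transport))
    return exposed

if __name__ == "__main__":
    for rng, why in telnet_exposed_vtys(SAMPLE_CONFIG):
        print("%s: %s" % (rng, why))
```

Run it against the output of `show running-config`; any range it lists should be switched to `transport input ssh` (or the device patched) before it is considered out of scope for this advisory.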

Affected Products

Vendor | Product | Versions
Cisco | IOS | -, 12.1(6)ea1, 12.1(8)ea1c, 12.1(9)ea1, 12.1(11)ea1, 12.1(11)ea1a, 12.1(12c)ea1, 12.1(12c)ea1a, 12.1(13)ea1, 12.1(13)ea1a, 12.1(13)ea1b, 12.1(13)ea1c, 12.1(14)az, 12.1(14)ea1, 12.1(14)ea1a, 12.1(14)ea1b, 12.1(19)ea1, 12.1(19)ea1a, 12.1(19)ea1b, 12.1(19)ea1c, 12.1(19)ea1d, 12.1(20)ea1, 12.1(20)ea1a, 12.1(20)ea2, 12.1(22)ea1, 12.1(22)ea1a, 12.1(22)ea1b, 12.1(22)ea2, 12.1(22)ea3, 12.1(22)ea4, 12.1(22)ea4a, 12.1(22)ea5, 12.1(22)ea5a, 12.1(22)ea6, 12.1(22)ea6a, 12.1(22)ea7, 12.1(22)ea8, 12.1(22)ea8a, 12.1(22)ea9, 12.1(22)ea10, 12.1(22)ea10a, 12.1(22)ea10b, 12.1(22)ea11, 12.1(22)ea12, 12.1(22)ea13, 12.1(22)ea14, 12.2(18)s, 12.2(18)se, 12.2(18)se1, 12.2(20)eu, 12.2(20)eu1, 12.2(20)eu2, 12.2(20)ewa, 12.2(20)ewa1, 12.2(20)ewa2, 12.2(20)ewa3, 12.2(20)ewa4, 12.2(20)ex, 12.2(20)se, 12.2(20)se1, 12.2(20)se2, 12.2(20)se3, 12.2(20)se4, 12.2(25)ew, 12.2(25)ewa, 12.2(25)ewa1, 12.2(25)ewa2, 12.2(25)ewa3, 12.2(25)ewa4, 12.2(25)ewa5, 12.2(25)ewa6, 12.2(25)ewa7, 12.2(25)ewa8, 12.2(25)ewa9, 12.2(25)ewa10, 12.2(25)ewa11, 12.2(25)ewa12, 12.2(25)ewa13, 12.2(25)ewa14, 12.2(25)ey, 12.2(25)ey1, 12.2(25)ey2, 12.2(25)ey3, 12.2(25)ey4, 12.2(25)ez, 12.2(25)ez1, 12.2(25)fx, 12.2(25)fy, 12.2(25)fz, 12.2(25)s, 12.2(25)s1, 12.2(25)se, 12.2(25)se1, 12.2(25)se2, 12.2(25)se3, 12.2(25)sea, 12.2(25)seb, 12.2(25)seb1, 12.2(25)seb2, 12.2(25)seb3, 12.2(25)seb4, 12.2(25)sec, 12.2(25)sec1, 12.2(25)sec2, 12.2(25)sed, 12.2(25)sed1, 12.2(25)see, 12.2(25)see1, 12.2(25)see2, 12.2(25)see3, 12.2(25)see4, 12.2(25)sef1, 12.2(25)sef2, 12.2(25)sef3, 12.2(25)seg, 12.2(25)seg1, 12.2(25)seg3, 12.2(25)sg, 12.2(25)sg1, 12.2(25)sg2, 12.2(25)sg3, 12.2(25)sg4, 12.2(31)sg, 12.2(31)sg1, 12.2(31)sg2, 12.2(31)sg3, 12.2(31)sga, 12.2(31)sga1, 12.2(31)sga2, 12.2(31)sga3, 12.2(31)sga4, 12.2(31)sga5, 12.2(31)sga6, 12.2(31)sga7, 12.2(31)sga8, 12.2(31)sga9, 12.2(31)sga10, 12.2(31)sga11, 12.2(35)se, 12.2(35)se1, 12.2(35)se2, 12.2(35)se3, 12.2(35)se5, 12.2(37)ey, 12.2(37)se, 12.2(37)se1, 12.2(37)sg, 12.2(37)sg1, 12.2(40)ex, 
12.2(40)ex1, 12.2(40)ex2, 12.2(40)ex3, 12.2(40)se, 12.2(40)se1, 12.2(40)se2, 12.2(40)sg, 12.2(40)xo, 12.2(44)ex, 12.2(44)ex1, 12.2(44)se, 12.2(44)se1, 12.2(44)se2, 12.2(44)se3, 12.2(44)se4, 12.2(44)se5, 12.2(44)se6, 12.2(44)sg, 12.2(44)sg1, 12.2(44)sq, 12.2(44)sq2, 12.2(46)ex, 12.2(46)ey, 12.2(46)se, 12.2(46)se1, 12.2(46)se2, 12.2(46)sg, 12.2(46)sg1, 12.2(50)se, 12.2(50)se1, 12.2(50)se2, 12.2(50)se3, 12.2(50)se4, 12.2(50)se5, 12.2(50)sg, 12.2(50)sg1, 12.2(50)sg2, 12.2(50)sg3, 12.2(50)sg4, 12.2(50)sg5, 12.2(50)sg6, 12.2(50)sg7, 12.2(50)sg8, 12.2(50)sq, 12.2(50)sq1, 12.2(50)sq2, 12.2(50)sq3, 12.2(50)sq4, 12.2(50)sq5, 12.2(50)sq6, 12.2(50)sq7, 12.2(52)ex, 12.2(52)ex1, 12.2(52)se, 12.2(52)se1, 12.2(52)sg, 12.2(52)xo, 12.2(53)ey, 12.2(53)ez, 12.2(53)se, 12.2(53)se1, 12.2(53)se2, 12.2(53)sg, 12.2(53)sg1, 12.2(53)sg2, 12.2(53)sg3, 12.2(53)sg4, 12.2(53)sg5, 12.2(53)sg6, 12.2(53)sg7, 12.2(53)sg8, 12.2(53)sg9, 12.2(53)sg10, 12.2(53)sg11, 12.2(54)se, 12.2(54)sg, 12.2(54)sg1, 12.2(54)wo, 12.2(54)xo, 12.2(55)ex, 12.2(55)ex1, 12.2(55)ex2, 12.2(55)ex3, 12.2(55)ey, 12.2(55)ez, 12.2(55)se, 12.2(55)se1, 12.2(55)se2, 12.2(55)se3, 12.2(55)se4, 12.2(55)se5, 12.2(55)se6, 12.2(55)se7, 12.2(55)se8, 12.2(55)se9, 12.2(55)se10, 12.2(55)se11, 12.2(58)ex, 12.2(58)ez, 12.2(58)se, 12.2(58)se1, 12.2(58)se2, 12.2(60)ez4, 12.2(60)ez5, 12.2(137)sg, 12.2(144)sg, 15.0(1)ey, 15.0(1)ey1, 15.0(1)ey2, 15.0(1)se, 15.0(1)se1, 15.0(1)se2, 15.0(1)se3, 15.0(1)xo, 15.0(1)xo1, 15.0(2)eb, 15.0(2)ec, 15.0(2)ed, 15.0(2)ej, 15.0(2)ej1, 15.0(2)ex, 15.0(2)ex1, 15.0(2)ex2, 15.0(2)ex3, 15.0(2)ex4, 15.0(2)ex5, 15.0(2)ex8, 15.0(2)ex10, 15.0(2)ey, 15.0(2)ey1, 15.0(2)ey2, 15.0(2)ey3, 15.0(2)ez, 15.0(2)se, 15.0(2)se1, 15.0(2)se2, 15.0(2)se3, 15.0(2)se4, 15.0(2)se5, 15.0(2)se6, 15.0(2)se7, 15.0(2)se8, 15.0(2)se9, 15.0(2)se10, 15.0(2)se10a, 15.0(2)se11, 15.0(2)sg, 15.0(2)sg1, 15.0(2)sg2, 15.0(2)sg3, 15.0(2)sg4, 15.0(2)sg5, 15.0(2)sg6, 15.0(2)sg7, 15.0(2)sg8, 15.0(2)sg9, 15.0(2)sg10, 15.0(2)sg11, 15.0(2)sqd, 15.0(2)sqd1, 
15.0(2)sqd2, 15.0(2)sqd3, 15.0(2)sqd4, 15.0(2)sqd5, 15.0(2)xo, 15.0(2a)ex5, 15.0(2a)se9, 15.1(1)sg, 15.1(1)sg1, 15.1(1)sg2, 15.1(2)sg, 15.1(2)sg1, 15.1(2)sg2, 15.1(2)sg3, 15.1(2)sg4, 15.1(2)sg5, 15.1(2)sg6, 15.1(2)sg7, 15.1(2)sg7a, 15.1(2)sg8, 15.1(2)sg9, 15.2(1)e, 15.2(1)e1, 15.2(1)e2, 15.2(1)e3, 15.2(1)ey, 15.2(2)e, 15.2(2)e1, 15.2(2)e2, 15.2(2)e3, 15.2(2)e4, 15.2(2)e5, 15.2(2)e5a, 15.2(2)e5b, 15.2(2)e6, 15.2(2)e7, 15.2(2)eb, 15.2(2)eb1, 15.2(2)eb2, 15.2(2a)e1, 15.2(2a)e2, 15.2(3)e, 15.2(3)e1, 15.2(3)e2, 15.2(3)e3, 15.2(3)e4, 15.2(3)e5, 15.2(3)ex, 15.2(3a)e, 15.2(3a)e1, 15.2(3m)e2, 15.2(3m)e3, 15.2(3m)e6, 15.2(3m)e8, 15.2(4)e, 15.2(4)e1, 15.2(4)e2, 15.2(4)e3, 15.2(4)e4, 15.2(4)ec, 15.2(4)ec1, 15.2(4)ec2, 15.2(4m)e1, 15.2(4m)e3, 15.2(4n)e2, 15.2(4o)e2, 15.2(5)e, 15.2(5)e1, 15.2(5)e2, 15.2(5)ex, 15.2(5a)e, 15.2(5a)e1, 15.2(5b)e, 15.2(5c)e
Cisco | IOS XE | 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.3.1t, 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 3.1.0sg, 3.1.1sg, 3.2.0sg, 3.2.0xo, 3.2.2sg, 3.2.3sg, 3.2.4sg, 3.2.5sg, 3.2.6sg, 3.2.7sg, 3.2.8sg, 3.2.9sg, 3.2.10sg, 3.2.11sg, 3.3.0sg, 3.3.0sq, 3.3.0xo, 3.3.1sg, 3.3.1sq, 3.3.1xo, 3.3.2sg, 3.3.2xo, 3.4.0sg, 3.4.0sq, 3.4.1sg, 3.4.1sq, 3.4.2sg, 3.4.3sg, 3.4.4sg, 3.4.5sg, 3.4.6sg, 3.4.7asg, 3.4.7sg, 3.4.8sg, 3.4.9sg, 3.5.0e, 3.5.0sq, 3.5.1e, 3.5.1sq, 3.5.2e, 3.5.2sq, 3.5.3e, 3.5.3sq, 3.5.4sq, 3.5.5sq, 3.6.0e, 3.6.1e, 3.6.2e, 3.6.3e, 3.6.4e, 3.6.5ae, 3.6.5be, 3.6.5e, 3.6.6e, 3.7.0e, 3.7.1e, 3.7.2e, 3.7.3e, 3.7.4e, 3.7.5e, 3.8.0e, 3.8.0ex, 3.8.1e, 3.8.2e, 3.8.3e, 3.9.0e, 3.9.1e

Vendor Advisories

A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protoc ...

Exploits

    #!/usr/bin/python
    # Author:
    # Artem Kondratenko (@artkond)
    import socket
    import sys
    from time import sleep

    set_credless = True
    if len(sys.argv) < 3:
        print sys.argv[0] + ' [host] --set/--unset'
        sys.exit()
    elif sys.argv[2] == '--unset':
        set_credless = False
    elif sys.argv[2] == '--set':
        pass
    else:
        print sys.argv[0] + ' [host] --set/--unset ...

    #!/usr/bin/python
    # Exploit Title: Cisco Catalyst 2960 - Buffer Overflow
    # Exploit Details: artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/
    # Date: 04102017
    # Exploit Author: twitter.com/artkond
    # Vendor Homepage: www.cisco.com/
    # Version: IOS version c2960-lanbasek9-mz.122-55.SE11)
    # Tested on: Catalyst 2960 ...

Mailing Lists

Cisco Catalyst 2960 with IOS version 12.2(55)SE11 ROCEM remote code execution exploit ...

Metasploit Modules

Cisco IOS Telnet Denial of Service

This module triggers a Denial of Service condition in the Cisco IOS telnet service affecting multiple Cisco switches. Tested against Cisco Catalyst 2960 and 3750.

    msf > use auxiliary/dos/cisco/ios_telnet_rocem
    msf auxiliary(ios_telnet_rocem) > show actions
        ...actions...
    msf auxiliary(ios_telnet_rocem) > set ACTION <action-name>
    msf auxiliary(ios_telnet_rocem) > show options
        ...show and set options...
    msf auxiliary(ios_telnet_rocem) > run

Github Repositories

CVE-2017-3881 Cisco Catalyst RCE Proof-Of-Concept (Apr 10, 2017): Do you still have telnet enabled on your Catalyst switches? Think twice, here’s a proof-of-concept remote code execution exploit for a Catalyst 2960 switch with the latest suggested firmware. Check out the exploit code here. What follows is a detailed write-up of the exploit development process for the vulnerability

PoC-CVE-2017-3881: Cisco Catalyst Remote Code Execution PoC. This repository contains Proof-Of-Concept code for exploiting the remote code execution vulnerability disclosed by Cisco Systems on March 17th 2017 - tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp. Description: Exploit write-up: errorcybernewscom/2017/05/11/cisco-systems-m

CVE-2017-3881: Cisco IOS remote code execution. This repository contains Proof-Of-Concept code for exploiting the remote code execution vulnerability disclosed by Cisco Systems on March 17th 2017 - tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp. Description: Exploit write-up is available here - artkond.com/2017/04/10/cisco-catalyst-r

Easy Linux PWN: This is a set of Linux binary exploitation tasks for beginners. Right now they are only oriented on stack buffer-overflows. I've created these tasks to learn how to do simple binary exploitation on different architectures. For educational purposes, while solving the tasks you have to follow a set of rules listed below. The tasks are made deliberately small an

CVE-in-Ruby: It's a repository to import public exploits to be written in Ruby without Metasploit complication. Why not Metasploit? To educate people how to write exploits using Ruby. To write exploits for CVEs that don't have an exploit, in a simple way. To avoid Metasploit complications. But we still LOVE Metasploit. To list a common exploit that we face in PT that may or

Awesome Stars: A curated list of my GitHub stars! Generated by starred. Contents: ASP, Arduino, Assembly, AutoHotkey, AutoIt, Batchfile, BitBake, Bro, C, C#, C++, CSS, CoffeeScript, Dockerfile, Emacs Lisp, Erlang, Game Maker Language, Go, HTML, Haskell, Java, JavaScript, Jupyter Notebook, KiCad, Kotlin, Logos, Lua, M, Makefile, Markdown, Mask

Awesome CVE PoC: A curated list of CVE PoCs. Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

Cisco Patches Critical Flaw In ASR 9000 Routers
Threatpost • Lindsey O'Donnell • 18 Apr 2019

Cisco has rushed out patches for a critical vulnerability in its ASR 9000 routers that could give remote, unauthenticated attackers access to the devices – as well as the power to launch denial-of-service (DoS) attacks against them.
The flaw is specifically in Cisco Aggregation Services Routers (ASR) 9000 Series, Cisco’s popular carrier Ethernet router intended for service applications. The vulnerability could allow an unauthenticated, remote attacker to access internal applications on...

Insane in the domain: Sea Turtle hackers pwn DNS orgs to dash web surfers on the rocks of phishing pages
The Register • Shaun Nichols in San Francisco • 17 Apr 2019

Website settings altered to point visitors to malicious clones

Internet domain registrars and at least one registry were hijacked to change certain websites' DNS settings so that visitors to said sites were in fact directed to password-stealing phishing pages, researchers detailed on Wednesday.
It is believed this is the first time state-backed miscreants have compromised web domain organizations, including those handling country-code level top-level domains, in order to phish specific targets.
Essentially, once inside a registry or registrar, t...

Cisco Patches IOS XE Vulnerability Leaked in Vault 7 Dump
Threatpost • Michael Mimoso • 10 May 2017

Cisco released an update this week that addresses a vulnerability in software running in more than 300 of its switches. The flaw was disclosed among the WikiLeaks Vault 7 dump of alleged CIA offensive hacking tools, and proof-of-concept exploit code exists that targets the vulnerability.
Cisco said the vulnerability was in the Cluster Management Protocol (CMP) processing code running in its IOS and IOS XE software, the company’s longstanding networking operating system. In an advisory, ...

Cisco patches switch hijacking hole – the one exploited by the CIA
The Register • Shaun Nichols in San Francisco • 09 May 2017

Telnet security flaw fix finally lands – or just use SSH, yeah?

Cisco has patched a critical security flaw in its switches that can be potentially exploited by miscreants to hijack networks – a flaw disclosed in the Vault 7 leak of CIA files.
Switchzilla says the vulnerability, CVE-2017-3881, can be exploited remotely by simply establishing a Telnet connection and sending a cluster management protocol (CMP) command to the target equipment. There is a proof-of-concept exploit here.
"An attacker could exploit this vulnerability by sending malform...

Cisco Warns of Critical Vulnerability Revealed in ‘Vault 7’ Data Dump
Threatpost • Tom Spring • 20 Mar 2017

Cisco Systems warned customers on Friday of a critical vulnerability that could allow an attacker to execute arbitrary code and obtain full control on more than 300 different models of its switches and routers. Cisco said it became aware of the vulnerability after WikiLeaks released its Vault 7 cache of documents that revealed the existence of covert tools allegedly used by the U.S. Central Intelligence Agency.
Cisco said there is currently no patch or workaround for the vulnerability tha...

Cisco's Investigation into Vault 7 Leak Uncovers 0-Day Affecting 318 Products
BleepingComputer • Catalin Cimpanu • 20 Mar 2017

Over 300 Cisco products are affected by a zero-day vulnerability Cisco discovered last week, and for which no patch is available at the time of writing.
Cisco engineers discovered the zero-day following a company-wide effort to investigate how the recently disclosed WikiLeaks "Vault 7" leak affected the company's products.
Vault 7 is a collection of documents WikiLeaks dumped online two weeks ago, alleging they are internal documentation files for some of the CIA's hacking tools. Wik...