CVE-2017-3881

Published: 17/03/2017 Updated: 07/08/2020
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 1000
CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol uses Telnet internally as a signaling and command protocol between cluster members.

The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options to internal, local communications between cluster members; instead, such options are accepted and processed over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options.

An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. A successful exploit could allow the attacker to execute arbitrary code and obtain full control of the device, or cause a reload of the affected device.

Affected products: Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. Cisco Bug ID: CSCvd48893.
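The trigger described above is a Telnet option subnegotiation (IAC SB ... IAC SE) for a CMP-specific option code, accepted on any Telnet session to the VTY lines. The following is an added example, not code from this page, from the Cisco advisory or from the PoC authors: a Python decoder for Telnet IAC negotiation that flags subnegotiations for option codes a stock Telnet client never sends, oversized subnegotiation payloads, and IAC SB sequences that are never closed. It is the shape of check a packet-capture triage script or an IDS rule would apply to port 23 traffic towards network devices. The real CMP option number is not stated on this page: `PRIVATE_OPT = 0xC8`, the 64-byte payload threshold and both byte streams are constructed assumptions used only to exercise the parser.

```python
"""Decode Telnet IAC option negotiation and flag subnegotiations that an
untrusted client should never be sending to a VTY line. Added example; not
code from this page, the Cisco advisory or the CVE-2017-3881 PoC authors."""

IAC, SE, SB = 0xFF, 0xF0, 0xFA
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE

# Option codes a stock Telnet client negotiates. An IAC SB subnegotiation for
# any other code on a management port deserves a look.
KNOWN_OPTIONS = {
    0: "BINARY", 1: "ECHO", 3: "SGA", 5: "STATUS", 24: "TTYPE", 31: "NAWS",
    32: "TSPEED", 33: "LFLOW", 34: "LINEMODE", 36: "ENVIRON", 39: "NEW-ENVIRON",
}

# Stand-in for a vendor-private option code. The page does not give the real
# CMP option number; 0xC8 is an assumption used only for the sample traffic.
PRIVATE_OPT = 0xC8


def parse_telnet(stream: bytes):
    """Split a raw Telnet byte stream into events:
    ("data", bytes), ("cmd", code, option_or_None) and
    ("sb", option, payload, terminated_by_iac_se)."""
    events, data, i, n = [], bytearray(), 0, len(stream)

    def flush():
        nonlocal data
        if data:
            events.append(("data", bytes(data)))
            data = bytearray()

    while i < n:
        if stream[i] != IAC:
            data.append(stream[i])
            i += 1
            continue
        if i + 1 >= n:                       # dangling IAC at end of capture
            break
        cmd = stream[i + 1]
        if cmd == IAC:                       # IAC IAC is an escaped 0xFF data byte
            data.append(IAC)
            i += 2
            continue
        flush()
        if cmd in (WILL, WONT, DO, DONT):
            if i + 2 >= n:
                break
            events.append(("cmd", cmd, stream[i + 2]))
            i += 3
        elif cmd == SB:
            if i + 2 >= n:
                break
            opt, payload, j, terminated = stream[i + 2], bytearray(), i + 3, False
            while j < n:
                if stream[j] != IAC:
                    payload.append(stream[j])
                    j += 1
                elif j + 1 < n and stream[j + 1] == IAC:
                    payload.append(IAC)      # escaped 0xFF inside the payload
                    j += 2
                elif j + 1 < n and stream[j + 1] == SE:
                    terminated = True
                    j += 2
                    break
                else:                        # bare IAC inside SB: malformed, end it here
                    break
            events.append(("sb", opt, bytes(payload), terminated))
            i = j
        else:                                # NOP, AYT, EOR ... carry no option byte
            events.append(("cmd", cmd, None))
            i += 2
    flush()
    return events


def flag_subnegotiations(stream: bytes, max_payload: int = 64):
    """Return human-readable findings for suspicious IAC SB sequences."""
    findings = []
    for ev in parse_telnet(stream):
        if ev[0] != "sb":
            continue
        _, opt, payload, terminated = ev
        name = KNOWN_OPTIONS.get(opt, "UNKNOWN")
        if opt not in KNOWN_OPTIONS:
            findings.append(f"SB for non-standard option {opt} (0x{opt:02x}) with {len(payload)} bytes")
        if len(payload) > max_payload:
            findings.append(f"SB for {name} ({opt}) carries {len(payload)} bytes, over {max_payload}")
        if not terminated:
            findings.append(f"SB for {name} ({opt}) is not terminated by IAC SE")
    return findings


# Constructed sample streams (not real captures): a normal client login, and a
# client pushing a large private-option subnegotiation followed by a cut-off one.
BENIGN = (bytes([IAC, DO, 1, IAC, WILL, 24])
          + bytes([IAC, SB, 31, 0, 80, 0, 24, IAC, SE])        # NAWS 80x24
          + b"User Access Verification\r\nPassword: ")
SUSPECT = (bytes([IAC, DO, 1])
           + bytes([IAC, SB, PRIVATE_OPT, 0x01]) + b"A" * 200 + bytes([IAC, SE])
           + bytes([IAC, SB, 24, IAC, IAC]))                    # TTYPE, never closed

if __name__ == "__main__":
    for label, stream in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, flag_subnegotiations(stream) or ["clean"])
```

The parser deliberately keeps going after a malformed subnegotiation (a bare IAC inside SB ends that SB and parsing resumes at the IAC) so that one bad sequence does not hide the negotiation that follows it; on a real capture, feed it the client-to-server direction of the TCP stream only, since server-side option replies are not what this check is looking for.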

Vulnerable Products

cisco ios

cisco ios_xe

Vendor Advisories

A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges The Cluster Management Protocol utilizes Telnet internally as a signaling and command protoc ...

Exploits

Cisco Catalyst 2960 with IOS version 12.2(55)SE11 ROCEM remote code execution exploit ...

#!/usr/bin/python
# Author:
# Artem Kondratenko (@artkond)

import socket
import sys
from time import sleep

set_credless = True

if len(sys.argv) < 3:
    print sys.argv[0] + ' [host] --set/--unset'
    sys.exit()
elif sys.argv[2] == '--unset':
    set_credless = False
elif sys.argv[2] == '--set':
    pass
else:
    print sys.argv[0] + ' [host] --set/--unset ...

#!/usr/bin/python
# Exploit Title: Cisco Catalyst 2960 - Buffer Overflow
# Exploit Details: artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/
# Date: 04/10/2017
# Exploit Author: twitter.com/artkond
# Vendor Homepage: www.cisco.com/
# Version: IOS version c2960-lanbasek9-mz.122-55.SE11)
# Tested on: Catalyst 2960 ...

Github Repositories

credit to artkond

CVE-2017-3881 Cisco IOS remote code execution. This repository contains Proof-Of-Concept code for exploiting the remote code execution vulnerability disclosed by Cisco Systems on March 17th 2017 - tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp Description: Exploit write-up is available here - artkond.com/2017/04/10/cisco-catalyst-r

A set of Linux binary exploitation tasks for beginners on various architectures

Easy Linux PWN This is a set of Linux binary exploitation tasks for beginners Right now they are only oriented on stack buffer-overflows I've created these tasks to learn how to do simple binary exploitation on different architectures For educational purposes while solving the tasks you have to follow a set of rules listed below The tasks are made deliberately small an

CVE-2017-3881 Cisco Catalyst RCE Proof-Of-Concept Apr 10, 2017 Do you still have telnet enabled on your Catalyst switches? Think twice, here’s a proof-of-concept remote code execution exploit for Catalyst 2960 switch with latest suggested firmware Check out the exploit code here What follows is a detailed write-up of the exploit development process for the vulnerability

Cisco Catalyst Remote Code Execution PoC

PoC-CVE-2017-3881 Cisco Catalyst Remote Code Execution PoC. This repository contains Proof-Of-Concept code for exploiting the remote code execution vulnerability disclosed by Cisco Systems on March 17th 2017 - tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp Description: Exploit write-up: errorcybernewscom/2017/05/11/cisco-systems-m

Recent Articles

Insane in the domain: Sea Turtle hackers pwn DNS orgs to dash web surfers on the rocks of phishing pages
The Register • Shaun Nichols in San Francisco • 17 Apr 2019

Website settings altered to point visitors to malicious clones

Internet domain registrars and at least one registry were hijacked to change certain websites' DNS settings so that visitors to said sites were in fact directed to password-stealing phishing pages, researchers detailed on Wednesday. It is believed this is the first time state-backed miscreants have compromised web domain organizations, including those handling country-code level top-level domains, in order to phish specific targets. Essentially, once inside a registry or registrar, the hackers w...

Cisco patches switch hijacking hole – the one exploited by the CIA
The Register • Shaun Nichols in San Francisco • 09 May 2017

Telnet security flaw fix finally lands – or just use SSH, yeah?

Cisco has patched a critical security flaw in its switches that can be potentially exploited by miscreants to hijack networks – a flaw disclosed in the Vault 7 leak of CIA files. Switchzilla says the vulnerability, CVE-2017-3881, can be exploited remotely by simply establishing a Telnet connection and sending a cluster management protocol (CMP) command to the target equipment. There is a proof-of-concept exploit here. "An attacker could exploit this vulnerability by sending malformed CMP-speci...
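The headline advice, use SSH instead, is also the interim workaround: the vulnerable CMP option handling only runs for Telnet sessions, so VTY lines that no longer accept Telnet remove the exploit vector until the fixed release is installed. What follows is an added example, not code from this page, from Cisco or from The Register: a Python audit of a Cisco IOS running-config that reports every `line vty` block still able to accept Telnet, plus a rewrite that forces `transport input ssh` on all of them. The sample config is constructed. Two assumptions are built in and marked in the code: a vty block with no explicit `transport input` line is reported as "review" rather than classified, because the platform default differs across IOS releases, and the device is assumed to already have SSH working (host keys, `ip ssh`), which this script does not verify.

```python
"""Audit 'line vty' blocks in a Cisco IOS running-config for Telnet exposure
and emit an SSH-only version. Added example; not code from this page, from
Cisco or from The Register."""
import re

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")
TELNET_CAPABLE = {"all", "telnet"}


def _judge(block):
    """Classify one vty block from its 'transport input' protocol list."""
    protos = block["input"]
    if protos is None:
        # Assumption: no explicit transport input means the platform default
        # applies, which differs across IOS releases, so flag it for review.
        return dict(range=block["range"], verdict="review",
                    reason="no transport input line; platform default applies")
    if protos == ["none"]:
        return dict(range=block["range"], verdict="ok", reason="transport input none")
    verdict = "telnet" if set(protos) & TELNET_CAPABLE else "ok"
    return dict(range=block["range"], verdict=verdict,
                reason="transport input " + " ".join(protos))


def audit_vty_transport(running_config: str):
    """Return one finding per 'line vty' block: range, verdict, reason."""
    findings, block = [], None
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):          # top-level command, '!' or blank closes a block
            if block is not None:
                findings.append(_judge(block))
            m = VTY_RE.match(line)
            block = {"range": line[len("line "):], "input": None} if m else None
            continue
        if block is not None:
            m = re.match(r"transport input (.+)$", line.strip())
            if m:
                block["input"] = m.group(1).split()
    if block is not None:
        findings.append(_judge(block))
    return findings


def ssh_only(running_config: str) -> str:
    """Rewrite every vty block so its only transport input is ssh.
    Assumes SSH is already configured on the device (host keys, ip ssh)."""
    out, in_vty, seen = [], False, False
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            if in_vty and not seen:           # block had no transport input: add one
                out.append(" transport input ssh")
            in_vty = bool(VTY_RE.match(line))
            seen = False
            out.append(line)
            continue
        if in_vty and line.strip().startswith("transport input "):
            if not seen:                      # replace the first, drop any repeats
                out.append(" transport input ssh")
            seen = True
            continue
        out.append(line)
    if in_vty and not seen:
        out.append(" transport input ssh")
    return "\n".join(out) + "\n"


# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
!
hostname SW-LAB-01
!
line con 0
 logging synchronous
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
line vty 16 31
 login local
!
end
"""

if __name__ == "__main__":
    for f in audit_vty_transport(SAMPLE_CONFIG):
        print(f"{f['range']:<10} {f['verdict']:<7} {f['reason']}")
    print(ssh_only(SAMPLE_CONFIG))
```

Run it against the output of `show running-config` collected from each switch; every block reported as "telnet" or "review" is a VTY range on which the CMP option path is still reachable from the network. The rewritten config is only a diff to apply in `line vty` configuration mode, and pushing it to a device that has no SSH host key would lock out remote management, which is why the script does not claim to verify that part.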