Cisco IOS XE Software Internet Group Management Protocol Memory Leak Vulnerability

2018-03-2816:00:00

tools.cisco.com

0.001 Low

EPSS

Percentile

42.1%

JSON

A vulnerability in the Internet Group Management Protocol (IGMP) packet-processing functionality of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to exhaust buffers on an affected device, resulting in a denial of service (DoS) condition.

The vulnerability is due to the affected software insufficiently processing IGMP Membership Query packets that are sent to an affected device. An attacker could exploit this vulnerability by sending a large number of IGMP Membership Query packets, which contain certain values, to an affected device. A successful exploit could allow the attacker to exhaust buffers on the affected device, resulting in a DoS condition that requires the device to be reloaded manually.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-igmp [“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-igmp”]
This advisory is part of the March 28, 2018, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 20 Cisco Security Advisories that describe 22 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication [“https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-66682”].

Affected configurations

Vulners

Node

ciscorvs4000_softwareMatch3.7e

ciscorvs4000_softwareMatch16.2

ciscorvs4000_softwareMatch3.8e

ciscorvs4000_softwareMatch16.3

ciscorvs4000_softwareMatch16.4

ciscorvs4000_softwareMatch3.7.0e

ciscorvs4000_softwareMatch3.7.1e

ciscorvs4000_softwareMatch3.7.2e

ciscorvs4000_softwareMatch3.7.3e

ciscorvs4000_softwareMatch3.7.4e

ciscorvs4000_softwareMatch3.7.5e

ciscorvs4000_softwareMatch16.2.1

ciscorvs4000_softwareMatch16.2.2

ciscorvs4000_softwareMatch3.8.0e

ciscorvs4000_softwareMatch16.3.1

ciscorvs4000_softwareMatch16.3.2

ciscorvs4000_softwareMatch16.3.3

ciscorvs4000_softwareMatch16.3.1a

ciscorvs4000_softwareMatch16.4.1

ciscorvs4000_softwareMatch16.4.2

CPENameOperatorVersion
cisco ios xe softwareeq3.7E
cisco ios xe softwareeq16.2
cisco ios xe softwareeq3.8E
cisco ios xe softwareeq16.3
cisco ios xe softwareeq16.4
cisco ios xe softwareeq3.7.0E
cisco ios xe softwareeq3.7.1E
cisco ios xe softwareeq3.7.2E
cisco ios xe softwareeq3.7.3E
cisco ios xe softwareeq3.7.4E

Name	Operator	Version
cisco ios xe software	eq	3.7E
cisco ios xe software	eq	16.2
cisco ios xe software	eq	3.8E
cisco ios xe software	eq	16.3
cisco ios xe software	eq	16.4
cisco ios xe software	eq	3.7.0E
cisco ios xe software	eq	3.7.1E
cisco ios xe software	eq	3.7.2E
cisco ios xe software	eq	3.7.3E
cisco ios xe software	eq	3.7.4E