nessus | This script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof. | CISCO-SA-20170317-CMP-IOS.NASL
HistoryMar 27, 2017 - 12:00 a.m.

Cisco IOS Cluster Management Protocol Telnet Option Handling RCE (cisco-sa-20170317-cmp)

2017-03-27 00:00:00
This script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

According to its self-reported version and configuration, the Cisco IOS software running on the remote device is affected by a remote code execution vulnerability in the Cluster Management Protocol (CMP) subsystem due to improper handling of CMP-specific Telnet options. An unauthenticated, remote attacker can exploit this to execute arbitrary code by establishing a Telnet session with malformed CMP-specific Telnet options. Because the result rests on the self-reported version and configuration, confirm the running release and whether inbound Telnet is enabled when triaging it.

#TRUSTED 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
#TRUST-RSA-SHA256 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
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Registration block: when `description` is set, the script only declares its
# metadata (IDs, cross-references, texts, scoring, dependencies) and then
# leaves through exit(0); the detection logic further down is not reached.
if (description)
{
  script_id(97991);
  script_version("1.18");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/25");

  # Cross-references that tie the finding to the CVE, the Cisco bug ID and the
  # Cisco advisory, so results can be correlated with vendor and tracker data.
  script_cve_id("CVE-2017-3881");
  script_bugtraq_id(96960);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvd48893");
  script_xref(name:"IAVA", value:"2017-A-0073");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170317-cmp");
  # NOTE(review): the date looks like the remediation due date from CISA's
  # Known Exploited Vulnerabilities catalog - confirm against the catalog.
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/15");
  script_xref(name:"CEA-ID", value:"CEA-2019-0240");

  script_name(english:"Cisco IOS Cluster Management Protocol Telnet Option Handling RCE (cisco-sa-20170317-cmp)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  # The description states that the result comes from the self-reported
  # version and configuration, so it should be read as "this release is listed
  # as affected" rather than as proof that the flaw was triggered.
  script_set_attribute(attribute:"description", value:
"According to its self-reported version and configuration, the Cisco IOS software running on the remote device is
affected by a remote code execution vulnerability in the Cluster Management Protocol (CMP) subsystem due to improper
handling of CMP-specific Telnet options. An unauthenticated, remote attacker can exploit this by establishing a Telnet
session with malformed CMP-specific telnet options, to execute arbitrary code.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7cb68237");
  # Two remediation paths are offered: a fixed release, or removing the
  # exposure by not accepting incoming Telnet connections.
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvd48893. Alternatively, as a workaround, disable
the Telnet protocol for incoming connections.");
  # Base vectors: network-reachable, low complexity, no authentication or
  # privileges, complete/high impact on confidentiality, integrity and
  # availability. Temporal vectors: functional exploit code (E:F), official
  # fix available (RL:OF / RL:O), report confirmed (RC:C).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-3881");

  # Exploit availability is declared here as metadata; together with E:F above
  # it is a prioritisation signal for whoever triages the finding.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/27");

  # NOTE(review): "combined" presumably means the plugin can use both locally
  # and remotely gathered data - confirm against the scanner documentation.
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  # Declared as an information-gathering check.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The check depends on cisco_ios_version.nasl and requires the
  # Host/Cisco/IOS/Version knowledge-base key; presumably that dependency is
  # what stores the version string - verify in cisco_ios_version.nasl.
  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

# Product details for 'Cisco IOS' as returned by cisco::get_product_info; the
# code below reads its 'port' and 'version' entries. The helper is not defined
# in this file (presumably it comes from ccf.inc - confirm).
var product_info = cisco::get_product_info(name:'Cisco IOS');

# Explicit list of IOS release strings treated as affected; it is passed to
# cisco::check_and_report as vuln_versions.
# NOTE(review): this looks like an enumerated list rather than a version range,
# so a release string missing from it (for example one published after the
# plugin's last modification date) would presumably not be flagged - confirm
# how ccf.inc matches versions before treating a clean result as "not affected".
var version_list=make_list(
  '12.2(22)S',
  '12.2(20)S',
  '12.2(18)S',
  '12.2(25)S',
  '12.2(20)S2a',
  '12.2(20)S4a',
  '12.2(20)S5',
  '12.2(18)S1',
  '12.2(20)S4',
  '12.2(18)S2',
  '12.2(18)S4',
  '12.2(25)S2',
  '12.2(20)S2',
  '12.2(18)S3',
  '12.2(20)S6',
  '12.2(20)S3',
  '12.2(25)S1',
  '12.2(20)S1',
  '12.1(9)EX',
  '12.2(14)SZ',
  '12.2(14)SZ5',
  '12.2(14)SZ6',
  '12.2(14)SZ3',
  '12.2(14)SZ4',
  '12.2(14)SZ1',
  '12.2(14)SZ2',
  '12.2(25)EW',
  '12.2(20)EWA',
  '12.2(25)EWA',
  '12.2(25)EWA6',
  '12.2(25)EWA5',
  '12.2(25)EWA1',
  '12.2(25)EWA10',
  '12.2(25)EWA8',
  '12.2(20)EWA1',
  '12.2(25)EWA11',
  '12.2(25)EWA9',
  '12.2(25)EWA2',
  '12.2(25)EWA14',
  '12.2(25)EWA4',
  '12.2(20)EWA3',
  '12.2(25)EWA3',
  '12.2(25)EWA7',
  '12.2(20)EWA4',
  '12.2(25)EWA12',
  '12.2(25)EWA13',
  '12.2(20)EWA2',
  '12.2(35)SE',
  '12.2(18)SE',
  '12.2(20)SE',
  '12.2(25)SE',
  '12.2(37)SE',
  '12.2(53)SE1',
  '12.2(55)SE',
  '12.2(25)SE2',
  '12.2(40)SE2',
  '12.2(46)SE',
  '12.2(46)SE2',
  '12.2(50)SE2',
  '12.2(35)SE5',
  '12.2(50)SE1',
  '12.2(44)SE2',
  '12.2(20)SE3',
  '12.2(35)SE1',
  '12.2(50)SE5',
  '12.2(44)SE1',
  '12.2(53)SE',
  '12.2(37)SE1',
  '12.2(25)SE3',
  '12.2(35)SE3',
  '12.2(44)SE4',
  '12.2(55)SE3',
  '12.2(55)SE2',
  '12.2(40)SE',
  '12.2(44)SE',
  '12.2(52)SE',
  '12.2(58)SE',
  '12.2(50)SE3',
  '12.2(55)SE1',
  '12.2(35)SE2',
  '12.2(18)SE1',
  '12.2(40)SE1',
  '12.2(20)SE1',
  '12.2(44)SE6',
  '12.2(44)SE3',
  '12.2(53)SE2',
  '12.2(52)SE1',
  '12.2(46)SE1',
  '12.2(20)SE2',
  '12.2(54)SE',
  '12.2(44)SE5',
  '12.2(50)SE4',
  '12.2(50)SE',
  '12.2(20)SE4',
  '12.2(58)SE1',
  '12.2(55)SE4',
  '12.2(58)SE2',
  '12.2(55)SE5',
  '12.2(55)SE6',
  '12.2(55)SE7',
  '12.2(55)SE8',
  '12.2(55)SE9',
  '12.2(55)SE10',
  '12.2(55)SE11',
  '12.1(14)AZ',
  '12.2(20)EU',
  '12.2(20)EU1',
  '12.2(20)EU2',
  '12.2(20)EX',
  '12.2(44)EX',
  '12.2(40)EX3',
  '12.2(40)EX',
  '12.2(52)EX',
  '12.2(44)EX1',
  '12.2(40)EX2',
  '12.2(40)EX1',
  '12.2(55)EX',
  '12.2(46)EX',
  '12.2(52)EX1',
  '12.2(55)EX1',
  '12.2(55)EX2',
  '12.2(55)EX3',
  '12.2(58)EX',
  '12.2(25)SEB',
  '12.2(25)SEB2',
  '12.2(25)SEB1',
  '12.2(25)SEB4',
  '12.2(25)SEB3',
  '12.2(25)SEA',
  '12.2(25)EY',
  '12.2(46)EY',
  '12.2(55)EY',
  '12.2(25)EY1',
  '12.2(53)EY',
  '12.2(25)EY3',
  '12.2(37)EY',
  '12.2(25)EY2',
  '12.2(25)EY4',
  '12.2(25)EZ',
  '12.2(25)EZ1',
  '12.2(58)EZ',
  '12.2(53)EZ',
  '12.2(55)EZ',
  '12.2(60)EZ4',
  '12.2(60)EZ5',
  '12.2(25)SEC',
  '12.2(25)SEC2',
  '12.2(25)SEC1',
  '12.2(31)SG',
  '12.2(25)SG',
  '12.2(37)SG',
  '12.2(44)SG',
  '12.2(50)SG3',
  '12.2(31)SG1',
  '12.2(53)SG',
  '12.2(31)SG3',
  '12.2(50)SG6',
  '12.2(53)SG1',
  '12.2(46)SG',
  '12.2(25)SG1',
  '12.2(53)SG2',
  '12.2(50)SG5',
  '12.2(37)SG1',
  '12.2(53)SG3',
  '12.2(50)SG8',
  '12.2(25)SG3',
  '12.2(50)SG2',
  '12.2(40)SG',
  '12.2(25)SG2',
  '12.2(54)SG1',
  '12.2(44)SG1',
  '12.2(50)SG1',
  '12.2(52)SG',
  '12.2(54)SG',
  '12.2(31)SG2',
  '12.2(50)SG',
  '12.2(25)SG4',
  '12.2(50)SG7',
  '12.2(53)SG4',
  '12.2(50)SG4',
  '12.2(46)SG1',
  '12.2(53)SG5',
  '12.2(53)SG6',
  '12.2(53)SG7',
  '12.2(53)SG8',
  '12.2(53)SG9',
  '12.2(53)SG10',
  '12.2(53)SG11',
  '12.2(25)FX',
  '12.2(25)FY',
  '12.2(25)SEF',
  '12.2(25)SEF1',
  '12.2(25)SEF2',
  '12.2(25)SEF3',
  '12.2(25)SEE',
  '12.2(25)SEE1',
  '12.2(25)SEE3',
  '12.2(25)SEE4',
  '12.2(25)SEE2',
  '12.2(25)SED',
  '12.2(25)SED1',
  '12.2(31)SGA',
  '12.2(31)SGA3',
  '12.2(31)SGA2',
  '12.2(31)SGA10',
  '12.2(31)SGA5',
  '12.2(31)SGA4',
  '12.2(31)SGA11',
  '12.2(31)SGA6',
  '12.2(31)SGA1',
  '12.2(31)SGA7',
  '12.2(31)SGA8',
  '12.2(31)SGA9',
  '12.2(25)SEG',
  '12.2(25)SEG1',
  '12.2(25)SEG3',
  '12.2(25)FZ',
  '12.2(44)SQ',
  '12.2(44)SQ2',
  '12.2(50)SQ2',
  '12.2(50)SQ1',
  '12.2(50)SQ',
  '12.2(50)SQ3',
  '12.2(50)SQ4',
  '12.2(50)SQ5',
  '12.2(50)SQ6',
  '12.2(50)SQ7',
  '15.0(1)XO1',
  '15.0(1)XO',
  '15.0(2)XO',
  '15.0(1)EY',
  '15.0(1)EY1',
  '15.0(1)EY2',
  '15.0(2)EY',
  '15.0(2)EY1',
  '15.0(2)EY2',
  '15.0(2)EY3',
  '12.2(54)WO',
  '12.2(27)SBK9',
  '15.0(1)SE',
  '15.0(2)SE',
  '15.0(1)SE1',
  '15.0(1)SE2',
  '15.0(1)SE3',
  '15.0(2)SE1',
  '15.0(2)SE2',
  '15.0(2)SE3',
  '15.0(2)SE4',
  '15.0(2)SE5',
  '15.0(2)SE6',
  '15.0(2)SE7',
  '15.0(2)SE8',
  '15.0(2)SE9',
  '15.0(2a)SE9',
  '15.0(2)SE10',
  '15.0(2)SE10a',
  '15.1(1)SG',
  '15.1(2)SG',
  '15.1(1)SG1',
  '15.1(1)SG2',
  '15.1(2)SG1',
  '15.1(2)SG2',
  '15.1(2)SG3',
  '15.1(2)SG4',
  '15.1(2)SG5',
  '15.1(2)SG6',
  '15.1(2)SG7',
  '15.1(2)SG8',
  '15.0(2)SG',
  '15.0(2)SG1',
  '15.0(2)SG2',
  '15.0(2)SG3',
  '15.0(2)SG4',
  '15.0(2)SG5',
  '15.0(2)SG6',
  '15.0(2)SG7',
  '15.0(2)SG8',
  '15.0(2)SG9',
  '15.0(2)SG10',
  '15.0(2)SG11',
  '15.0(2)EX',
  '15.0(2)EX1',
  '15.0(2)EX2',
  '15.0(2)EX3',
  '15.0(2)EX4',
  '15.0(2)EX5',
  '15.0(2)EX6',
  '15.0(2)EX7',
  '15.0(2)EX8',
  '15.0(2a)EX5',
  '15.0(2)EX10',
  '15.0(2)EX11',
  '15.0(2)EX13',
  '15.0(2)EX12',
  '15.2(1)E',
  '15.2(2)E',
  '15.2(1)E1',
  '15.2(3)E',
  '15.2(1)E2',
  '15.2(1)E3',
  '15.2(2)E1',
  '15.2(2b)E',
  '15.2(4)E',
  '15.2(3)E1',
  '15.2(2)E2',
  '15.2(2a)E1',
  '15.2(2)E3',
  '15.2(2a)E2',
  '15.2(3)E2',
  '15.2(3a)E',
  '15.2(3)E3',
  '15.2(3m)E2',
  '15.2(4)E1',
  '15.2(2)E4',
  '15.2(2)E5',
  '15.2(4)E2',
  '15.2(4m)E1',
  '15.2(3)E4',
  '15.2(5)E',
  '15.2(3m)E7',
  '15.2(4)E3',
  '15.2(2)E6',
  '15.2(5a)E',
  '15.2(5)E1',
  '15.2(5b)E',
  '15.2(4m)E3',
  '15.2(3m)E8',
  '15.2(2)E5a',
  '15.2(5c)E',
  '15.2(3)E5',
  '15.2(2)E5b',
  '15.2(4n)E2',
  '15.2(4o)E2',
  '15.2(5a)E1',
  '15.2(4p)E1',
  '15.2(4m)E2',
  '15.2(4o)E3',
  '15.2(4q)E1',
  '15.2(4s)E1',
  '15.2(4s)E2',
  '15.0(2)EZ',
  '15.2(2)SC3',
  '15.2(1)EY',
  '15.0(2)EJ',
  '15.0(2)EJ1',
  '15.2(2)EB',
  '15.2(2)EB1',
  '15.2(2)EB2',
  '15.2(2)EA',
  '15.2(2)EA1',
  '15.2(2)EA2',
  '15.2(3)EA',
  '15.2(4)EA',
  '15.2(4)EA1',
  '15.2(2)EA3',
  '15.2(4)EA3',
  '15.2(5)EA',
  '15.2(4)EA4',
  '15.2(4)EA2',
  '15.2(4)EA5',
  '15.0(2)SQD',
  '15.0(2)SQD1',
  '15.0(2)SQD2',
  '15.0(2)SQD3',
  '15.0(2)SQD4',
  '15.0(2)SQD5',
  '15.2(4)EC1',
  '15.2(4)EC2',
  '15.1(3)SVS',
  '15.1(3)SVT1'
);

# Workaround checks to apply: a single entry, looked up under the key
# 'ios_iosxe_telnet' in CISCO_WORKAROUNDS.
# NOTE(review): presumably this inspects the device configuration for whether
# incoming Telnet is enabled, matching the workaround named in the solution
# text - confirm in cisco_workarounds.inc.
var workarounds = make_list(
  CISCO_WORKAROUNDS['ios_iosxe_telnet']
);

# Report parameters: port and version come from product_info, the severity is
# SECURITY_HOLE, and the Cisco bug ID matches the CISCO-BUG-ID cross-reference.
# NOTE(review): 'cmds' names 'show running-config'; presumably that output is
# what the workaround check reads, which would need access to the device
# configuration. How the check resolves when the configuration cannot be read
# is not visible here - verify in ccf.inc, and confirm on the device whether
# incoming Telnet is accepted.
var reporting = make_array(
  'port' , product_info['port'],
  'severity' , SECURITY_HOLE,
  'bug_id'   , 'CSCvd48893',
  'cmds'     , make_list('show running-config'),
  'version'  , product_info['version']
);

# Hand the product details, workaround list, report parameters and affected
# version list to the shared helper, which performs the comparison and emits
# the finding (implementation not shown in this file).
cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  reporting:reporting,
  vuln_versions:version_list
);

Vendor | Product | Version | CPE
cisco | ios | | cpe:/o:cisco:ios