CVE-2017-12231
Published: 29 September 2017
Summary
CVE-2017-12231 is a high-severity vulnerability of unspecified weakness type in Cisco ASR 9010. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 7.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability in the Network Address Translation (NAT) implementation within Cisco IOS versions 12.4 through 15.6 could permit an unauthenticated remote attacker to trigger a denial of service condition. The flaw stems from improper translation of H.323 messages that rely on the Registration, Admission, and Status (RAS) protocol when those messages arrive via IPv4. It affects devices configured for NAT application layer gateway (ALG) processing of H.323 RAS traffic, a capability enabled by default, and is tracked under Cisco Bug ID CSCvc57217.
An attacker can exploit the issue by sending a specially crafted H.323 RAS packet through an affected device. Successful exploitation causes the device to crash and reload, producing a denial of service. The attack requires no authentication or user interaction and is rated 7.5 on the CVSS 3.1 scale with a high impact on availability.
The referenced Cisco Security Advisory cisco-sa-20170927-nat provides official guidance on addressing the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-3804
Vulnerability details
A vulnerability in the implementation of Network Address Translation (NAT) functionality in Cisco IOS 12.4 through 15.6 could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to the improper translation of H.323 messages that use the Registration, Admission, and Status (RAS) protocol and are sent to an affected device via IPv4 packets. An attacker could exploit this vulnerability by sending a crafted H.323 RAS packet through an affected device. A successful exploit could allow the attacker to cause the affected device to crash and reload, resulting in a DoS condition. This vulnerability affects Cisco devices that are configured to use an application layer gateway with NAT (NAT ALG) for H.323 RAS messages. By default, a NAT ALG is enabled for H.323 RAS messages. Cisco Bug IDs: CSCvc57217.
- CWE(s)
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires applying the vendor patch or upgrade that eliminates the H.323 RAS NAT ALG parsing flaw described in CSCvc57217.
Enforces disabling the NAT ALG for H.323 RAS (enabled by default) when the protocol is not required, removing the attack surface exploited by the crafted IPv4 packets.
Requires implementation of DoS protection mechanisms on network devices that can limit or drop malformed H.323 RAS traffic before it triggers the IOS crash.
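One way to check a saved running-config for the exposure conditions described above, as an added example that is not Cisco's or this page's own code. It assumes `no ip nat service ras` is the IOS global command that disables the H.323 RAS ALG (the command does not appear on this page; confirm it in advisory cisco-sa-20170927-nat); the function name and sample config are constructed.

```python
import re

# Affected Cisco IOS range as stated on this page (12.4 through 15.6). Coarse
# filter only: confirm the exact fixed release in the vendor advisory.
AFFECTED_MIN, AFFECTED_MAX = (12, 4), (15, 6)
# Assumption: IOS global-config line that turns off the H.323 RAS NAT ALG.
RAS_ALG_OFF = "no ip nat service ras"

def audit_ios_config(config_text):
    """Assess one running-config for exposure to CVE-2017-12231."""
    version, nat_ifs, ras_off, cur_if = None, [], False, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):          # global-mode line ends any interface block
            cur_if = None
            m = re.match(r"version (\d+)\.(\d+)", line)
            if m:
                version = (int(m.group(1)), int(m.group(2)))
            elif line.startswith("interface "):
                cur_if = line.split(None, 1)[1]
            elif line == RAS_ALG_OFF:
                ras_off = True
        elif cur_if and re.match(r"\s+ip nat (inside|outside|enable)\b", line):
            nat_ifs.append(cur_if)            # NAT is active on this interface
    # Unknown version is treated as in range so the device still gets reviewed.
    in_range = version is None or AFFECTED_MIN <= version <= AFFECTED_MAX
    return {
        "version": version,
        "nat_interfaces": nat_ifs,
        "ras_alg_disabled": ras_off,
        "exposed": in_range and bool(nat_ifs) and not ras_off,
    }

# Constructed sample running-config (not taken from any real device).
SAMPLE = """\
version 15.2
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 10 interface GigabitEthernet0/0 overload
"""

if __name__ == "__main__":
    print(audit_ios_config(SAMPLE))
```

A device is flagged only when all three conditions hold: an IOS version in the stated range (or unknown), NAT enabled on at least one interface, and no line disabling the RAS ALG.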