Cyber Resilience

CVE-2017-12231

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 29 September 2017

Modified: 21 April 2026
KEV Added: 03 March 2022
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0935 (93.0th percentile)
Risk Priority: 41 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-12231 is a high-severity vulnerability of an unspecified weakness type in Cisco ASR 9010. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 7.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability in the Network Address Translation (NAT) implementation within Cisco IOS versions 12.4 through 15.6 could permit an unauthenticated remote attacker to trigger a denial of service condition. The flaw stems from improper translation of H.323 messages that rely on the Registration, Admission, and Status (RAS) protocol when those messages arrive via IPv4. It affects devices configured for NAT application layer gateway (ALG) processing of H.323 RAS traffic, a capability enabled by default, and is tracked under Cisco Bug ID CSCvc57217.

An attacker can exploit the issue by sending a specially crafted H.323 RAS packet through an affected device. Successful exploitation causes the device to crash and reload, producing a denial of service. The attack requires no authentication or user interaction and is rated 7.5 on the CVSS 3.1 scale with a high impact on availability.

The referenced Cisco Security Advisory cisco-sa-20170927-nat provides official guidance on addressing the vulnerability.

Vulnerability details

A vulnerability in the implementation of Network Address Translation (NAT) functionality in Cisco IOS 12.4 through 15.6 could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to the improper translation of H.323 messages that use the Registration, Admission, and Status (RAS) protocol and are sent to an affected device via IPv4 packets. An attacker could exploit this vulnerability by sending a crafted H.323 RAS packet through an affected device. A successful exploit could allow the attacker to cause the affected device to crash and reload, resulting in a DoS condition. This vulnerability affects Cisco devices that are configured to use an application layer gateway with NAT (NAT ALG) for H.323 RAS messages. By default, a NAT ALG is enabled for H.323 RAS messages. Cisco Bug IDs: CSCvc57217.

CWE(s)
KEV Date Added: 03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: cisco
Product: ios
Versions: 12.4 through 15.6

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires applying the vendor patch or upgrade that eliminates the H.323 RAS NAT ALG parsing flaw described in CSCvc57217.

Prevent: Enforces disabling the NAT ALG for H.323 RAS (enabled by default) when the protocol is not required, removing the attack surface exploited by the crafted IPv4 packets.

Prevent: Requires implementation of DoS protection mechanisms on network devices that can limit or drop malformed H.323 RAS traffic before it triggers the IOS crash.

References