CVE-2017-12235
Published: 29 September 2017
Summary
CVE-2017-12235 is a high-severity Improper Input Validation (CWE-20) vulnerability in Cisco IOS. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 9.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-7 (Boundary Protection).
Deeper analysis
A vulnerability in the PROFINET Discovery and Configuration Protocol (PN-DCP) implementation within Cisco IOS versions 12.2 through 15.6 allows an unauthenticated remote attacker to trigger a device reload and resulting denial of service. The flaw stems from improper parsing of specially crafted ingress PN-DCP Identify Request packets and affects any device configured to process PROFINET messages, with PROFINET enabled by default on base switch module and expansion-unit Ethernet ports beginning in release 12.2(52)SE. The issue is tracked as Cisco Bug ID CSCuz47179 and carries a CVSS 3.1 base score of 7.5 due to its impact on availability.
An attacker can exploit the weakness by sending a single crafted PN-DCP Identify Request packet followed by continued legitimate PN-DCP Identify Request traffic, causing the affected device to reload without requiring authentication or user interaction. Successful exploitation produces only a denial-of-service condition and does not permit arbitrary code execution or information disclosure.
The Cisco Security Advisory cisco-sa-20170927-profinet recommends upgrading to a fixed IOS release or disabling PROFINET processing on affected interfaces where feasible, and provides workarounds such as infrastructure access control lists to limit exposure to trusted PROFINET sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-3808
Vulnerability details
A vulnerability in the implementation of the PROFINET Discovery and Configuration Protocol (PN-DCP) for Cisco IOS 12.2 through 15.6 could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to the improper parsing of ingress PN-DCP Identify Request packets destined to an affected device. An attacker could exploit this vulnerability by sending a crafted PN-DCP Identify Request packet to an affected device and then continuing to send normal PN-DCP Identify Request packets to the device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. This vulnerability affects Cisco devices that are configured to process PROFINET messages. Beginning with Cisco IOS Software Release 12.2(52)SE, PROFINET is enabled by default on all the base switch module and expansion-unit Ethernet ports. Cisco Bug IDs: CSCuz47179.
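The advisory names the protocol but not its wire layout. As an added example, not code from this page or from Cisco, the following Python parses an untagged Ethernet frame carrying PN-DCP (EtherType 0x8892, FrameID 0xFEFE for the multicast Identify request, then ServiceID, ServiceType, Xid, ResponseDelay and DCPDataLength, followed by Option/Suboption/DCPBlockLength blocks) and rejects any frame whose declared lengths do not fit the bytes actually received, which is the class of check an ingress parser must make before acting on a field. The sample frame and the malformed variants used in the checks are constructed; they are not the packet the advisory refers to, which the page does not describe.

```python
import struct

PROFINET_ETHERTYPE = 0x8892
FRAME_ID_DCP_IDENTIFY_REQ = 0xFEFE    # multicast Identify request
SERVICE_ID_IDENTIFY, SERVICE_TYPE_REQUEST = 5, 0
DCP_MULTICAST = bytes.fromhex("010ecf000000")   # PN-DCP Identify destination MAC
ETH_HDR_LEN, DCP_HDR_LEN = 14, 10    # untagged Ethernet II; 2-byte FrameID sits between them

def parse_pn_dcp(frame: bytes) -> dict:
    """Parse an untagged Ethernet frame carrying PN-DCP. Every declared length is
    checked against the bytes actually received; ValueError means 'drop the frame'."""
    if len(frame) < ETH_HDR_LEN + 2 + DCP_HDR_LEN:
        raise ValueError("frame too short for Ethernet + FrameID + DCP header")
    ethertype, frame_id = struct.unpack_from("!HH", frame, 12)
    if ethertype != PROFINET_ETHERTYPE:
        raise ValueError("not a PROFINET frame")
    # DCP header: ServiceID, ServiceType, Xid, ResponseDelay, DCPDataLength
    svc_id, svc_type, xid, delay, data_len = struct.unpack_from("!BBIHH", frame, 16)
    payload = frame[ETH_HDR_LEN + 2 + DCP_HDR_LEN:]
    if data_len > len(payload):      # the bounds check a lax parser leaves to the sender
        raise ValueError(f"DCPDataLength {data_len} > {len(payload)} bytes present")
    blocks, off = [], 0
    while off < data_len:
        if data_len - off < 4:
            raise ValueError("truncated DCP block header")
        option, suboption, blk_len = struct.unpack_from("!BBH", payload, off)
        off += 4
        if off + blk_len > data_len:
            raise ValueError("DCPBlockLength overruns DCPDataLength")
        blocks.append((option, suboption, bytes(payload[off:off + blk_len])))
        off += blk_len + (blk_len & 1)   # block data is padded to an even length
    return {"frame_id": frame_id, "service_id": svc_id, "service_type": svc_type,
            "xid": xid, "response_delay": delay, "blocks": blocks}

def is_identify_request(frame: bytes) -> bool:
    """True only for a well-formed PN-DCP Identify Request; anything malformed is False."""
    try:
        p = parse_pn_dcp(frame)
    except ValueError:
        return False
    return (p["frame_id"] == FRAME_ID_DCP_IDENTIFY_REQ and p["service_id"] == SERVICE_ID_IDENTIFY
            and p["service_type"] == SERVICE_TYPE_REQUEST)

def build_identify_all(xid: int, src: bytes = bytes.fromhex("020000000001")) -> bytes:
    """Constructed sample (not a capture): Identify-All request with one empty AllSelector block."""
    block = struct.pack("!BBH", 0xFF, 0xFF, 0)    # Option 0xFF, Suboption 0xFF, DCPBlockLength 0
    hdr = struct.pack("!BBIHH", SERVICE_ID_IDENTIFY, SERVICE_TYPE_REQUEST, xid, 1, len(block))
    return DCP_MULTICAST + src + struct.pack("!HH", PROFINET_ETHERTYPE, FRAME_ID_DCP_IDENTIFY_REQ) + hdr + block
```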
- CWE(s): CWE-20 (Improper Input Validation)
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SC-7 (Boundary Protection): enables infrastructure ACLs to filter untrusted PN-DCP Identify Request packets before they reach affected interfaces.
- Directly counters the root cause of improper ingress PN-DCP packet parsing that triggers the reload.
- CM-7 (Least Functionality): allows disabling PROFINET processing on switch ports when the protocol is not required, eliminating the attack surface.