CVE-2017-12237
Published: 29 September 2017
Summary
CVE-2017-12237 is a high-severity vulnerability in Cisco IOS whose weakness type is unspecified (no CWE assigned). Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 7.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-Service Protection) and SC-7 (Boundary Protection).
Deeper analysis
The vulnerability CVE-2017-12237 resides in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS 15.0 through 15.6 and Cisco IOS XE 3.5 through 16.5. It arises from how affected devices process certain IKEv2 packets and is present on any system with the Internet Security Association and Key Management Protocol (ISAKMP) enabled, regardless of whether IKEv2-specific features are configured. This encompasses devices using LAN-to-LAN VPN, remote-access VPN (excluding SSL VPN), Dynamic Multipoint VPN (DMVPN), or FlexVPN.
An unauthenticated remote attacker can trigger the flaw by sending crafted IKEv2 packets to an exposed device. Successful exploitation produces high CPU utilization, traceback messages, or a reload, resulting in a denial-of-service condition. The issue carries a CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is tracked under Cisco Bug ID CSCvc41277.
The referenced Cisco Security Advisory cisco-sa-20170927-ike, along with associated security bulletins, details mitigation steps and available software updates for the affected releases.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-3810
Vulnerability details
A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS 15.0 through 15.6 and Cisco IOS XE 3.5 through 16.5 could allow an unauthenticated, remote attacker to cause high CPU utilization, traceback messages, or a reload of an affected device that leads to a denial of service (DoS) condition. The vulnerability is due to how an affected device processes certain IKEv2 packets. An attacker could exploit this vulnerability by sending specific IKEv2 packets to an affected device to be processed. A successful exploit could allow the attacker to cause high CPU utilization, traceback messages, or a reload of the affected device that leads to a DoS condition. This vulnerability affects Cisco devices that have the Internet Security Association and Key Management Protocol (ISAKMP) enabled. Although only IKEv2 packets can be used to trigger this vulnerability, devices that are running Cisco IOS Software or Cisco IOS XE Software are vulnerable when ISAKMP is enabled. A device does not need to be configured with any IKEv2-specific features to be vulnerable. Many features use IKEv2, including different types of VPNs such as the following: LAN-to-LAN VPN; Remote-access VPN, excluding SSL VPN; Dynamic Multipoint VPN (DMVPN); and FlexVPN. Cisco Bug IDs: CSCvc41277.
- CWE(s): unspecified
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-Service Protection): directly requires mechanisms to protect against or limit the effects of DoS attacks from crafted network packets, such as the malicious IKEv2 packets in this CVE.
- SC-7 (Boundary Protection): boundary-protection devices can filter or drop IKEv2/ISAKMP traffic from untrusted sources before it reaches the vulnerable IOS/IOS XE IKEv2 module.
- SI-2 (Flaw Remediation): requires prompt installation of the vendor patches that remediate the IKEv2 packet-processing flaw (Cisco Bug CSCvc41277) described in the advisory.
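One concrete form of the SC-7 control above, written here as an added example that is not from the Cisco advisory or this page: an infrastructure ACL on Cisco IOS that accepts IKE/ISAKMP (UDP 500) and IPsec NAT-T (UDP 4500) only from known VPN peers and drops and logs every other IKE packet addressed to the device. The peer addresses, the device's own address and the interface name are placeholders.

```cisco
! Constructed example: restrict who may start an IKE exchange with this device.
! 203.0.113.10 and 203.0.113.20 stand in for known site-to-site peers,
! 198.51.100.1 for the device's Internet-facing address (all placeholders).
ip access-list extended INFRA-ACL-IN
 remark --- IKE/ISAKMP (UDP 500) and NAT-T (UDP 4500) only from known peers ---
 permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.1 eq non500-isakmp
 permit udp host 203.0.113.20 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.20 host 198.51.100.1 eq non500-isakmp
 remark --- Any other IKE packet aimed at the device is dropped and logged ---
 deny   udp any host 198.51.100.1 eq isakmp log
 deny   udp any host 198.51.100.1 eq non500-isakmp log
 remark --- Transit and all other traffic follow existing policy (adjust) ---
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet-facing uplink (placeholder)
 ip access-group INFRA-ACL-IN in
```

Hit counts on the two deny entries (`show ip access-lists INFRA-ACL-IN`) and the resulting log messages give a simple detection signal for unsolicited IKE traffic. For remote-access VPN headends whose peers are dynamic, a static allowlist is not feasible, so the ACL only narrows exposure and the SI-2 patch remains the actual fix.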