CVE-2017-6627
Published: 07 September 2017
Summary
CVE-2017-6627 is a high-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Cisco IOS and IOS XE. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 6.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability lies in the UDP processing code of Cisco IOS 15.1, 15.2 and 15.4 and of IOS XE 3.14 through 3.18. It stems from Cisco IOS Software application changes that create UDP sockets and leave them idle without ever closing them. Tracked under Cisco Bug IDs CSCup10024, CSCva55744 and CSCva95506, the flaw lets an affected device's input interface queue retain UDP packets, producing a queue wedge and a denial of service.
An unauthenticated remote attacker can exploit it by sending UDP packets with a destination port of 0 to an affected device. The packets are held in the input interface queue and never released; once the queue has accepted 250 of them it stops accepting further UDP packets, so the interface remains wedged. The attack needs no authentication or user interaction, which the CVSS v3 base score of 7.5 reflects: network attack vector, low complexity, high availability impact, no confidentiality or integrity impact.
The Cisco Security Advisory cisco-sa-20170906-ios-udp provides the official guidance on fixed software and mitigation. The details reproduced on this page do not describe specific in-the-wild exploitation, although the CVE's inclusion in the CISA Known Exploited Vulnerabilities catalog (added 03 March 2022) indicates that exploitation has been reported.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-15681
Vulnerability details
A vulnerability in the UDP processing code of Cisco IOS 15.1, 15.2, and 15.4 and IOS XE 3.14 through 3.18 could allow an unauthenticated, remote attacker to cause the input queue of an affected system to hold UDP packets, causing an interface queue wedge and a denial of service (DoS) condition. The vulnerability is due to Cisco IOS Software application changes that create UDP sockets and leave the sockets idle without closing them. An attacker could exploit this vulnerability by sending UDP packets with a destination port of 0 to an affected device. A successful exploit could allow the attacker to cause UDP packets to be held in the input interfaces queue, resulting in a DoS condition. The input interface queue will stop holding UDP packets when it receives 250 packets. Cisco Bug IDs: CSCup10024, CSCva55744, CSCva95506.
- CWE(s): CWE-404 Improper Resource Shutdown or Release
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Cisco IOS 15.1, 15.2 and 15.4
- Cisco IOS XE 3.14 through 3.18
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): apply the vendor fixed software that closes the idle UDP socket flaw (CSCup10024, CSCva55744, CSCva95506) so packets sent to UDP port 0 no longer wedge the input queue.
- SC-5 (Denial-of-service Protection): deploy technical controls that detect and drop malformed or excessive UDP traffic before it can fill the interface input queue on affected IOS and IOS XE devices.
- SC-7 (Boundary Protection): filter UDP packets with destination port 0 at network ingress, blocking the unauthenticated attack vector before it reaches the vulnerable stack. Legitimate traffic does not use UDP destination port 0, so such a filter has no impact on normal services.