CVE-2018-0161
Published: 28 March 2018
Summary
CVE-2018-0161 is a medium-severity vulnerability of an unspecified weakness type in Cisco IOS. Its CVSS base score is 6.3 (Medium).
Operationally, it ranks in the top 23.8% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Deeper analysis
A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software on specific Catalyst switch models allows an authenticated remote attacker to trigger a denial of service condition. The flaw, tracked as CSCvd89541 and described as a GET MIB Object ID Denial of Service Vulnerability, occurs when the software processes an SNMP read request containing the ciscoFlashMIB object identifier. Affected devices include Cisco Catalyst 2960-L Series Switches and Cisco Catalyst Digital Building Series Switches (8P and 8U models) running vulnerable IOS releases and configured for SNMPv2 or SNMPv3.
An attacker with valid SNMP credentials can exploit the issue by issuing a crafted SNMP GET request for the ciscoFlashMIB OID. Successful exploitation causes the device to experience a SYS-3-CPUHOG condition and restart, producing a denial of service. The CVSS 3.1 score of 6.3 reflects the need for low-privileged network access combined with high attack complexity and a scope change affecting availability.
The referenced Cisco Security Advisory (cisco-sa-20180328-snmp) and associated security trackers provide details on vulnerable software releases along with recommended mitigation steps, including software updates that address the SNMP processing flaw. No information on observed in-the-wild exploitation is supplied in the source data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-0984
Vulnerability details
A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software running on certain models of Cisco Catalyst Switches could allow an authenticated, remote attacker to cause a denial of service (DoS) condition, aka a GET MIB Object ID Denial of Service Vulnerability. The vulnerability is due to a condition that could occur when the affected software processes an SNMP read request that contains a request for the ciscoFlashMIB object ID (OID). An attacker could trigger this vulnerability by issuing an SNMP GET request for the ciscoFlashMIB OID on an affected device. A successful exploit could cause the affected device to restart due to a SYS-3-CPUHOG. This vulnerability affects the following Cisco devices if they are running a vulnerable release of Cisco IOS Software and are configured to use SNMP Version 2 (SNMPv2) or SNMP Version 3 (SNMPv3): Cisco Catalyst 2960-L Series Switches, Cisco Catalyst Digital Building Series Switches 8P, Cisco Catalyst Digital Building Series Switches 8U. Cisco Bug IDs: CSCvd89541.
- CWE(s)
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly addresses the root cause by requiring installation of the vendor patch that fixes the ciscoFlashMIB OID processing flaw in IOS.
Limits SNMP user privileges so that even authenticated accounts cannot issue arbitrary GET requests against sensitive OIDs such as ciscoFlashMIB.
Enforces disabling SNMPv2/v3 or restricting allowed MIB views on the affected Catalyst switches, eliminating the attack vector entirely.
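The MIB-view restriction described above can be checked offline against a saved running-config. The following is an added example, not part of the original page or of Cisco's advisory: a conservative audit that flags SNMP communities and groups whose read view does not explicitly exclude ciscoFlashMIB. The function name, the sample configuration and its community strings are constructed, and the numeric OID 1.3.6.1.4.1.9.9.10 comes from CISCO-FLASH-MIB rather than from this page.

```python
import re

# ciscoFlashMIB by name or number ({ ciscoMgmt 10 } in CISCO-FLASH-MIB; not from this page).
FLASH_MIB = {"ciscoflashmib", "1.3.6.1.4.1.9.9.10"}

VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) (included|excluded)\b")
COMM_RE = re.compile(r"^snmp-server community \S+(?: view (\S+))?")
GROUP_RE = re.compile(r"^snmp-server group \S+ v\S+(?:.* read (\S+))?")

# Constructed sample running-config excerpt (community strings are made up).
SAMPLE = """\
snmp-server view NOFLASH iso included
snmp-server view NOFLASH ciscoFlashMIB excluded
snmp-server view MGMT iso included
snmp-server community c0nstructed1 view NOFLASH RO
snmp-server community c0nstructed2 RO
snmp-server group OPS v3 priv read MGMT
snmp-server group NOC v3 priv read NOFLASH
"""


def audit_snmp_views(config):
    """Return (line_no, kind, view) for each SNMP read path that can reach ciscoFlashMIB.

    Conservative: a view is treated as safe only if it carries an explicit
    'excluded' entry for ciscoFlashMIB; a missing view means the default view.
    """
    excluding, readers = set(), []
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if m := VIEW_RE.match(line):
            if m.group(3) == "excluded" and m.group(2).lower().lstrip(".") in FLASH_MIB:
                excluding.add(m.group(1))
        elif m := COMM_RE.match(line):
            readers.append((no, "community", m.group(1)))  # never echo the secret
        elif m := GROUP_RE.match(line):
            readers.append((no, "group", m.group(1)))
    return [r for r in readers if r[2] not in excluding]


if __name__ == "__main__":
    for no, kind, view in audit_snmp_views(SAMPLE):
        print(f"line {no}: SNMP {kind} reads via {view or 'default view'}; "
              "ciscoFlashMIB is not excluded")
```

A view that includes only subtrees outside ciscoFlashMIB is also flagged by this check, so findings on such views need a manual look.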