[AusNOG] Cisco Security Advisory: Cisco IOS and IOS XE Software Autonomic Networking Infrastructure Registrar Denial of Service Vulnerability

psirt at cisco.com psirt at cisco.com
Tue Mar 21 03:12:09 EST 2017


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS and IOS XE Software Autonomic Networking Infrastructure Registrar Denial of Service Vulnerability

Advisory ID: cisco-sa-20170320-ani

Revision: 1.0

For Public Release: 2017 March 20 16:00 GMT

Last Updated: 2017 March 20 16:00 GMT

CVE ID(s): CVE-2017-3849

CVSS Score v(3): 7.4 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

+---------------------------------------------------------------------

Summary
=======
A vulnerability in the Autonomic Networking Infrastructure (ANI) registrar feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition.

The vulnerability is due to incomplete input validation on certain crafted packets. An attacker could exploit this vulnerability by sending a crafted autonomic network channel discovery packet to a device that has all the following characteristics:

  * Running a Cisco IOS Software or Cisco IOS XE Software release that supports the ANI feature
  * Configured as an autonomic registrar
  * Has a whitelist configured

An exploit could allow the attacker to cause the affected device to reload.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170320-ani

Note: Also see the companion advisory for affected devices that support Autonomic Networking: Cisco IOS and IOS XE Software IPv6 Denial of Service Vulnerability (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170320-aniipv6).

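An added example, not part of Cisco's advisory: a Python check that maps saved running-configs onto the second and third conditions listed in the Summary (configured as an autonomic registrar, whitelist configured). The `autonomic registrar` and `whitelist` command names and the sample configs are assumptions constructed for illustration; whether a release supports ANI or contains the fix has to be checked against the advisory itself.

```python
import re

# Constructed sample running-config (not from the advisory). The command names
# are assumed IOS autonomic-registrar syntax; confirm them on your release.
SAMPLE_WITH_WHITELIST = """\
hostname reg1
!
autonomic registrar
 domain-id example.net
 whitelist flash:ani-whitelist.txt
 CA local
 no shut
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""
# Same constructed config with the whitelist line removed.
SAMPLE_NO_WHITELIST = SAMPLE_WITH_WHITELIST.replace(
    " whitelist flash:ani-whitelist.txt\n", "")
SAMPLE_NO_REGISTRAR = "hostname edge1\n!\ninterface GigabitEthernet0/0\n shutdown\n"

def registrar_block(config):
    """Return the sub-commands under 'autonomic registrar', or None if absent."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if line.rstrip() == "autonomic registrar":  # top-level, unindented
            block = []
            for sub in lines[i + 1:]:
                if not sub.startswith(" "):  # indentation ends the block
                    break
                block.append(sub.strip())
            return block
    return None

def assess(config):
    """Report the registrar and whitelist conditions for one running-config."""
    block = registrar_block(config)
    if block is None:
        return {"registrar": False, "whitelist": False, "needs_review": False}
    has_whitelist = any(re.match(r"whitelist\s+\S+", c) for c in block)
    # needs_review: both config conditions hold, so check the software release.
    return {"registrar": True, "whitelist": has_whitelist,
            "needs_review": has_whitelist}

def audit(configs):
    """Given {device_name: running_config}, list devices that need review."""
    return sorted(name for name, cfg in configs.items()
                  if assess(cfg)["needs_review"])
```

Devices returned by `audit` meet both configuration conditions, so their software release is the remaining thing to compare against Cisco's fixed-release information.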



