External risk intelligence

Cisco IOS SNMP Denial of Service Vulnerability.

CVE advisory | Known Exploit

CVE-2018-0161

Certain Cisco IOS Software versions on specific Catalyst switches are vulnerable in the SNMP subsystem, allowing authenticated attackers to cause a denial of service. This may lead to device restarts and impact network service availability for affected organizations.

Halo Surface Signal: 2

Denial of Service

Cisco IOS

15.2(5)e

External exposure likelihood

Halo Surface Signal score for CVE-2018-0161

The vulnerability affects the SNMP subsystem of network switches. SNMP is a management protocol typically restricted to internal network segments or management VLANs. While network-reachable, it is not a service that is commonly or safely exposed to the public internet in standard deployment patterns.

Horizon Alert

Summary of the vulnerability and why it matters

Certain Cisco IOS Software versions on specific Catalyst switches contain a vulnerability within the SNMP subsystem. This flaw can be triggered by an authenticated user sending a specific SNMP read request. The primary impact is a denial-of-service condition on the affected network device.

  • Vulnerable: Cisco IOS SNMP subsystem
  • Weakness: Improper handling of SNMP read requests
  • Impact: Network device restart

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specific SNMP request to an affected network device. This request, targeting the ciscoFlashMIB object ID, would cause the device to enter a state of high CPU usage and subsequently restart. This interruption disrupts network services and impacts operational availability.

  • Exposure: SNMP service configured for authenticated access.
  • Attacker: Authenticated remote access.
  • Trigger: SNMP GET request for ciscoFlashMIB.
  • Impact: Device restart, denial of service.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an authenticated attacker to disrupt operations on specific Cisco network switches. The attack involves sending a crafted network management request, potentially causing a device to restart and leading to a denial-of-service condition. This impacts the availability of network services.

  • Attackers require authenticated access.
  • Difficulty is considered moderate.
  • Business risk involves service disruption.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability could impact the availability of specific Cisco Catalyst switches if they are configured to use SNMPv2 or SNMPv3. An attacker could trigger a device restart, leading to a denial-of-service condition. The impact is limited to organizations using the affected switch models with SNMP enabled.

  • Identify affected switch assets.
  • Restrict SNMP access.
  • Apply vendor updates.
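
An added example (not from the original advisory or from Cisco) of auditing a saved IOS configuration for the "Restrict SNMP access" step: it flags SNMP community and SNMPv3 group lines that have no access list or whose view does not explicitly exclude ciscoFlashMIB. The sample configuration is constructed, and treating a view that excludes ciscoFlashMIB as a mitigating control is an assumption of this example.

```python
# Constructed sample of IOS running-config lines; names and addresses are made up.
SAMPLE_CONFIG = """\
hostname sw-access-01
access-list 10 permit 10.0.50.0 0.0.0.255
snmp-server view NO_FLASH iso included
snmp-server view NO_FLASH ciscoFlashMIB excluded
snmp-server community monitorA RO
snmp-server community monitorB view NO_FLASH RO 10
snmp-server community monitorC RO 10
snmp-server group OPS v3 priv read NO_FLASH access 10
snmp-server group NOC v3 priv
"""

def _pop(tokens, keyword):
    """Remove `keyword` and its value from tokens; return the value or None."""
    if keyword in tokens[:-1]:
        i = tokens.index(keyword)
        value = tokens[i + 1]
        del tokens[i:i + 2]
        return value
    return None

def audit_snmp(config_text):
    """Return [(line_no, findings)] for every SNMP community or group line.

    Line numbers are reported instead of community strings, which are secrets.
    """
    lines = [line.split() for line in config_text.splitlines()]
    # Assumption: only a view that explicitly excludes ciscoFlashMIB counts
    # as hiding the OID; narrower include-only views are flagged for review.
    safe_views = {t[2] for t in lines
                  if len(t) == 5 and t[:2] == ["snmp-server", "view"]
                  and t[3].lower() == "ciscoflashmib" and t[4] == "excluded"}
    report = []
    for line_no, tok in enumerate(lines, 1):
        args = tok[3:]
        if tok[:2] == ["snmp-server", "community"]:
            view = _pop(args, "view")
            # Anything left besides RO/RW is the access-list reference.
            acl = [t for t in args if t.upper() not in ("RO", "RW")]
        elif tok[:2] == ["snmp-server", "group"]:
            view = _pop(args, "read")
            acl = _pop(args, "access")
        else:
            continue
        findings = []
        if not acl:
            findings.append("no-acl")
        if view not in safe_views:
            findings.append("flash-mib-not-excluded")
        report.append((line_no, findings))
    return report
```

An empty findings list means the line has both an access list and a view that excludes ciscoFlashMIB; any other result is a candidate for tightening until the vendor update is applied.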

Frequently asked questions

What is the nature of the vulnerability affecting Cisco IOS Software on Catalyst switches?

A denial of service (DoS) vulnerability exists in the SNMP subsystem of Cisco IOS Software on certain Cisco Catalyst switches. This flaw could allow an authenticated, remote attacker to cause a device to restart, leading to a DoS condition. The vulnerability is specifically related to how the software processes SNMP read requests for the ciscoFlashMIB object ID.

What weakness class is associated with CVE-2018-0161?

The primary weakness associated with CVE-2018-0161 is CWE-399, which pertains to "Errors that Could Lead to Resource Consumption." This indicates an improper handling of resources, in this case, leading to excessive CPU usage and a denial-of-service condition due to an SNMP request.

How can an attacker trigger the denial of service and what is the scope of impact?

An attacker can trigger this vulnerability by issuing an authenticated SNMP GET request for the ciscoFlashMIB object ID on an affected device. Successful exploitation can cause the device to restart due to high CPU usage (SYS-3-CPUHOG). The scope is limited to network devices where SNMPv2 or SNMPv3 is configured and the affected Cisco IOS Software is running.

What is the relevance of the Halo Surface Signal to this vulnerability?

The Halo Surface Signal indicates this vulnerability is unlikely to be exploited externally because it affects the SNMP subsystem of network switches. SNMP is typically restricted to internal network segments or management VLANs and is not commonly exposed to the public internet in standard configurations. Therefore, while network-reachable, its exposure pattern limits its broad external exploitability.

What practical steps should be taken to respond to this vulnerability?

Organizations should identify affected Cisco switch assets running vulnerable Cisco IOS Software versions. It is crucial to restrict SNMP access to only necessary personnel and locations. Applying vendor-provided updates for Cisco IOS Software is the recommended remediation to address this vulnerability and prevent potential service disruptions.
