Remote DoS in VPLS functionality in Cisco Catalyst 6800 Series Switches

1) Denial of service

EUVDB-ID: #VU8611

Risk: Low

CVSSv3.1: 7.1 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2017-12238

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory management issue when processing MAC entries. A remote attacker with access to local network can create a large number of VPLS-generated MAC entries in the MAC address table of an affected device and cause a C6800-16P10G or C6800-16P10G-XL type line card to crash.

Successful exploitation of the vulnerability may allow an attacker to perform a denial of service (DoS) attack against affected device.

This vulnerability affects Cisco Catalyst 6800 Series Switches that are running a vulnerable release of Cisco IOS Software and have a Cisco C6800-16P10G or C6800-16P10G-XL line card in use with Supervisor Engine 6T. To be vulnerable, the device must also be configured with VPLS and the C6800-16P10G or C6800-16P10G-XL line card needs to be the core-facing MPLS interfaces.

Mitigation

Update to version 15.4(1)IA1.144.

Vulnerable software versions

Cisco Catalyst 6800 Series Switches: 15.4.1 IA1.106

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-vpls
http://bst.cloudapps.cisco.com/bugsearch/bug/CSCva61927

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.