A vulnerability in the quality of service (QoS) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or execute arbitrary code with elevated privileges. The vulnerability is due to incorrect bounds checking of certain values within packets destined for UDP port 18999 of the affected device. An attacker could exploit this vulnerability by sending malicious packets to the affected device. When the packets are processed, an exploitable buffer overflow condition may occur. A successful exploit could allow the attacker to execute arbitrary code on the affected device with elevated privileges. The attacker could also leverage this vulnerability to cause the device to reload, creating a temporary DoS condition while the device is reloading. The malicious packets must be destined to and processed by an affected device; traffic transiting a device will not trigger the vulnerability. Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are available. This advisory is part of the March 28, 2018, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 20 Cisco Security Advisories that describe 22 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-qos
A device is vulnerable if it runs an affected version of Cisco IOS or Cisco IOS XE Software and is listening on UDP port 18999. Issue the 'show udp' command on the CLI of a device to determine whether further investigation is required. If the port is open and listening, check the Cisco IOS Software Checker. Example:

    Router> show udp
    Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
     17      0.0.0.0     0         --any--     18999   0   0    11   0

To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com at the following link: https://tools.cisco.com/security/center/softwarechecker.x
Customers who do not use the Adaptive QoS for DMVPN feature can deny all traffic destined to UDP port 18999 on an affected device by using a Control Plane Policing (CoPP) policy similar to the following:

    ! -- ACL for CoPP Undesirable UDP class-map
    ! -- Ignore fragments to prevent them from being misclassified by the policy
    access-list 199 deny ip any any fragments
    ! -- Classify traffic destined to UDP Port 18999 so that we can drop it prior to being processed
    access-list 199 permit udp any any eq 18999
    ! -- CoPP Undesirable UDP class-map
    class-map match-all undesireable-udp
     match access-group 199
    ! -- Undesirable UDP Policy Map
    policy-map drop-udp
     class undesireable-udp
      drop
    ! -- Apply Undesirable UDP policy Map
    control-plane
     service-policy input drop-udp

On platforms that do not support the drop keyword within the policy map, customers may consider utilizing a policy similar to the following as an alternative:

    ! -- ACL for CoPP Undesirable UDP class-map
    ! -- Ignore fragments to prevent them from being misclassified by the policy
    access-list 199 deny ip any any fragments
    ! -- Classify traffic destined to UDP Port 18999 so that we can drop it prior to being processed
    access-list 199 permit udp any any eq 18999
    ! -- CoPP Undesirable UDP class-map
    class-map match-all undesireable-udp
     match access-group 199
    ! -- Undesirable UDP Policy Map - Drop on Police Rate
    policy-map drop-udp
     class undesireable-udp
      police rate 8000 conform-action drop exceed-action drop violate-action drop
    ! -- Apply Undesirable UDP policy Map
    control-plane
     service-policy input drop-udp

If the Adaptive QoS for DMVPN feature is later configured, the device must be upgraded to an unaffected release of Cisco IOS Software or Cisco IOS XE Software and the CoPP policy must be removed.
Customers integrating this workaround into their environment are encouraged to test the adaptation in their lab prior to deployment and to reference the CoPP Best Practice Document at the following link: https://www.cisco.com/c/en/us/about/security-center/copp-best-practices.html
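The two checks above (is the device listening on UDP 18999, and is the CoPP workaround actually in the running configuration) are easy to automate when collecting 'show udp' and 'show running-config' output across a fleet. The following Python is an added example, not Cisco's code or part of the advisory; the 'show udp' sample and the configuration sample are constructed from the advisory's own text, and the function names are the author's own.

```python
import re

# UDP port the advisory identifies as the listener for the vulnerable QoS code.
ADVISORY_PORT = 18999

# Constructed sample modelled on the advisory's 'show udp' output; the 18999 row
# is the one that means further investigation is required.
SAMPLE_SHOW_UDP = """\
Router> show udp
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
 17      0.0.0.0     0         --any--     18999   0   0    11   0
 17      0.0.0.0     0         --any--     67      0   0    11   0
"""

# Constructed sample of a running config carrying the advisory's first workaround.
SAMPLE_CONFIG = """\
access-list 199 deny ip any any fragments
access-list 199 permit udp any any eq 18999
class-map match-all undesireable-udp
 match access-group 199
policy-map drop-udp
 class undesireable-udp
  drop
control-plane
 service-policy input drop-udp
"""

def udp_listeners(show_udp_output):
    """Parse the data rows of IOS 'show udp' into dicts (header/prompt lines are skipped)."""
    rows = []
    for line in show_udp_output.splitlines():
        fields = line.split()
        # Data rows begin with the IP protocol number (17 = UDP) and have at least
        # Proto, Remote, Port, Local, Port columns.
        if len(fields) < 5 or fields[0] != "17":
            continue
        rows.append({"remote": fields[1], "remote_port": int(fields[2]),
                     "local": fields[3], "local_port": int(fields[4])})
    return rows

def listening_on_advisory_port(show_udp_output):
    """True if any UDP socket has local port 18999, i.e. the advisory's trigger condition."""
    return any(r["local_port"] == ADVISORY_PORT for r in udp_listeners(show_udp_output))

# Each pattern is one element of the workaround: classification ACL, a class that is
# dropped (directly or via a police action that drops everything), and the policy
# attached inbound on the control plane. Multi-line patterns rely on IOS indentation.
WORKAROUND_CHECKS = {
    "acl_classifies_port": r"^access-list \d+ permit udp any any eq 18999$",
    "class_dropped": r"^ class \S+\n  (drop|police rate \d+ conform-action drop exceed-action drop violate-action drop)$",
    "control_plane_policy": r"^control-plane\n service-policy input \S+$",
}

def copp_workaround_present(running_config):
    """Map each workaround element to whether it was found in the running config."""
    return {name: re.search(pat, running_config, re.M) is not None
            for name, pat in WORKAROUND_CHECKS.items()}
```

A device where listening_on_advisory_port() is true and any value in copp_workaround_present() is false is exposed until it is upgraded or the policy is applied.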
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 3 score. The Base CVSS score as of the time of evaluation is 9.8: https://tools.cisco.com/security/center/cvssCalculator.x?version=3.0&vector=CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X CVE ID CVE-2018-0151 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html