Published on: 23 March 2017
Cisco has released 5 security advisories fixing a number of vulnerabilities in Cisco IOS and IOS XE software. An attacker could exploit the vulnerabilities by sending specially crafted DHCP packets, specially crafted L2TP packets, specially crafted HTTP parameters and excessive requests to an affected device.
The complete list of the affected versions can be found in the "Affected Products" section of individual Cisco Security Advisory available at:
01. Cisco IOS and IOS XE Software DHCP Client Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-dhcpc
02. Cisco IOS and IOS XE Software Layer 2 Tunneling Protocol Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-l2tp
03. Cisco IOS XE Software for Cisco ASR 920 Series Routers Zero Touch Provisioning Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-ztp
04. Cisco IOS XE Software HTTP Command Injection Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-xeci
05. Cisco IOS XE Software Web User Interface Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-webui
Depending on the vulnerability exploited, a successful attack could lead to arbitrary code execution, denial of service (DoS), reload or take control of a vulnerable device.
Patches for affected systems are now available. Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk. For detailed information of the available patches, please refer to the section "Fixed Software" of corresponding security advisory at vendor's website.
Users should contact their product support vendors for the fixes and assistance.
https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-60851
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-dhcpc
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-l2tp
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-xeci
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-ztp
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-webui
https://www.us-cert.gov/ncas/current-activity/2017/03/22/Cisco-Releases-Security-Updates
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3856 (to CVE-2017-3859)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3864