Published on: 28 September 2017
Cisco has released security advisories to address vulnerabilities in Cisco IOS and IOS XE software: an input validation flaw in the REST API, a buffer overflow in the DHCP relay subsystem and a permission setting flaw in the web UI. An unauthenticated remote attacker could exploit the first two vulnerabilities by sending a specially crafted malicious API request or DHCP Version 4 (DHCPv4) packet to the affected device, while an authenticated remote attacker could exploit the permission setting vulnerability by using the web UI to create a new user on an affected system.
A successful attack could lead to authentication bypass, arbitrary code execution, system reload, denial of service, privilege escalation and complete control of an affected system.
Patches for affected systems are now available. Users of affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk. For detailed information on the available patches, please refer to the "Fixed Software" section of the corresponding security advisory on the vendor's website.
Users should contact their product support vendors for the fixes and assistance.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-dhcp
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-privesc
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-restapi
https://www.us-cert.gov/ncas/current-activity/2017/09/27/Cisco-Releases-Security-Updates
https://www.hkcert.org/my_url/en/alert/17092801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12230
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12240