High Severity SNMP RCE Vulnerabilities in Cisco IOS and IOS XE Software Exploited in the Wild

April 18, 2023

Cisco has reported that multiple five-year-old, high-severity RCE vulnerabilities have been exploited in the wild. The vulnerabilities are in the SNMP (Simple Network Management Protocol) subsystem of Cisco’s IOS and IOS XE software.

The RCE Vulnerabilities

High Severity (CVSS score: 8.8) – The vulnerabilities are caused by a buffer overflow condition in the SNMP subsystem of the affected software. An unauthenticated, remote threat actor can exploit them in remote code execution (RCE) attacks.

Affected Products

The vulnerabilities affect all previous versions of Cisco IOS and IOS XE software, as well as all versions of SNMP: 1, 2c, and 3.

Mitigation

CYREBRO urges all clients to use the Cisco IOS Software Checker to check whether a release is affected by any published Cisco Security Advisory, and upgrade the products to the latest versions.

Workaround

It is recommended to allow only trusted users to have SNMP access and to monitor affected systems using the show snmp host command.

Mitigation can be done by disabling the following MIBs (Management Information Base) on a device:

  • ADSL-LINE-MIB
  • ALPS-MIB
  • CISCO-ADSL-DMT-LINE-MIB
  • CISCO-BSTUN-MIB
  • CISCO-MAC-AUTH-BYPASS-MIB
  • CISCO-SLB-EXT-MIB
  • CISCO-VOICE-DNIS-MIB
  • CISCO-VOICE-NUMBER-EXPANSION-MIB
  • TN3270E-RT-MIB

Use the snmp-server view global configuration command to create or update a view entry and disable the affected MIBs.
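One way to verify the workaround after it is applied, as an added example that is not part of the original advisory: a Python audit of the snmp-server lines in a saved running-config that flags any community string not bound to a view excluding the affected MIBs, or not limited by an access list. Assumptions: the subtree identifiers are placeholders to be replaced with the real ones for all nine listed MIBs, and the sample configuration and the function name audit_snmp are constructed for illustration.

```python
REQUIRED_EXCLUDES = {  # MIB name -> subtree identifier (PLACEHOLDERS, not real OIDs)
    "ADSL-LINE-MIB": "OID-PLACEHOLDER-ADSL",
    "ALPS-MIB": "OID-PLACEHOLDER-ALPS",
}

SAMPLE_CONFIG = """\
snmp-server view SAFE iso included
snmp-server view SAFE OID-PLACEHOLDER-ADSL excluded
snmp-server view SAFE OID-PLACEHOLDER-ALPS excluded
snmp-server view PARTIAL iso included
snmp-server view PARTIAL OID-PLACEHOLDER-ADSL excluded
snmp-server community constructed-ro-1 view SAFE RO 10
snmp-server community constructed-ro-2 view PARTIAL RO 10
snmp-server community constructed-ro-3 RO
"""  # constructed sample, not from a real device

def audit_snmp(config, required_excludes):
    """Return (line number, finding) pairs; community strings are never echoed."""
    excluded = {}      # view name -> subtrees marked "excluded"
    communities = []   # (line number, view name or None, has ACL)
    for n, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        if tok[:2] == ["snmp-server", "view"] and len(tok) >= 5:
            subtrees = excluded.setdefault(tok[2], set())
            if tok[4] == "excluded":
                subtrees.add(tok[3])
        elif tok[:2] == ["snmp-server", "community"] and len(tok) >= 3:
            opts, view = tok[3:], None
            if "view" in opts[:-1]:
                i = opts.index("view")
                view = opts[i + 1]
                del opts[i:i + 2]
            # Anything left besides RO/RW is treated as the access list.
            has_acl = any(o.upper() not in ("RO", "RW") for o in opts)
            communities.append((n, view, has_acl))
    findings = []
    for n, view, has_acl in communities:
        if not has_acl:
            findings.append((n, "no access list limits who may query"))
        if view is None:
            findings.append((n, "no view bound, every MIB is reachable"))
            continue
        missing = sorted(m for m, o in required_excludes.items() if o not in excluded.get(view, ()))
        if missing:
            findings.append((n, "view %s does not exclude: %s" % (view, ", ".join(missing))))
    return findings

if __name__ == "__main__":
    for n, msg in audit_snmp(SAMPLE_CONFIG, REQUIRED_EXCLUDES):
        print("line %d: %s" % (n, msg))
```

Findings are reported by configuration line number so that community strings do not end up in audit output.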

References: Cisco Advisory.
