CVE-2017-12236
published 2017-09-29


Priority: P266 (critical)
CVSS 3.0 base score: 9.8
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 3.12% (86.2 percentile)
A vulnerability in the implementation of the Locator/ID Separation Protocol (LISP) in Cisco IOS XE 3.2 through 16.5 could allow an unauthenticated, remote attacker using an x tunnel router to bypass authentication checks performed when registering an Endpoint Identifier (EID) to a Routing Locator (RLOC) in the map server/map resolver (MS/MR). The vulnerability is due to a logic error introduced via a code regression for the affected software. An attacker could exploit this vulnerability by sending specific valid map-registration requests, which will be accepted by the MS/MR even if the authentication keys do not match, to the affected software. A successful exploit could allow the attacker to inject invalid mappings of EIDs to RLOCs in the MS/MR of the affected software. This vulnerability affects Cisco devices that are configured with LISP acting as an IPv4 or IPv6 map server. This vulnerability affects Cisco IOS XE Software release trains 3.9E and Everest 16.4. Cisco Bug IDs: CSCvc18008.

Affected

4 ranges

Vendor   Product   Version range         Fixed in
cisco    ios_xe    (not captured)        (not captured)
cisco    ios_xe    (not captured)        (not captured)
cisco    ios_xe    (not captured)        (not captured)
cisco    ios_xe    (not captured)        (not captured)

Detection & IOCs (extracted from sources)

  • Detect unauthenticated LISP map-registration requests sent to a map server/map resolver (MS/MR) where authentication keys do not match but the request is accepted — indicative of CVE-2017-12236 exploitation
  • Monitor for unexpected or invalid EID-to-RLOC mapping injections in the LISP map server/map resolver, which may indicate successful exploitation of the authentication bypass
  • Focus detection on Cisco IOS XE devices configured as LISP IPv4 or IPv6 map servers running release trains 3.9E or Everest 16.4, as these are the confirmed vulnerable versions
  • Flag LISP map-registration traffic originating from an 'x tunnel router' (xTR) that successfully registers EID-RLOC mappings despite mismatched authentication credentials
  • Vulnerability is only exploitable on Cisco IOS XE devices explicitly configured with LISP in the map server/map resolver (MS/MR) role for IPv4 or IPv6; devices not running LISP or not acting as MS/MR are not affected
  • The vulnerability is scoped to IOS XE release trains 3.9E and Everest 16.4 specifically; other release trains within the broader 3.2–16.5 range may not be affected
  • There are no workarounds available for this vulnerability; mitigation requires applying Cisco's software updates
  • The root cause is a logic error introduced by a code regression, meaning the flaw is specific to the affected release trains and not a fundamental LISP protocol weakness

CVSS provenance

NVD (CVSS v3.0): 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
Vendor (Cisco): 8.3 HIGH