⚠ Actively exploited
Added to CISA KEV on 2022-03-03. Federal agencies required to patch by 2022-03-24. Required action: Apply updates per vendor instructions..

CVE-2017-12237Uncontrolled Resource Consumption in Cisco IOS

CWE-399CWE-400Uncontrolled Resource Consumption6 documents6 sources
Severity
7.5HIGHNVD
EPSS
5.3%
top 9.95%
CISA KEV
KEV
Added 2022-03-03
Due 2022-03-24
Exploit
Exploited in wild
Active exploitation observed
Affected products
2
Cisco IOSCisco IOS XE
Timeline
PublishedSep 29
KEV addedMar 3
KEV dueMar 24
Latest updateMay 13
CISA Required Action: Apply updates per vendor instructions.

Description

A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS 15.0 through 15.6 and Cisco IOS XE 3.5 through 16.5 could allow an unauthenticated, remote attacker to cause high CPU utilization, traceback messages, or a reload of an affected device that leads to a denial of service (DoS) condition. The vulnerability is due to how an affected device processes certain IKEv2 packets. An attacker could exploit this vulnerability by sending specific IKEv2 packets to an affected dev

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDcisco/ios15.015.6
NVDcisco/ios_xe3.5.0e16.5

🔴Vulnerability Details

3
GHSA
GHSA-pcwh-xxqr-qw2j: A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS 152022-05-13
CVEList
CVE-2017-12237: A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS 152017-09-28
VulnCheck
Cisco IOS and IOS XE Software Internet Key Exchange Denial-of-Service Vulnerability2017

📋Vendor Advisories

2
CISA
Cisco IOS and IOS XE Software Internet Key Exchange Denial-of-Service Vulnerability2022-03-03
Cisco
Cisco IOS and IOS XE Software Internet Key Exchange Denial of Service Vulnerability2017-09-27
CVE-2017-12237 — Uncontrolled Resource Consumption | cvebase