⚠ Actively exploited

Added to CISA KEV on 2022-03-03. Federal agencies required to patch by 2022-03-17. Required action: Apply updates per vendor instructions..

CVE-2018-0155 — Improper Handling of Exceptional Conditions in Cisco IOS

CWE-388 CWE-755 — Improper Handling of Exceptional Conditions6 documents6 sources

Severity

8.6HIGHNVD

EPSS

14.5%

top 5.53%

CISA KEV

KEV

Added 2022-03-03

Due 2022-03-17

Exploit

Exploited in wild

Active exploitation observed

Affected products

Cisco IOS Cisco IOS XE

Timeline

PublishedMar 28

KEV addedMar 3

KEV dueMar 17

Latest updateMay 13

CISA Required Action: Apply updates per vendor instructions.

Description

A vulnerability in the Bidirectional Forwarding Detection (BFD) offload implementation of Cisco Catalyst 4500 Series Switches and Cisco Catalyst 4500-X Series Switches could allow an unauthenticated, remote attacker to cause a crash of the iosd process, causing a denial of service (DoS) condition. The vulnerability is due to insufficient error handling when the BFD header in a BFD packet is incomplete. An attacker could exploit this vulnerability by sending a crafted BFD message to or across an …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:HExploitability: 3.9 | Impact: 4.0

Affected Packages2 packages

▶NVDcisco/ios3.6\(2\)e

▶NVDcisco/ios_xe3.6\(2\)e

🔴Vulnerability Details

GHSA

GHSA-qmg7-32mc-92p9: A vulnerability in the Bidirectional Forwarding Detection (BFD) offload implementation of Cisco Catalyst 4500 Series Switches and Cisco Catalyst 4500-↗2022-05-13

▶

CVEList

CVE-2018-0155: A vulnerability in the Bidirectional Forwarding Detection (BFD) offload implementation of Cisco Catalyst 4500 Series Switches and Cisco Catalyst 4500-↗2018-03-28

▶

VulnCheck

Cisco Catalyst Bidirectional Forwarding Detection Denial-of-Service Vulnerability↗2018

▶

📋Vendor Advisories

CISA

Cisco Catalyst Bidirectional Forwarding Detection Denial-of-Service Vulnerability↗2022-03-03

▶

Cisco

Cisco IOS and IOS XE Software Bidirectional Forwarding Detection Denial of Service Vulnerability↗2018-03-28

▶