⚠ Actively exploited
Added to CISA KEV on 2022-03-03. Federal agencies required to patch by 2022-03-17. Required action: Apply updates per vendor instructions.

CVE-2018-0175: Improper Restriction of Operations within the Bounds of a Memory Buffer in Cisco IOS

Severity: 8.0 HIGH (NVD)
EPSS: 2.9% (top 13.58%)
CISA KEV: yes; added 2022-03-03, due 2022-03-17
Exploit: exploited in the wild; active exploitation observed

Timeline
  Published: Mar 28 (2018-03-28)
  KEV added: Mar 3 (2022-03-03)
  KEV due: Mar 17 (2022-03-17)
  Latest update: May 13 (2022-05-13)

CISA Required Action: Apply updates per vendor instructions.

Description

Format String vulnerability in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges on an affected device. Cisco Bug IDs: CSCvd73664.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Exploitability: 2.1 | Impact: 5.9)

Affected Packages (3 packages)

NVD: cisco/ios 15.2(4a)ea5 (+3 more)
NVD: cisco/ios_xe 15.2(4a)ea5 (+3 more)
NVD: cisco/ios_xr 15.4(3)m4.1

🔴 Vulnerability Details (3)

GHSA
GHSA-f6hc-7357-x73w: Format String vulnerability in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Softw… (2022-05-13)
CVEList
CVE-2018-0175: Format String vulnerability in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Softw… (2018-03-28)
VulnCheck
Cisco IOS, XR, and XE Software Buffer Overflow Vulnerability (2018)

📋 Vendor Advisories (2)

CISA
Cisco IOS, XR, and XE Software Buffer Overflow Vulnerability (2022-03-03)
Cisco
Cisco IOS, IOS XE, and IOS XR Software Link Layer Discovery Protocol Buffer Overflow Vulnerabilities (2018-03-28)
CVE-2018-0175 — Cisco IOS vulnerability | cvebase