Cisco Bug: CSCuo17183 - Link Layer Discovery Protocol Buffer Overflow Vulnerability

Last Modified

Oct 22, 2020

Products (1)

  • Cisco ASR 9000 Series Aggregation Services Routers

Known Affected Releases

5.2.0.BASE

Description (partial)

Symptom:
A vulnerability in the Link Layer Discovery Protocol (LLDP) feature of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an adjacent, unauthenticated attacker to create a DoS condition or execute arbitrary code with elevated privileges.

The vulnerability exists due to improper error handling of malformed LLDP messages. An attacker that is directly connected to an interface of the affected device could exploit this vulnerability by submitting an LLDP protocol data unit (PDU) that is designed to trigger the issue. If successful, an exploitable buffer overflow condition may occur that could result in a DoS condition or the attacker gaining the ability to execute arbitrary code with elevated privileges.
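
As an added illustration (not Cisco's code, and not a reproduction of the specific flaw, which the advisory does not detail), the C function below shows the bounds and ordering checks an LLDP receiver can apply before trusting the length fields of a received PDU. The TLV layout and type numbers follow IEEE 802.1AB; the function name, result codes, sample bytes, and the strict requirement for an End of LLDPDU TLV are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes (illustrative names, not from any Cisco code). */
enum { LLDP_OK = 0, LLDP_TRUNCATED = -1, LLDP_BAD_ORDER = -2,
       LLDP_BAD_LENGTH = -3, LLDP_NO_END = -4 };

/* Validate the TLV chain of an LLDPDU (the bytes after EtherType 0x88cc).
 * Each TLV header is 16 bits: 7-bit type, then 9-bit length. */
int lldp_validate(const uint8_t *pdu, size_t len)
{
    size_t off = 0;
    unsigned index = 0;                   /* position of the TLV in the PDU */
    while (off < len) {
        if (len - off < 2)
            return LLDP_TRUNCATED;        /* header itself is cut short */
        unsigned type = pdu[off] >> 1;
        size_t tlv_len = ((size_t)(pdu[off] & 1u) << 8) | pdu[off + 1];
        off += 2;
        if (tlv_len > len - off)          /* declared length vs. bytes left */
            return LLDP_TRUNCATED;
        /* Chassis ID (1), Port ID (2), TTL (3) come first, once each. */
        if (index < 3 ? type != index + 1 : (type >= 1 && type <= 3))
            return LLDP_BAD_ORDER;
        if ((type == 1 || type == 2) && (tlv_len < 2 || tlv_len > 256))
            return LLDP_BAD_LENGTH;       /* subtype byte + 1..255 ID bytes */
        if (type == 3 && tlv_len != 2)
            return LLDP_BAD_LENGTH;       /* TTL is a 16-bit value */
        if (type == 0)                    /* End of LLDPDU; padding may follow */
            return tlv_len == 0 ? LLDP_OK : LLDP_BAD_LENGTH;
        off += tlv_len;
        index++;
    }
    return LLDP_NO_END;   /* strict policy of this example: End TLV required */
}

/* Constructed samples, not captured traffic. */
static const uint8_t sample_ok[] = {
    0x02, 0x07, 0x04, 0, 1, 2, 3, 4, 5,  0x04, 0x02, 0x07, '1', /* Chassis, Port */
    0x06, 0x02, 0x00, 0x78,  0x00, 0x00 };                      /* TTL 120 s, End */
static const uint8_t sample_short[] = {          /* Port ID claims 511 bytes */
    0x02, 0x07, 0x04, 0, 1, 2, 3, 4, 5,  0x05, 0xff, 0x07, '1' };

int main(void)
{
    printf("%d %d\n", lldp_validate(sample_ok, sizeof sample_ok),
           lldp_validate(sample_short, sizeof sample_short));
    return 0;
}
```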

The Common Vulnerabilities and Exposures (CVE) ID for this vulnerability is: CVE-2018-0167

The Security Impact Rating (SIR) for this vulnerability is: High

This advisory is part of the March 28, 2018, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 20 Cisco Security Advisories that describe 22 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp

Conditions:
Devices running an affected version of Cisco IOS, Cisco IOS XE, or Cisco IOS XR software with the LLDP feature enabled.

To determine whether a release is affected by any published Cisco Security Advisory, use the Cisco IOS Software Checker on Cisco.com at the following link: https://tools.cisco.com/security/center/softwarechecker.x