CVE-2017-3873

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in the Plug-and-Play (PnP) subsystem of the Cisco Aironet 1800, 2800, and 3800 Series Access Points running a Lightweight Access Point (AP) or Mobility Express image could allow an unauthenticated, adjacent attacker to execute arbitrary code with root privileges. The vulnerability is due to insufficient validation of PnP server responses. The PnP feature is only active while the device does not contain a configuration, such as a first time boot or after a factory reset has been issued. An attacker with the ability to respond to PnP configuration requests from the affected device can exploit the vulnerability by returning malicious PnP responses. If a Cisco Application Policy Infrastructure Controller - Enterprise Module (APIC-EM) is available on the network, the attacker would need to exploit the issue in the short window before a valid PnP response was received. If successful, the attacker could gain the ability to execute arbitrary code with root privileges on the underlying operating system of the device. Cisco has confirmed that the only vulnerable software version is 8.3.102.0. Cisco Bug IDs: CSCvb42386.

Una vulnerabilidad en el subsistema Plug-and-Play (PnP) de los Puntos de Acceso Aironet 1800, 2800, y 3800 Series de Cisco que ejecutan una imagen de Lightweight Access Point (AP) o Mobility Express, podría permitir que un atacante adyacente no autenticado ejecute código arbitrario con privilegios root. La vulnerabilidad es debido a la comprobación insuficiente de las respuestas del servidor PnP. La funcionalidad PnP solo está activa mientras que el dispositivo no contenga una configuración, como un arranque por primera vez o después de que se haya emitido un restablecimiento de fábrica. Un atacante con la capacidad de responder a las peticiones de configuración PnP desde el dispositivo afectado puede explotar la vulnerabilidad mediante la devolución de respuestas PnP maliciosas. Si un Application Policy Infrastructure Controller - Enterprise Module (APIC-EM) de Cisco está disponible en la red, el atacante necesitaría explotar el problema en la ventana corta antes de que se recibiera una respuesta válida PnP. Si tiene éxito, el atacante podría conseguir la capacidad de ejecutar código arbitrario con privilegios root en el sistema operativo subyacente del dispositivo. Cisco ha confirmado que la única versión de software vulnerable es 8.3.102.0. ID de bug de Cisco: CSCvb42386.

*Credits: N/A

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Adjacent

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-12-21 CVE Reserved
2017-05-16 CVE Published
2023-03-07 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (3)

URL	Tag	Source
http://www.securityfocus.com/bid/98296	Third Party Advisory
http://www.securitytracker.com/id/1038394	Vdb Entry

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170503-cme	2017-07-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"	Aironet Access Point Firmware Search vendor "Cisco" for product "Aironet Access Point Firmware"	8.3_102.0 Search vendor "Cisco" for product "Aironet Access Point Firmware" and version "8.3_102.0"	-	Affected	in	Cisco Search vendor "Cisco"	Aironet 1830e Search vendor "Cisco" for product "Aironet 1830e"	-	-	Safe
Cisco Search vendor "Cisco"	Aironet Access Point Firmware Search vendor "Cisco" for product "Aironet Access Point Firmware"	8.3_102.0 Search vendor "Cisco" for product "Aironet Access Point Firmware" and version "8.3_102.0"	-	Affected	in	Cisco Search vendor "Cisco"	Aironet 1830i Search vendor "Cisco" for product "Aironet 1830i"	-	-	Safe
Cisco Search vendor "Cisco"	Aironet Access Point Firmware Search vendor "Cisco" for product "Aironet Access Point Firmware"	8.3_102.0 Search vendor "Cisco" for product "Aironet Access Point Firmware" and version "8.3_102.0"	-	Affected	in	Cisco Search vendor "Cisco"	Aironet 1850e Search vendor "Cisco" for product "Aironet 1850e"	-	-	Safe
Cisco Search vendor "Cisco"	Aironet Access Point Firmware Search vendor "Cisco" for product "Aironet Access Point Firmware"	8.3_102.0 Search vendor "Cisco" for product "Aironet Access Point Firmware" and version "8.3_102.0"	-	Affected	in	Cisco Search vendor "Cisco"	Aironet 1850i Search vendor "Cisco" for product "Aironet 1850i"	-	-	Safe
Cisco Search vendor "Cisco"	Aironet Access Point Firmware Search vendor "Cisco" for product "Aironet Access Point Firmware"	8.3_102.0 Search vendor "Cisco" for product "Aironet Access Point Firmware" and version "8.3_102.0"	-	Affected	in	Cisco Search vendor "Cisco"	Aironet 2800e Search vendor "Cisco" for product "Aironet 2800e"	-	-	Safe
Cisco Search vendor "Cisco"	Aironet Access Point Firmware Search vendor "Cisco" for product "Aironet Access Point Firmware"	8.3_102.0 Search vendor "Cisco" for product "Aironet Access Point Firmware" and version "8.3_102.0"	-	Affected	in	Cisco Search vendor "Cisco"	Aironet 2800i Search vendor "Cisco" for product "Aironet 2800i"	-	-	Safe
Cisco Search vendor "Cisco"	Aironet Access Point Firmware Search vendor "Cisco" for product "Aironet Access Point Firmware"	8.3_102.0 Search vendor "Cisco" for product "Aironet Access Point Firmware" and version "8.3_102.0"	-	Affected	in	Cisco Search vendor "Cisco"	Aironet 3800e Search vendor "Cisco" for product "Aironet 3800e"	-	-	Safe
Cisco Search vendor "Cisco"	Aironet Access Point Firmware Search vendor "Cisco" for product "Aironet Access Point Firmware"	8.3_102.0 Search vendor "Cisco" for product "Aironet Access Point Firmware" and version "8.3_102.0"	-	Affected	in	Cisco Search vendor "Cisco"	Aironet 3800i Search vendor "Cisco" for product "Aironet 3800i"	-	-	Safe
Cisco Search vendor "Cisco"	Aironet Access Point Firmware Search vendor "Cisco" for product "Aironet Access Point Firmware"	8.3_102.0 Search vendor "Cisco" for product "Aironet Access Point Firmware" and version "8.3_102.0"	-	Affected	in	Cisco Search vendor "Cisco"	Aironet 3800p Search vendor "Cisco" for product "Aironet 3800p"	-	-	Safe