A Cisco internal investigation has discovered a vulnerability in the Cluster Management Protocol code for Cisco IOS and IOS XE that could lead to two remote execution issues on dozens of Cisco products running that software.
The investigation was prompted by the Wikileaks Vault 7 data dump earlier this month, wrote Cisco researcher Omar Santos. The company found that the way the Cluster Management Protocol (CMP) processes Telnet traffic could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.
Cisco wrote in a security advisory that the flaws stem from two causes: affected devices fail to restrict CMP-specific Telnet options to internal, local communication between cluster members, instead accepting and processing those options over any Telnet connection to the device; and they incorrectly process malformed CMP-specific Telnet options.
“An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device,” the advisory warned.
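As an added example (not code from Cisco's advisory or from this article), the following Python audit sketches the origin check the advisory describes as missing: it parses Telnet option negotiations from a captured session and flags CMP-specific options that arrive from any peer that is not a cluster member, as well as truncated subnegotiations of that option. The CMP option number, the cluster membership and the session bytes are assumptions constructed for illustration.

```python
import ipaddress

IAC, SB, SE, WILL, WONT, DO, DONT = 255, 250, 240, 251, 252, 253, 254
# The article does not give the number of the CMP-specific Telnet option;
# this value is a placeholder assumption used only to make the example run.
CMP_OPTION = 0xEE
CLUSTER_MEMBERS = {ipaddress.ip_address("10.0.0.2"),  # assumed cluster peers
                   ipaddress.ip_address("10.0.0.3")}


def parse_telnet_options(stream: bytes):
    """Yield (command, option, payload); command is None for a truncated IAC SB."""
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC or i + 1 >= n:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd == IAC:                      # escaped literal 0xFF data byte
            i += 2
        elif cmd in (WILL, WONT, DO, DONT) and i + 2 < n:
            yield cmd, stream[i + 2], b""
            i += 3
        elif cmd == SB and i + 2 < n:       # subnegotiation: IAC SB opt ... IAC SE
            option, payload, j = stream[i + 2], bytearray(), i + 3
            while j < n:
                if stream[j] == IAC and j + 1 < n and stream[j + 1] == SE:
                    break
                if stream[j] == IAC and j + 1 < n and stream[j + 1] == IAC:
                    payload.append(IAC); j += 2
                else:
                    payload.append(stream[j]); j += 1
            if j >= n:                      # ran off the end: malformed subnegotiation
                yield None, option, bytes(payload)
                return
            yield SB, option, bytes(payload)
            i = j + 2
        else:
            i += 2


def audit_session(peer: str, stream: bytes) -> list:
    """Flag CMP options from non-cluster peers and malformed CMP subnegotiations."""
    findings, member = [], ipaddress.ip_address(peer) in CLUSTER_MEMBERS
    for cmd, option, _ in parse_telnet_options(stream):
        if option != CMP_OPTION:
            continue
        if not member:
            findings.append("cmp-option-from-non-cluster-peer")
        if cmd is None:
            findings.append("malformed-cmp-subnegotiation")
    return findings
```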
There is no workaround currently available, but Cisco plans to release updates patching the problems. The company did not specify when this would happen.