Vulnerability Details : CVE-2018-0156
A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted packet to an affected device on TCP port 4786. Only Smart Install client switches are affected. Cisco devices that are configured as a Smart Install director are not affected by this vulnerability. Cisco Bug IDs: CSCvd40673.
Vulnerability category: Denial of service
Products affected by CVE-2018-0156
- cpe:2.3:o:cisco:ios:15.2\(2a\)ja:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:ios:15.2\(2\)e4:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:ios_xe:15.2\(2\)e4:*:*:*:*:*:*:*
- cpe:2.3:o:cisco:ios_xe:15.2\(2a\)ja:*:*:*:*:*:*:*
Max 200 conditions are displayed on this page, to prevent potential performance issues,
please refer to NVD for more details.
CVE-2018-0156 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Cisco IOS Software and Cisco IOS XE Software Smart Install Denial-of-Service Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial-of-service (DoS) condition.
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2018-0156
Added on
2022-03-03
Action due date
2022-03-17
Exploit prediction scoring system (EPSS) score for CVE-2018-0156
16.46%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 94 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-0156
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.8
|
HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C |
10.0
|
6.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2018-0156
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
-
Assigned by:
- psirt@cisco.com (Secondary)
- ykramarz@cisco.com (Secondary)
References for CVE-2018-0156
-
http://www.securityfocus.com/bid/103569
Cisco IOS and IOS XE Software CVE-2018-0156 Denial of Service VulnerabilityThird Party Advisory;VDB Entry
-
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi
Cisco IOS and IOS XE Software Smart Install Denial of Service VulnerabilityVendor Advisory
-
https://ics-cert.us-cert.gov/advisories/ICSA-18-107-04
Rockwell Automation Stratix and ArmorStratix Switches | CISAThird Party Advisory;US Government Resource
-
http://www.securitytracker.com/id/1040596
Cisco IOS/IOS XE Smart Install Input Validation Flaw Lets Remote Users Cause the Target System to Reload - SecurityTrackerThird Party Advisory;VDB Entry
-
https://ics-cert.us-cert.gov/advisories/ICSA-18-107-05
Rockwell Automation Stratix Industrial Managed Ethernet Switch | CISAThird Party Advisory;US Government Resource
Jump to