
Cisco IOS and IOS XE Software DHCP Remote Code Execution Vulnerability [CVE-2017-12240]

CVE number = CVE-2017-12240

The DHCP relay subsystem of Cisco IOS and Cisco IOS XE Software contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code and gain full control of an affected system.

The attacker could also cause an affected system to reload, resulting in a denial of service (DoS) condition.

The vulnerability is due to a buffer overflow condition in the DHCP relay subsystem of the affected software. An attacker could exploit this vulnerability by sending a crafted DHCP Version 4 (DHCPv4) packet to an affected system.

A successful exploit could allow the attacker to execute arbitrary code and gain full control of the affected system or cause the affected system to reload, resulting in a DoS condition.

DHCP provides a framework for passing configuration information dynamically to hosts on a TCP/IP network. A DHCP client is an Internet host that uses DHCP to obtain configuration parameters such as an IP address. A DHCP server manages and assigns IP addresses from specified address pools to DHCP clients.

A DHCP relay agent is any host that forwards DHCP packets between clients and servers. It is used to forward requests and replies between clients and servers that are not on the same physical subnet. Relay-agent forwarding is distinct from the normal forwarding of an IP router, where IP datagrams are switched between networks somewhat transparently. In contrast, when a relay agent receives a DHCP message, the agent generates a new DHCP message to send through another interface. The relay agent sets the gateway IP address in the giaddr field of the DHCP packet, and, if configured, adds the relay agent information option (option 82) to the packet, and then forwards the packet to the DHCP server. The relay agent subsequently receives the reply from the server and forwards the reply to the client, after removing option 82 from the reply.
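The relay behaviour described above, as an added Python example (not code from Cisco or from this post): it sets giaddr, appends option 82 on the way to the server, strips it from the reply, and rejects any option whose length byte runs past the end of the packet. The advisory does not say which field triggers the overflow, so the length check only illustrates the validation any DHCPv4 option parser needs; the sample packet, the circuit ID sub-option and all function names are constructed for illustration.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options
FIXED = 236                  # length of the fixed BOOTP header
OPT_PAD, OPT_RELAY_INFO, OPT_END = 0, 82, 255

def parse_options(pkt):
    """Walk the option TLVs, refusing any length that runs past the packet."""
    if len(pkt) < FIXED + 4 or pkt[FIXED:FIXED + 4] != MAGIC:
        raise ValueError("truncated packet or missing magic cookie")
    opts, i = [], FIXED + 4
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("option %d overruns the packet" % code)
        length = pkt[i + 1]
        opts.append((code, pkt[i + 2:i + 2 + length]))
        i += 2 + length
    raise ValueError("options not terminated by the end option")

def build(header, opts):
    """Re-encode options; bytes() raises ValueError if a length exceeds 255."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in opts)
    return bytes(header) + MAGIC + body + bytes([OPT_END])

def relay_to_server(pkt, giaddr, circuit_id):
    """Client to server: fill giaddr if unset, then append option 82."""
    opts = parse_options(pkt)
    header = bytearray(pkt[:FIXED])
    if header[24:28] == b"\x00" * 4:  # giaddr sits at offset 24
        header[24:28] = socket.inet_aton(giaddr)
    # Assumption: option 82 carries only sub-option 1 (agent circuit ID).
    opts.append((OPT_RELAY_INFO, bytes([1, len(circuit_id)]) + circuit_id))
    return build(header, opts)

def relay_to_client(pkt):
    """Server to client: drop option 82 before forwarding the reply."""
    opts = [o for o in parse_options(pkt) if o[0] != OPT_RELAY_INFO]
    return build(pkt[:FIXED], opts)

def sample_discover():
    """Constructed DHCPDISCOVER: zero giaddr, one option (53 = message type)."""
    header = struct.pack("!BBBB8x16x16s192x", 1, 1, 6, 0, b"\x02\x00\x00\x00\x00\x01")
    return build(header, [(53, b"\x01")])
```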

The vulnerability described in this security advisory is due to a buffer overflow condition in the DHCP relay subsystem of the affected software. To exploit this vulnerability, the attacker would need to send a crafted DHCPv4 packet to a system that is running a vulnerable release of Cisco IOS or Cisco IOS XE Software and is configured as a DHCP relay agent. This vulnerability can be exploited only by DHCPv4 packets that are directed to an affected system. It cannot be exploited via DHCP Version 6 (DHCPv6) packets.

If successful, the attacker could execute arbitrary code and gain full control of the affected system. The attacker could also cause the affected system to reload, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability.

There are no workarounds that address this vulnerability.

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security and a wide range of other skills in radio, electronics and telecommunications.
