Symptom
A vulnerability in Layer 2 Tunneling Protocol (L2TP) parsing function of Cisco IOS and Cisco IOS XE software could allow an unauthenticated,
remote attacker to cause the device to reload.
The vulnerability is due to insufficient validation of an L2TP packet. An attacker could exploit this vulnerability by sending a specifically
malformed L2TP packet to the affected device.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-l2tp
This advisory is part of the March 22, 2017, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes
five Cisco Security Advisories that describe five vulnerabilities. All the vulnerabilities have a Security Impact Rating of High. For a complete
list of the advisories and links to them, see Cisco Event Response: March 2017 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
Publication at the following link http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-60851
Conditions
This vulnerability affects Cisco devices that are running a vulnerable release of a Cisco IOS or IOS XE Software. See the advisory for more
information.
Please see the Cisco IOS XE Software Checker:
http://tools.cisco.com/security/center/selectIOSVersion.x
Workaround
Configuring an Access Control List that only allows L2TP packets from trusted hosts can avoid this vulnerability.
Further Problem Description
Cisco has confirmed that this vulnerability does not affect Cisco IOS XR Software, or Cisco NX-OS Software.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 3 score. The Base CVSS score as of the time of evaluation is 8.6:
https://tools.cisco.com/security/center/cvssCalculator.x?version=3.0&vector=CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
CVE ID CVE-2017-3857 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
