製品・ソフトウェアに関する情報

JVN脆弱性詳細

Cisco IOS および Cisco IOS XE の Layer 2 Tunneling Protocol の構文解析機能におけるリソース管理に関する脆弱性

Title	Cisco IOS および Cisco IOS XE の Layer 2 Tunneling Protocol の構文解析機能におけるリソース管理に関する脆弱性
Summary	Cisco IOS および Cisco IOS XE の Layer 2 Tunneling Protocol (L2TP) の構文解析機能には、リソース管理に関する脆弱性が存在します。ベンダは、本脆弱性を Bug ID CSCuy82078 として公開しています。
Possible impacts	サービス運用妨害 (DoS) 攻撃が行われる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 22, 2017, midnight
Registration Date	April 26, 2017, 5:54 p.m.
Last Update	April 26, 2017, 5:54 p.m.

Affected System

シスコシステムズ

Cisco IOS

Cisco IOS XE

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-3857	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3857
National Vulnerability Database (NVD)
2	CVE-2017-3857	https://nvd.nist.gov/vuln/detail/CVE-2017-3857

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-399	https://jvndb.jvn.jp/ja/cwe/CWE-399.html

ベンダー情報

No	Name	URL
Cisco Security Advisory
1	cisco-sa-20170322-l2tp	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-l2tp

Change Log

No	Changed Details	Date of change
0	[2017年04月26日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2017-3857

Summary	A vulnerability in the Layer 2 Tunneling Protocol (L2TP) parsing function of Cisco IOS (12.0 through 12.4 and 15.0 through 15.6) and Cisco IOS XE (3.1 through 3.18) could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to insufficient validation of L2TP packets. An attacker could exploit this vulnerability by sending a crafted L2TP packet to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS or Cisco IOS XE Software if the L2TP feature is enabled for the device and the device is configured as an L2TP Version 2 (L2TPv2) or L2TP Version 3 (L2TPv3) endpoint. By default, the L2TP feature is not enabled. Cisco Bug IDs: CSCuy82078.
Publication Date	March 23, 2017, 4:59 a.m.
Registration Date	Jan. 26, 2021, 1:24 p.m.
Last Update	Nov. 21, 2024, 12:26 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	http://www.securityfocus.com/bid/97010	Third Party Advisory VDB Entry
2	http://www.securityfocus.com/bid/97010	Third Party Advisory VDB Entry
3	http://www.securitytracker.com/id/1038100	Third Party Advisory VDB Entry
4	http://www.securitytracker.com/id/1038100	Third Party Advisory VDB Entry
5	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-l2tp	VDB Entry
6	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-l2tp	VDB Entry

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-400	リソースの枯渇	https://cwe.mitre.org/data/definitions/400.html