PT-2017-12418 · Cisco · Cisco IOS XE +2

Published: 2017-09-27 · Updated: 2019-10-09 · CVE-2017-12228

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Cisco IOS versions 12.4 through 15.6
Cisco IOS XE versions 3.3 through 16.4

Description

A vulnerability in the Cisco Network Plug and Play application could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data by using an invalid certificate. The vulnerability is due to insufficient certificate validation by the affected software. An attacker could exploit this vulnerability by supplying a crafted certificate to an affected device. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt confidential information on user connections to the affected software.

Recommendations

For Cisco IOS versions 12.4 through 15.6, update to a fixed software version. For Cisco IOS XE versions 3.3 through 16.4, update to a fixed software version. As a general mitigation measure, ensure that all software updates are applied as soon as they become available, and consider implementing additional security measures to detect and prevent man-in-the-middle attacks.

Fix

RCE

Improper Certificate Validation

Weakness Enumeration

Related identifiers

CVE-2017-12228

Affected products

Cisco IOS
Cisco IOS XE
Cisco Network Plug/Play