CVE-2016-6385

Name of the Vulnerable Software and Affected Versions Cisco IOS versions 12.2 and 15.0 through 15.2 Cisco IOS XE versions 3.2 through 3.8

Description The Smart Install client feature in Cisco IOS and IOS XE Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a memory leak and eventual denial of service (DoS) condition on an affected device. The vulnerability is due to incorrect handling of image-list parameters. An attacker could exploit this vulnerability by sending crafted Smart Install packets to TCP port 4786. A successful exploit could cause a Cisco Catalyst switch to leak memory and eventually reload, resulting in a DoS condition.

Recommendations For Cisco IOS versions 12.2 and 15.0 through 15.2, update to a newer version that addresses this vulnerability. For Cisco IOS XE versions 3.2 through 3.8, update to a newer version that addresses this vulnerability. As a temporary workaround, consider disabling Smart Install functionality on the affected device until a patch is available.