CVE-2017-12238 — Cisco Catalyst 6800 Series Switches VPLS Denial-of-Service Vulnerability

CVE-2017-12238

Cisco Catalyst 6800 — VPLS Code Flaw Enables Adjacent-Network DoS; Data Center/Campus Core Switch Disruption; September 2017 Advisory Bundle

What Is Cisco Catalyst 6800?

Cisco Catalyst 6800 Series switches are high-performance, modular chassis switches used as campus core and data center aggregation switches in large enterprise and service provider environments. These switches carry high traffic volumes and are often single points of failure for large network segments. Virtual Private LAN Service (VPLS) is a Layer 2 VPN technology used on Catalyst 6800 switches to extend Ethernet LAN segments across WAN infrastructure, commonly used in service provider and enterprise MPLS networks. A DoS vulnerability on a Catalyst 6800 can disrupt connectivity for entire building floors or data center segments.

Overview

Actively Exploited. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2022; federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-12238 is a denial-of-service vulnerability in the Virtual Private LAN Service (VPLS) code of Cisco IOS for Catalyst 6800 Series switches. An unauthenticated attacker on an adjacent network can send crafted VPLS frames that cause the affected switch to reload, disrupting all traffic on connected network segments. The flaw was patched in the Cisco September 2017 advisory bundle. CISA added CVE-2017-12238 to the KEV catalog in March 2022 as part of a batch of Cisco IOS network infrastructure vulnerabilities with confirmed nation-state exploitation.

Affected Versions

Cisco Catalyst 6800 Series switches running IOS versions with VPLS enabled. Use cisco-sa-20170929-vpls and the Cisco IOS Software Checker for specific affected version identification.

Technical Details

Root Cause: VPLS Resource Management Error

CVE-2017-12238 is a resource management vulnerability (CWE-399) in the VPLS implementation on Cisco Catalyst 6800 switches running IOS. When processing crafted VPLS-related frames received from an adjacent network device, the VPLS code encounters a resource management error that causes a switch reload. The AV:A (Adjacent) attack vector requires the attacker to be able to send Layer 2 or Layer 3 frames directly to the switch — either from a connected device on the same physical network or from a compromised system with network access to the switch.

Attack Characteristics

Attribute       Detail
Attack Vector   Adjacent — same network segment or direct connectivity
Target          Cisco Catalyst 6800 Series switches with VPLS
Impact          Switch reload → segment-level network disruption

Exploitation Context

  • Core infrastructure disruption: Catalyst 6800 switches are deployed as core infrastructure; a reload disrupts connectivity for all downstream users and devices during the reload and reconvergence period
  • Nation-state network targeting: Consistent with the broader KEV batch context — the March 2022 addition reflects confirmed exploitation of Cisco network infrastructure by nation-state actors seeking to map, access, or disrupt US critical network infrastructure

Remediation

CISA BOD 22-01 Deadline: March 24, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Apply Cisco IOS security update — upgrade Catalyst 6800 switches to the fixed IOS versions identified in cisco-sa-20170929-vpls.

  2. Disable VPLS if not required — if VPLS is not actively used, disable the feature to eliminate this attack surface.

  3. Restrict physical and network access — limit which devices can connect to Catalyst 6800 switch ports; implement 802.1X authentication and port security on all access ports.

  4. Deploy redundant core switching — configure Catalyst 6800 switches in redundant pairs (with VSS or StackWise Virtual) so a single switch reload does not cause a complete network outage.
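Steps 2 and 3 above are the ones an operator can verify from a saved running-config. The script below is an added example (not from this page, Cisco, or CISA) that flags any VPLS instance still configured and any access port that lacks port security or 802.1X. The configuration text is constructed for illustration, and the matching is a line-based heuristic on the standard IOS keywords (`l2 vfi`, `l2vpn vfi context`, `xconnect vfi`, `switchport port-security`, `dot1x pae authenticator`, `authentication port-control auto`), not a full IOS parser.

```python
"""Audit a Catalyst 6800 running-config against the CVE-2017-12238 remediation list:
VPLS still configured (step 2) and access ports without 802.1X / port security (step 3).
Added example; SAMPLE_CONFIG is constructed and not taken from a real device."""
import re
from dataclasses import dataclass

# Lines that show a VPLS instance is configured (classic 'l2 vfi' and newer
# 'l2vpn vfi context' syntax) or that an SVI is bound to one with 'xconnect vfi'.
VPLS_PATTERNS = [
    re.compile(r"^l2 vfi \S+"),
    re.compile(r"^l2vpn vfi context \S+"),
    re.compile(r"^\s+xconnect vfi \S+"),
]


@dataclass
class Finding:
    check: str   # which remediation item the line fails
    detail: str  # offending config line or interface name


def split_interfaces(config: str) -> dict:
    """Return {interface name: [stripped body lines]} for every 'interface' block.
    Any unindented line (including '!') ends the current block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def audit(config: str) -> list:
    """Return one Finding per remediation gap found in the config text."""
    findings = []
    # Step 2: is VPLS configured at all? (hit = attack surface still present)
    for line in config.splitlines():
        if any(pat.search(line) for pat in VPLS_PATTERNS):
            findings.append(Finding("vpls-configured", line.strip()))
    # Step 3: every access port should carry port security and 802.1X
    for name, body in split_interfaces(config).items():
        if "switchport mode access" not in body:
            continue  # trunks, routed ports and SVIs are out of scope here
        if not any(l.startswith("switchport port-security") for l in body):
            findings.append(Finding("no-port-security", name))
        if not ("dot1x pae authenticator" in body
                and "authentication port-control auto" in body):
            findings.append(Finding("no-dot1x", name))
    return findings


# Constructed sample: one VPLS instance, one hardened access port, one bare access port.
SAMPLE_CONFIG = """\
hostname core-6807-1
!
l2 vfi CUST-A manual
 vpn id 100
 neighbor 192.0.2.10 encapsulation mpls
!
interface Vlan100
 xconnect vfi CUST-A
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 dot1x pae authenticator
 authentication port-control auto
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
!
interface TenGigabitEthernet2/0/1
 description uplink
 ip address 198.51.100.1 255.255.255.252
!
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.check:18} {f.detail}")
```

Run it against `show running-config` output saved per switch; a `vpls-configured` hit on a switch that does not need VPLS is the step 2 item, and each `no-port-security` / `no-dot1x` line is a port to bring under step 3.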

Key Details

Property              Value
CVE ID                CVE-2017-12238
Vendor / Product      Cisco — Catalyst 6800 Series Switches
NVD Published         2017-09-29
NVD Last Modified     2026-01-12
CVSS 3.1 Score        6.5
CVSS 3.1 Vector       CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity              MEDIUM
CWE                   CWE-399 — Resource Management Errors
CISA KEV Added        2022-03-03
CISA KEV Deadline     2022-03-24
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Adjacent
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       None
Integrity             None
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. Apply updates per vendor instructions.

Timeline

Date        Event
2017-09-27  Cisco releases September 2017 security advisory bundle patching CVE-2017-12238
2017-09-29  CVE-2017-12238 published by NVD
2022-03-03  Added to CISA Known Exploited Vulnerabilities catalog
2022-03-24  CISA BOD 22-01 remediation deadline

References

Resource                                         Type
NVD — CVE-2017-12238                             Vulnerability Database
CISA KEV Catalog Entry                           US Government
Cisco Security Advisory cisco-sa-20170929-vpls   Vendor Advisory