CVE-2017-6627 — Cisco IOS Software and Cisco IOS XE Software UDP Packet Processing Denial-of-Service Vulnerability

Cisco IOS and IOS XE — UDP Processing Input Queue Wedge Causes Interface Denial-of-Service; HIGH 7.5; Patched September 2017

What Is Cisco IOS UDP Processing?

Cisco IOS and IOS XE handle UDP traffic across all network interfaces. The UDP processing subsystem manages incoming UDP packets queued for delivery to processes or forwarded to their destination. A resource management error in this subsystem allows an attacker to wedge the input queue of a targeted interface by sending specially crafted UDP packets — causing the interface to stop processing traffic and effectively denying service on that interface.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2022; federal agencies are required to apply mitigations under BOD 22-01.

CVE-2017-6627 is a denial-of-service vulnerability in the UDP processing code of Cisco IOS and IOS XE. A remote, unauthenticated attacker can cause the input queue of an affected interface to fill with UDP packets — creating an interface queue wedge that causes the interface to stop processing normal traffic. Unlike a complete device reload, a queue wedge selectively denies service on the affected interface while the device may continue operating. Patched in cisco-sa-20170906-ios-udp (September 2017). CISA added CVE-2017-6627 to the KEV catalog in March 2022 as part of the Cisco IOS vulnerability batch.

Affected Versions

Cisco IOS and IOS XE software on devices processing UDP traffic. Use Cisco advisory cisco-sa-20170906-ios-udp and the Cisco IOS Software Checker for specific affected version identification.

Technical Details

Root Cause: UDP Input Queue Wedge

CVE-2017-6627 is a resource management error (CWE-399) in the IOS UDP processing code. When the router receives a crafted sequence of UDP packets, the input queue for the receiving interface enters a wedged state — packets accumulate in the queue but are not processed or released. The wedge persists until a device reload, causing the interface to drop all legitimate traffic during the wedge period.

Attack Vector: Network — specially crafted UDP packets
Authentication: None required
Impact: Interface queue wedge → denial of service on the affected interface
Recovery: Device reload required to clear the wedge

Exploitation Context

  • Infrastructure disruption: Selective interface denial-of-service on core routers can disrupt connectivity for all downstream hosts; in service provider environments, a single router interface wedge affects all customers on that segment
  • Nation-state infrastructure targeting: Added March 3, 2022 as part of the CISA campaign to address nation-state exploitation of Cisco infrastructure vulnerabilities
  • CISA KEV (2022): Added alongside other Cisco IOS DoS vulnerabilities from the September 2017 advisory batch

Remediation

CISA BOD 22-01 Deadline: March 24, 2022. Apply updates per vendor instructions.
  1. Apply Cisco IOS security update — upgrade to IOS/IOS XE versions patched per cisco-sa-20170906-ios-udp; use the Cisco Software Checker to identify the appropriate upgrade path for your device model and IOS train.

  2. Implement UDP rate limiting — configure interface-level rate limiting for UDP traffic to reduce the impact of UDP flooding and queue wedge attacks; Cisco IOS rate-limit commands on input interfaces can cap UDP traffic rates.

  3. Apply infrastructure ACLs — deploy infrastructure ACLs (iACLs) that permit only expected management protocols and block unexpected UDP traffic directed at router infrastructure addresses.
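As an added example (not from the Cisco advisory or this page), the following IOS configuration fragment combines steps 2 and 3: an infrastructure ACL that permits only expected management UDP (NTP and SNMP from an assumed management subnet) toward the router's own addresses and drops other UDP aimed at them, plus an MQC policer that caps the UDP the ACL still admits on the ingress interface. The interface name, the infrastructure block 192.0.2.0/24, the management subnet 198.51.100.0/24 and the 256 kbps rate are placeholder assumptions; adjust them to your network.

```cisco
! Added example configuration; addresses and interface names are placeholders.
! Infrastructure addresses (router loopbacks / link addresses): 192.0.2.0/24 (assumed)
! Management stations allowed to reach them: 198.51.100.0/24 (assumed)
!
! --- Step 3: infrastructure ACL (iACL) ---
ip access-list extended IACL-IN
 remark Expected management UDP to router addresses only
 permit udp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 eq ntp
 permit udp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 eq snmp
 remark Add further permits (syslog, RADIUS, DNS) only as your management design requires
 remark Drop any other UDP aimed at infrastructure addresses
 deny   udp any 192.0.2.0 0.0.0.255
 remark Transit traffic (not addressed to the router itself) is unaffected
 permit ip any any
!
! --- Step 2: police UDP toward infrastructure addresses on the ingress interface ---
ip access-list extended UDP-TO-INFRA
 permit udp any 192.0.2.0 0.0.0.255
!
class-map match-all CM-UDP-INFRA
 match access-group name UDP-TO-INFRA
!
policy-map PM-UDP-LIMIT
 class CM-UDP-INFRA
  police 256000 8000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/0
 description Untrusted-facing interface (assumed)
 ip access-group IACL-IN in
 service-policy input PM-UDP-LIMIT
```

Policing only bounds the volume of UDP that reaches the router; it does not on its own stop a wedge triggered by crafted packets that stay under the rate, so it complements the iACL and the software update rather than replacing them.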

Key Details

CVE ID: CVE-2017-6627
Vendor / Product: Cisco — IOS and IOS XE Software
NVD Published: 2017-09-07
NVD Last Modified: 2025-10-22
CVSS 3.1 Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH
CWE: CWE-399 — Resource Management Errors
CISA KEV Added: 2022-03-03
CISA KEV Deadline: 2022-03-24
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. Apply updates per vendor instructions.

Timeline

2017-09-06: Cisco releases advisory cisco-sa-20170906-ios-udp patching CVE-2017-6627
2017-09-07: CVE-2017-6627 published by NVD
2022-03-03: Added to CISA Known Exploited Vulnerabilities catalog
2022-03-24: CISA BOD 22-01 remediation deadline

References

NVD — CVE-2017-6627 (Vulnerability Database)
CISA KEV Catalog Entry (US Government)
Cisco Security Advisory cisco-sa-20170906-ios-udp (Vendor Advisory)