CVE-2017-3819: Privilege escalation vulnerability in the Cisco StarOS SSH subsystem that could allow an authenticated attacker with valid credentials to obtain an unrestricted root shell on affected Cisco ASR 5000/5500/5700 Series devices and Cisco Virtualized Packet Core systems.


Description Preview

CVE-2017-3819 describes a privilege escalation vulnerability in the Secure Shell (SSH) subsystem of Cisco StarOS. The flaw is missing input validation of parameters passed during SSH or SFTP login: an authenticated attacker with valid credentials can supply crafted input to the SSH or SFTP command-line interface (CLI) at login and obtain an unrestricted root shell on the device. Exploitation requires an established TCP connection to port 22 (the SSH default port) on the affected system and can be carried out over either IPv4 or IPv6. Affected products are Cisco ASR 5000/5500/5700 Series devices running StarOS releases after 17.7.0 and prior to the fixed releases, and Cisco Virtualized Packet Core (VPC-SI/VPC-DI) systems running StarOS prior to the fixed N-series builds. The CVE is classified as CWE-264 (Permissions, Privileges, and Access Controls). Cisco tracks the issue as Bug ID CSCva65853; the advisory cisco-sa-20170315-asr lists the affected products and versions.

Overview

This CVE is a privilege escalation flaw in the SSH subsystem of Cisco StarOS: a user who already holds valid login credentials can turn an ordinary SSH or SFTP login into full root access on the device. The root cause is insufficient validation of the parameters supplied during SSH or SFTP login, so crafted login input is processed in a way that elevates privileges. The attacker model is therefore an authenticated one (an insider, or anyone holding stolen or shared credentials), not an unauthenticated remote attacker; the attacker needs an SSH session to port 22 on the target, which can be established over IPv4 or IPv6. Affected products are Cisco ASR 5000/5500/5700 Series devices running specific StarOS releases, and Cisco Virtualized Packet Core (VPC-SI and VPC-DI) systems on StarOS builds prior to certain N-series revisions. Cisco tracks the issue as Bug ID CSCva65853.

Remediation

  • Upgrade to a fixed StarOS release for the affected product line:
    • For Cisco ASR 5000/5500/5700 Series running StarOS: move to 18.7.4 or later on the 18 train, or to the fixed release of the train in use (e.g., 19.5 or 20.2.3 and later, as applicable per release branch). Confirm the exact fixed release for your branch against the Cisco advisory before scheduling the upgrade.
    • For Cisco Virtualized Packet Core (VPC-SI/VPC-DI): upgrade to N4.2.7 (19.3.v7), N4.7 (20.2.v0), or a later build.
  • If an immediate upgrade is not possible, apply compensating controls:
    • Restrict SSH access to trusted management networks only (ACLs or firewall rules limiting source IPs to the management subnet).
    • Disable SFTP if it is not needed. SSH is normally the primary management path on these systems, so restrict it rather than disable it.
    • Because a valid account is a precondition for exploitation, minimise the set of accounts allowed to log in over SSH/SFTP, enforce strong and unique credentials, and rotate any credentials that may have been shared or exposed.
  • Validate patch status and configuration:
    • Verify that every device reports a fixed StarOS build as described in the Cisco advisory; an inventory check of version strings across all nodes catches the stragglers.
    • Confirm SSH-related parameters and access controls are still in place after the upgrade.
  • Monitor and detect:
    • Review SSH/SFTP login attempts, in particular logins from addresses outside the management network and logins followed by unexpected privileged activity.
    • Enable session auditing on SSH so that what an authenticated user did after login is recorded and can be reviewed.
  • After patching:
    • Confirm that SSH/SFTP login still works for operational accounts and that the running image reports a fixed version.
    • Periodically check for new Cisco advisories or updated fixed versions.
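The "Validate patch status" step above amounts to comparing each node's version string against the fixed releases listed on this page. The following script is an added example, not Cisco tooling and not part of the advisory: it parses StarOS version strings in the three forms this page uses ("18.7.4", "19.3.v7", and "N4.2.7 (19.3.v7)"), compares them branch by branch against the fixed releases copied from the remediation list, and filters a constructed sample inventory down to the hosts that still need an upgrade. The fixed-version tables, the treatment of 17.7.0 itself as affected, and the assumption that branches newer than any listed fix already contain it are all assumptions made here; confirm the thresholds against cisco-sa-20170315-asr before relying on the result.

```python
"""Version check for the "Validate patch status" step.

Added example, not Cisco tooling. The fixed releases in the tables below are
copied from this page's remediation list; confirm them against the Cisco
advisory (cisco-sa-20170315-asr) before trusting the result.
"""
import re

# Fixed release per major StarOS branch on the ASR 5000/5500/5700 hardware
# train, as listed on this page. Assumption: every earlier build on the same
# branch is affected and every later build carries the fix.
FIXED_ASR = {18: (18, 7, 4), 19: (19, 5, 0), 20: (20, 2, 3)}

# Fixed VPC-SI/VPC-DI builds listed on this page: N4.2.7 (19.3.v7) and N4.7 (20.2.v0).
FIXED_VPC = {19: (19, 3, 7), 20: (20, 2, 0)}

# The page says releases "after 17.7.0" are affected; 17.7.0 itself is treated
# as affected here (conservative assumption), and since no fix on the 17 branch
# is listed, any 17.7.x build is reported as needing an upgrade.
FIRST_AFFECTED = (17, 7, 0)


def parse_version(text):
    """Turn a StarOS version string into a comparable integer tuple.

    Accepts "18.7.4", "19.3.v7" (the 'v' marks a VPC build number) and the
    N-series form "N4.2.7 (19.3.v7)", where the StarOS build in parentheses
    is what gets compared. Raises ValueError for anything else.
    """
    m = re.search(r"\(([^)]+)\)", text)
    if m:
        text = m.group(1)
    parts = []
    for piece in text.strip().split("."):
        pm = re.fullmatch(r"v?(\d+)", piece)
        if pm is None:
            raise ValueError(f"unrecognised version component {piece!r} in {text!r}")
        parts.append(int(pm.group(1)))
    if len(parts) < 2:
        raise ValueError(f"version {text!r} needs at least major.minor")
    return tuple(parts)


def _pad(v, width=3):
    """Right-pad with zeros so (19, 5) compares equal to (19, 5, 0)."""
    return tuple(v) + (0,) * (width - len(v))


def is_affected(version, platform="asr"):
    """True if this build should be upgraded according to the page's version list."""
    v = _pad(parse_version(version))
    table = FIXED_ASR if platform == "asr" else FIXED_VPC
    if v < _pad(FIRST_AFFECTED):
        return False          # pre-17.7.0: not affected per the page
    if v[0] > max(table):
        return False          # assumption: branches newer than any listed fix contain it
    fixed = table.get(v[0])
    if fixed is None:
        return True           # e.g. 17.7.x: no fixed build on this branch is listed
    return v < _pad(fixed)


def affected_hosts(inventory):
    """Filter (hostname, platform, version) rows down to hosts needing an upgrade."""
    return [host for host, platform, version in inventory if is_affected(version, platform)]


# Constructed sample inventory (hostnames and builds invented for this example),
# in the shape an operator might export from a CMDB or collect from each node.
SAMPLE_INVENTORY = [
    ("asr5500-edge-1", "asr", "18.7.3"),
    ("asr5500-edge-2", "asr", "18.7.4"),
    ("asr5000-core-1", "asr", "17.7.2"),
    ("asr5700-lab-1", "asr", "17.6.0"),
    ("vpc-di-site-a", "vpc", "N4.2.6 (19.3.v6)"),
    ("vpc-si-site-b", "vpc", "N4.7 (20.2.v0)"),
]

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2017-3819, upgrade required")
```

Run against the sample inventory it reports asr5500-edge-1, asr5000-core-1 and vpc-di-site-a. The comparison is deliberately per-branch rather than a single "greater than 18.7.4" test, because a 19.x build can be older than 18.7.4 in calendar time and still lack the fix; the same shape works for any advisory that lists a fixed release per release train.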

References

  • Cisco Security Advisory cisco-sa-20170315-asr, https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-asr
  • SecurityFocus BID: 96913, http://www.securityfocus.com/bid/96913
  • SecurityTracker: 1038050, http://www.securitytracker.com/id/1038050

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Accommodation & Food Services: Low
  2. Administrative, Support, Waste Management & Remediation Services: Low
  3. Agriculture, Forestry, Fishing & Hunting: Low
  4. Arts, Entertainment & Recreation: Low
  5. Construction: Low
  6. Educational Services: Low
  7. Finance and Insurance: Low
  8. Health Care & Social Assistance: Low
  9. Information: Low
  10. Management of Companies & Enterprises: Low
  11. Manufacturing: Low
  12. Mining: Low
  13. Other Services (except Public Administration): Low
  14. Professional, Scientific, & Technical Services: Low
  15. Public Administration: Low
  16. Real Estate Rental & Leasing: Low
  17. Retail Trade: Low
  18. Transportation & Warehousing: Low
  19. Utilities: Low
  20. Wholesale Trade: Low
