CVE-2016-9223

9.8 CRITICAL

📋 TL;DR

This vulnerability allows an unauthenticated remote attacker to load Docker containers with arbitrary privileges on Cisco CloudCenter Orchestrator (CCO) systems. Only CCO deployments where the Docker Engine TCP management port 2375 is open and bound to 0.0.0.0 (all interfaces) are affected. The Docker Engine API has no authentication of its own, so anyone who can reach the port can create containers, bind-mount the host filesystem into them, and take full control of the system.

💻 Affected Systems

Products:
  • Cisco CloudCenter Orchestrator (CCO), formerly CliQr
Versions: All releases
Operating Systems: Linux (Docker host systems)
Default Config Vulnerable: No (see Notes)
Notes: Only vulnerable when Docker Engine TCP port 2375 is open and bound to 0.0.0.0 (listening on all interfaces).

📦 What is this software?

Cisco CloudCenter (formerly CliQr, acquired by Cisco in 2016) is a hybrid-cloud application management platform. The CloudCenter Orchestrator (CCO) is the component that deploys and manages application workloads on the target cloud or data center. It runs on Linux hosts that use Docker Engine, which is why the Docker Engine management port matters on these systems.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to install malicious containers, exfiltrate data, pivot to other systems, and establish persistent backdoors.

🟠

Likely Case

Attackers gain root-level access to deploy containers, potentially stealing sensitive data, disrupting services, or using the system for further attacks.

🟢

If Mitigated

No impact if Docker Engine is properly secured with authentication and network restrictions.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet without authentication when exposed.
🏢 Internal Only: HIGH - Even internally, any network-accessible system can be compromised without credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs nothing beyond a Docker CLI or plain HTTP client pointed at the exposed port (for example docker -H tcp://<cco-host>:2375 run ... with a bind mount of the host filesystem); the Engine API has no authentication of its own, and generic tooling for abusing exposed Docker daemons is public. No CCO-specific exploit is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: The fix is a configuration change to the Docker Engine listener rather than a code patch; see the Cisco advisory for the CCO releases that ship with it. Existing deployments are corrected by reconfiguring the daemon as described below.

Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161221-cco

Restart Required: Yes

Instructions:

1. Remove the unauthenticated TCP listener: take tcp://0.0.0.0:2375 out of the "hosts" array in /etc/docker/daemon.json or out of the -H flag on the dockerd command line (whichever is in use), leaving only unix:///var/run/docker.sock.
2. If remote API access is genuinely required, expose it only on the management interface and only over TLS with client-certificate verification (dockerd --tlsverify --tlscacert --tlscert --tlskey, conventionally on port 2376), and restrict that port to management hosts with a firewall.
3. Run systemctl daemon-reload && systemctl restart docker, then confirm with ss -tlnp that nothing listens on 0.0.0.0:2375 or [::]:2375.

🔧 Temporary Workarounds

Disable Docker TCP Port

Linux

Remove the Docker Engine TCP listener so the daemon is reachable only through the local Unix socket.

Remove "tcp://0.0.0.0:2375" from the "hosts" array in /etc/docker/daemon.json, or the -H tcp://0.0.0.0:2375 flag from the dockerd command line in the systemd unit (systemctl cat docker shows where it is set)
systemctl daemon-reload && systemctl restart docker

Bind to Localhost Only

Linux

Change the Docker TCP binding to the loopback interface instead of all interfaces. The API is still unauthenticated; this only removes network reachability, so anyone with local access can still use it.

Replace tcp://0.0.0.0:2375 with tcp://127.0.0.1:2375 in the same daemon.json "hosts" entry or -H flag
systemctl daemon-reload && systemctl restart docker

Caveat: dockerd refuses to start if "hosts" is set in daemon.json while the systemd ExecStart line also passes -H (the stock unit uses -H fd://). Configure the listener in one place only; when moving it into daemon.json, clear ExecStart in a drop-in override so the flag is no longer passed.
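The following script ties the fix steps and the two workarounds above together. It is an added example for this page, not code from Cisco or the Docker project: it audits both places the dockerd listener can be configured for the CVE-2016-9223 condition, and with --fix rewrites the configuration to the hardened form (local Unix socket plus TLS with client-certificate verification on port 2376, bound to one management address). The management IP 10.0.0.5, the certificate paths under /etc/docker/certs and the override path are assumptions for illustration; substitute your own.

```shell
#!/usr/bin/env bash
# Added example (not Cisco's or Docker's code): audit the dockerd listener
# configuration for the CVE-2016-9223 condition and write the hardened form.
# Assumptions for illustration: management IP 10.0.0.5 and certificate paths
# under /etc/docker/certs; real deployments substitute their own values.
set -eu

DAEMON_JSON="${DAEMON_JSON:-/etc/docker/daemon.json}"
UNIT_OVERRIDE="${UNIT_OVERRIDE:-/etc/systemd/system/docker.service.d/override.conf}"

# Returns 0 when dockerd is configured to listen without TLS on TCP port 2375
# on all interfaces, in either place the listener can be set: the "hosts"
# array of daemon.json ($1) or a -H flag in the systemd unit/override ($2).
weak_listener_configured() {
  local pat='tcp://(0\.0\.0\.0|\[::\]):2375'
  grep -Eq "$pat" "$1" 2>/dev/null && return 0
  grep -Eq -- "-H[= ]*$pat" "$2" 2>/dev/null && return 0
  return 1
}

# Writes a daemon.json that keeps the local Unix socket and exposes the API
# only on the management address, on TLS port 2376, with the server
# demanding a client certificate signed by the configured CA.
write_hardened_daemon_json() {
  local path="$1" mgmt_ip="$2"
  cat > "$path" <<EOF
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://${mgmt_ip}:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}
EOF
}

# With "hosts" set in daemon.json, the stock unit's "-H fd://" on ExecStart
# must go, or dockerd refuses to start ("specified both as a flag and in the
# configuration file"). A drop-in override clears the original ExecStart.
# If docker.socket activation was in use, disable docker.socket as well.
write_unit_override() {
  mkdir -p "$(dirname "$1")"
  cat > "$1" <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd
EOF
}

if weak_listener_configured "$DAEMON_JSON" "$UNIT_OVERRIDE"; then
  echo "VULNERABLE: dockerd listens unauthenticated on all interfaces, port 2375"
  if [ "${1:-}" = "--fix" ]; then
    cp -a "$DAEMON_JSON" "$DAEMON_JSON.bak" 2>/dev/null || true
    write_hardened_daemon_json "$DAEMON_JSON" "${MGMT_IP:-10.0.0.5}"
    write_unit_override "$UNIT_OVERRIDE"
    echo "Config rewritten; now run: systemctl daemon-reload && systemctl restart docker"
  fi
else
  echo "OK: no unauthenticated all-interface listener on port 2375 configured"
fi
```

Run it without arguments to audit only; with --fix (and MGMT_IP set) it backs up daemon.json and writes the hardened files but leaves the restart to you, since restarting dockerd stops running containers unless live-restore is enabled. The TLS files referenced by the hardened config must exist before the restart or dockerd will not start.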

🧯 If You Can't Patch

  • Implement strict network ACLs to block external access to port 2375
  • Deploy host-based firewall rules to restrict Docker port access to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Check whether dockerd is listening on TCP port 2375 on a non-loopback address: ss -tlnp | grep 2375 (or netstat -tlnp | grep 2375). A local address of 0.0.0.0:2375, [::]:2375 or *:2375 means all interfaces. From another host, curl --max-time 5 http://<cco-host>:2375/version returning JSON confirms the API is reachable without credentials.

Check Version:

docker version reports only the Docker Engine version; the vulnerable condition is the listener configuration, not a particular version. To see how the daemon was started: ps -o args= -C dockerd and cat /etc/docker/daemon.json

Verify Fix Applied:

Verify that port 2375 is no longer reachable from the network: ss -tlnp | grep 2375 should show only 127.0.0.1:2375 / [::1]:2375 or nothing at all, and curl --max-time 5 http://<cco-host>:2375/version from a remote host should fail to connect. If TLS was enabled instead, port 2376 should reject clients that do not present a certificate signed by the configured CA.
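As an added example (not from Cisco or the original page), this script performs the two checks above: it parses ss -tlnp output and reports every port-2375 listener bound to a non-loopback address, and it defines the remote probe against GET /version. The ss output embedded in it is constructed sample data; the probe function needs network access and is only defined, not run.

```shell
#!/usr/bin/env bash
# Added example (not Cisco's or Docker's code): find Docker Engine listeners
# on port 2375 that are reachable from other hosts, plus an active remote probe.
# The sample ss output below is constructed for illustration.
set -eu

# Reads `ss -tlnp` output on stdin and prints each port-2375 listener whose
# local address is not loopback (0.0.0.0, [::] and * all mean every interface).
# Exit status 0 means at least one exposed listener was found.
find_exposed_docker_listeners() {
  awk '
    $1 == "LISTEN" {
      n = split($4, a, ":"); port = a[n]
      if (port == "2375" && $4 !~ /^(127\.|\[::1\]|::1)/) { print $4; found = 1 }
    }
    END { exit (found ? 0 : 1) }'
}

# Active check from a second host: an exposed Engine API answers GET /version
# with JSON containing "ApiVersion" to anyone, no credentials needed.
# Needs network access, so it is only defined here, not run.
probe_docker_api() {
  curl -s --max-time 5 "http://$1:2375/version" | grep -q '"ApiVersion"'
}

# Constructed sample: one loopback listener (fine), two all-interface ones (exposed).
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:2375      0.0.0.0:*         users:(("dockerd",pid=1234,fd=7))
LISTEN 0      4096   0.0.0.0:2375        0.0.0.0:*         users:(("dockerd",pid=1234,fd=8))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=800,fd=3))
LISTEN 0      4096   [::]:2375           [::]:*            users:(("dockerd",pid=1234,fd=9))'

echo "Exposed listeners in the constructed sample:"
printf '%s\n' "$SAMPLE_SS_OUTPUT" | find_exposed_docker_listeners

# Same check against the host the script runs on, when ss is available.
if command -v ss >/dev/null 2>&1; then
  echo "Exposed listeners on this host:"
  ss -tlnp 2>/dev/null | find_exposed_docker_listeners || echo "(none)"
fi
```

On a CCO host, ss -tlnp | find_exposed_docker_listeners is the single pre- and post-fix check; after hardening, it should print nothing and exit 1. Pair it with probe_docker_api <cco-host> from a machine outside the management network, which should fail once the listener is removed or bound to loopback.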

📡 Detection & Monitoring

Log Indicators:

  • Container creation, start and exec events that the CCO software did not initiate (docker events --since <time> on the host; the daemon logs individual API requests only when run with --log-level debug or "debug": true in daemon.json)
  • Unexpected containers in docker ps -a, especially ones run privileged or with the host filesystem bind-mounted
  • Firewall or flow logs showing connection attempts to port 2375 from sources outside the management network

Network Indicators:

  • TCP connections to port 2375 on the CCO host from any address outside the management network
  • Plain-HTTP (non-TLS) Docker Engine API traffic such as GET /containers/json, POST /containers/create or POST /containers/<id>/start; the Engine API has no authentication header, so the cleartext request itself is the indicator

SIEM Query:

dest_port=2375 AND protocol=TCP AND NOT src_ip IN (<management allow-list>)

(Generic pseudo-query; match on the destination port of the CCO host, and alert on any source address that is not an approved management host.)
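The same detection logic as the query above, run over host firewall logs, as an added example that is not part of the original page or Cisco's guidance. It assumes an iptables LOG rule on the CCO host such as iptables -I INPUT -p tcp --dport 2375 --syn -j LOG --log-prefix "DOCKER-API: " and flags every connection attempt to port 2375 whose source is not on a management allow-list. The allow-list addresses and the kernel log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Cisco's code): flag connection attempts to the Docker
# Engine port from hosts that are not on the management allow-list, using
# kernel log lines produced by an iptables LOG rule such as
#   iptables -I INPUT -p tcp --dport 2375 --syn -j LOG --log-prefix "DOCKER-API: "
# The allow-list and the log lines below are constructed for illustration.
set -eu

TRUSTED_SOURCES="10.0.0.10 10.0.0.11"

# Reads iptables LOG lines on stdin; prints "src -> dst:2375" once per
# untrusted source/destination pair seen opening a TCP connection to 2375
# (SYN only, so retransmits and established-flow packets are not counted).
# Exit status 0 when at least one untrusted connection was found.
flag_untrusted_docker_connections() {
  awk -v trusted="$1" '
    BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
    /PROTO=TCP/ && /DPT=2375/ && / SYN / {
      src = ""; dst = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DST=/) dst = substr($i, 5)
      }
      key = src " -> " dst ":2375"
      if (src != "" && !(src in ok) && !(key in seen)) { seen[key] = 1; print key; hits++ }
    }
    END { exit (hits ? 0 : 1) }'
}

# Constructed sample: a trusted admin host, two SYNs from an untrusted address
# to 2375, and an untrusted SSH attempt that must not be reported.
SAMPLE_LOG='Dec 22 10:01:02 cco kernel: DOCKER-API: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=10.0.0.10 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=2375 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 22 10:01:05 cco kernel: DOCKER-API: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51234 DPT=2375 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 22 10:01:06 cco kernel: DOCKER-API: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=51235 DPT=2375 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 22 10:01:07 cco kernel: SSH: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.4 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0'

echo "Untrusted connection attempts to the Docker Engine port:"
printf '%s\n' "$SAMPLE_LOG" | flag_untrusted_docker_connections "$TRUSTED_SOURCES"
```

Against a live host the same function reads journalctl -k (or /var/log/kern.log) instead of the sample: journalctl -k | flag_untrusted_docker_connections "$TRUSTED_SOURCES". Any line it prints is a host that reached the unauthenticated API, so treat it as a confirmed access rather than a mere scan and review docker ps -a and docker events for what it created.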

🔗 References

  • Cisco Security Advisory cisco-sa-20161221-cco: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161221-cco
  • NVD entry for CVE-2016-9223: https://nvd.nist.gov/vuln/detail/CVE-2016-9223