Cisco StarOS Interface Forwarding Denial of Service Vulnerability
Published: 2018-04-18T16:00:00
ID: CISCO-SA-20180418-STAROS
Type: cisco
Reporter: Cisco
Modified: 2018-04-18T16:00:00
Description
A vulnerability in the egress packet processing functionality of the Cisco StarOS operating system for Cisco Aggregation Services Router (ASR) 5700 Series devices and Virtualized Packet Core (VPC) System Software could allow an unauthenticated, remote attacker to cause an interface on the device to cease forwarding packets. The device may need to be manually reloaded to clear the condition.
The vulnerability is due to the failure to properly check that the length of a packet to transmit does not exceed the maximum supported length of the network interface card (NIC). An attacker could exploit this vulnerability by sending a crafted IP packet or a series of crafted IP fragments through an interface on the targeted device. A successful exploit could allow the attacker to cause the network interface to cease forwarding packets. This vulnerability could be triggered by either IPv4 or IPv6 network traffic.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-staros
{"id": "CISCO-SA-20180418-STAROS", "vendorId": null, "type": "cisco", "bulletinFamily": "software", "title": "Cisco StarOS Interface Forwarding Denial of Service Vulnerability", "description": "A vulnerability in the egress packet processing functionality of the Cisco StarOS operating system for Cisco Aggregation Services Router (ASR) 5700 Series devices and Virtualized Packet Core (VPC) System Software could allow an unauthenticated, remote attacker to cause an interface on the device to cease forwarding packets. The device may need to be manually reloaded to clear the condition.\n\nThe vulnerability is due to the failure to properly check that the length of a packet to transmit does not exceed the maximum supported length of the network interface card (NIC). An attacker could exploit this vulnerability by sending a crafted IP packet or a series of crafted IP fragments through an interface on the targeted device. A successful exploit could allow the attacker to cause the network interface to cease forwarding packets. This vulnerability could be triggered by either IPv4 or IPv6 network traffic.\n\nCisco has released software updates that address this vulnerability. 
There are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-staros [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-staros\"]", "published": "2018-04-18T16:00:00", "modified": "2018-04-18T16:00:00", "cvss": {"score": 8.6, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"}, "cvss2": {}, "cvss3": {}, "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-staros", "reporter": "Cisco", "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-staros"], "cvelist": ["CVE-2018-0239"], "immutableFields": [], "lastseen": "2022-03-12T05:39:24", "viewCount": 13, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-0239"]}, {"type": "nessus", "idList": ["CISCO-SA-20180418-STAROS.NASL"]}]}, "score": {"value": 6.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "cisa", "idList": ["CISA:238FF5BE3CFC36D1A37EA36E45E84D99"]}, {"type": "cve", "idList": ["CVE-2018-0239"]}, {"type": "nessus", "idList": ["CISCO-SA-20180418-STAROS.NASL"]}]}, "exploitation": null, "vulnersScore": 6.3}, "_state": {"dependencies": 1647589307, "score": 0}, "_internal": {}, "affectedSoftware": [{"version": "any", "operator": "eq", "name": "cisco asr 5000 series software"}, {"version": "5000 Series Software", "operator": "eq", "name": "cisco asr"}], "vendorCvss": {"score": "8.6", "severity": "high"}}
{"nessus": [{"lastseen": "2021-08-19T12:32:34", "description": "According to its self-reported version and model number, the remote Cisco ASR device is affected by a denial of service vulnerability.\nPlease see the included Cisco BID and the Cisco Security Advisory for more information.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2018-04-27T00:00:00", "type": "nessus", "title": "Cisco ASR StarOS Interface Forwarding Denial of Service Vulnerability (cisco-sa-20180418-staros)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-0239"], "modified": "2020-10-09T00:00:00", "cpe": ["cpe:/o:cisco:staros", "cpe:/h:cisco:asr_5700", "cpe:/a:cisco:asr_5700_series_software"], "id": "CISCO-SA-20180418-STAROS.NASL", "href": "https://www.tenable.com/plugins/nessus/109400", "sourceData": "#TRUSTED 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\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109400);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/09\");\n\n script_cve_id(\"CVE-2018-0239\");\n script_bugtraq_id(103923);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvf32385\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20180418-staros\");\n script_xref(name:\"IAVA\", value:\"2018-A-0137-S\");\n\n script_name(english:\"Cisco ASR StarOS Interface Forwarding Denial of Service Vulnerability (cisco-sa-20180418-staros)\");\n script_summary(english:\"Checks the StarOS version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by a denial of service vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version and model number, the remote\nCisco ASR device is affected by a denial of service vulnerability.\nPlease see the included Cisco BID and the Cisco Security Advisory for\nmore 
information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-staros\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b84fc064\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf32385\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCvf32385.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-0239\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/27\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:staros\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:asr_5700\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:asr_5700_series_software\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Cisco/ASR/Model\", \"Host/Cisco/StarOS\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_func.inc\");\ninclude(\"cisco_kb_cmd_func.inc\");\n\nget_kb_item_or_exit(\"Host/Cisco/StarOS\");\n\nversion = get_kb_item_or_exit(\"Host/Cisco/StarOS/Version\");\nmodel = get_kb_item_or_exit(\"Host/Cisco/ASR/Model\");\n\nmajor = NULL;\nbuild = NULL;\nfix = NULL;\ntrain = NULL;\n\n# only affects ASR 5700 series systems\nif (model !~ \"^57\\d{2}$\")\n audit(AUDIT_DEVICE_NOT_VULN, 'The ASR ' + model);\n\n# Normalize train characters\nversion= toupper(version);\n\n# For newer versions, We may be able to get the build number during detection\nbuild = get_kb_item(\"Host/Cisco/StarOS/Build\");\nif (!empty_or_null(build))\n version += \".\" + build;\n\n# defensive check for the pregmatches below\nif (version !~ \"^[\\d\\.]+\\([\\d\\.]+\" &&\n version !~ \"^[\\d\\.]+([A-Z]{1,2}\\d+)?\\.\\d+$\")\n audit(AUDIT_VER_FORMAT, version);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# old style of versioning 15.0(5439), style change mid 16.1, making\n# all of the old style versions fall into the vulnerable range.\nif (\"(\" >< version)\n{\n major = pregmatch(pattern:\"^([\\d\\.]+)\\(\", string:version);\n\n if(!isnull(major))\n {\n major = major[1];\n\n if (isnull(build))\n {\n build = pregmatch(pattern:\"^[\\d\\.]+\\(([\\d\\.]+)\", string:version);\n if(!isnull(build))\n {\n build = build[1];\n\n # Set the train to an empty string, or it causes issues when\n # seeing if a patched version exists using NULL as the value\n train = '';\n }\n else\n exit(1, \"Unable to extract build number.\");\n }\n }\n else\n exit(1, \"Unable to extract version number.\");\n}\nelse\n{\n # extract major, train, and build for new style\n extract = pregmatch(pattern:\"^([\\d\\.]+)\\.([A-Z]{1,2}\\d+)?\\.?(\\d+)?\", string:version);\n if (!isnull(extract))\n {\n 
major = extract[1];\n train = extract[2];\n if (isnull(build))\n build = extract[3];\n }\n}\n\n# Defensive checking for versions that we haven't yet seen\nif(empty_or_null(major) || empty_or_null(build))\n exit(1, \"An error occurred during version extraction.\");\n\nfix_array = make_array(\n \"21.0\", make_array(\"v4\", 67670),\n \"21.1\", make_array(\"v6\", 67740),\n \"21.4\", make_array(\"C0\", 68000, \"D0\", 67675, \"M0\", 67671)\n);\n\nif (major == \"21.3.1\" && int(build) < 67739)\n fix = \"21.3.1.67739\";\nelse if (major == \"21.4.0\" && int(build) < 68051)\n fix = \"21.4.0.68051\";\nelse if (!empty_or_null(fix_array[major]) &&\n !empty_or_null(train) &&\n int(build) < fix_array[major][train])\n fix = major + \".\" + train + \".\" + fix_array[major][train];\nelse audit(AUDIT_DEVICE_NOT_VULN, \"ASR \" + model, version);\n\noverride = FALSE;\nflag = FALSE;\n\nif (get_kb_item(\"Host/local_checks_enabled\"));\n{\n buf = cisco_command_kb_item(\n \"Host/Cisco/Config/show_support_details_grep_Cisco_VIC\",\n \"show support details | grep 'Cisco VIC'\"\n );\n if (check_cisco_result(buf))\n {\n if (preg(multiline:TRUE, pattern:\"Cisco VIC\", string:buf))\n flag = TRUE;\n }\n else if (cisco_needs_enable(buf)) override = TRUE;\n\n if (!flag && !override) audit(AUDIT_HOST_NOT, \"affected because vulnerable features are not enabled\");\n}\n\nsecurity_report_cisco(\n port : 0,\n severity : SECURITY_WARNING,\n override : override,\n version : version,\n fix : fix,\n bug_id : 'CSCvf32385'\n);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cve": [{"lastseen": "2022-03-23T11:32:55", "description": "A vulnerability in the egress packet processing functionality of the Cisco StarOS operating system for Cisco Aggregation Services Router (ASR) 5700 Series devices and Virtualized Packet Core (VPC) System Software could allow an unauthenticated, remote attacker to cause an interface on the device to cease forwarding packets. 
The device may need to be manually reloaded to clear this Interface Forwarding Denial of Service condition. The vulnerability is due to the failure to properly check that the length of a packet to transmit does not exceed the maximum supported length of the network interface card (NIC). An attacker could exploit this vulnerability by sending a crafted IP packet or a series of crafted IP fragments through an interface on the targeted device. A successful exploit could allow the attacker to cause the network interface to cease forwarding packets. This vulnerability could be triggered by either IPv4 or IPv6 network traffic. This vulnerability affects the following Cisco products when they are running the StarOS operating system and a virtual interface card is installed on the device: Aggregation Services Router (ASR) 5700 Series, Virtualized Packet Core-Distributed Instance (VPC-DI) System Software, Virtualized Packet Core-Single Instance (VPC-SI) System Software. Cisco Bug IDs: CSCvf32385.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-04-19T20:29:00", "type": "cve", "title": "CVE-2018-0239", "cwe": ["CWE-770"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0239"], "modified": "2020-09-04T18:28:00", "cpe": ["cpe:/o:cisco:staros:21.0.v4", "cpe:/o:cisco:staros:21.1.v6", "cpe:/o:cisco:staros:21.3.1", "cpe:/o:cisco:staros:21.4.0", "cpe:/o:cisco:staros:21.0.v0.65819"], "id": "CVE-2018-0239", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0239", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:cisco:staros:21.0.v0.65819:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:staros:21.1.v6:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:staros:21.0.v4:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:staros:21.3.1:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:staros:21.4.0:*:*:*:*:*:*:*"]}]}