Cisco IOS Software Firewall Application Inspection Control Vulnerability

2010-09-01T00:00:00
ID CISCO-SA-20080924-IOSFWHTTP.NASL
Type nessus
Reporter Tenable
Modified 2018-07-02T00:00:00

Description

Cisco IOS software configured for IOS firewall Application Inspection Control (AIC) with an HTTP-configured, application-specific policy is vulnerable to a denial of service when processing a specific, malformed HTTP transit packet. Successful exploitation of the vulnerability may result in a reload of the affected device.

Cisco has released free software updates that address this vulnerability.

A mitigation for this vulnerability is available. See the 'Workarounds' section of Cisco Security Advisory cisco-sa-20080924-iosfw for details.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#
# Security advisory is (C) CISCO, Inc.
# See http://www.cisco.com/en/US/products/products_security_advisory09186a0080a01545.shtml

include("compat.inc");

# Registration phase: this branch runs only when `description` is set. It
# records the plugin's metadata, references and dependencies, then exits
# before any of the detection logic further down the file is reached.
if (description)
{
 script_id(49018);
 script_version("1.20");
 script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/02");

 # Cross-references that tie a finding back to the advisory: CVE, Bugtraq ID,
 # Cisco bug ID and Cisco security advisory ID.
 script_cve_id("CVE-2008-3812");
 script_bugtraq_id(31354);
 script_xref(name:"CISCO-BUG-ID", value:"CSCsh12480");
 script_xref(name:"CISCO-SA", value:"cisco-sa-20080924-iosfw");

 script_name(english:"Cisco IOS Software Firewall Application Inspection Control Vulnerability");
 script_summary(english:"Checks IOS version");

 script_set_attribute(attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch.");
 script_set_attribute(attribute:"description", value:
"Cisco IOS software configured for IOS firewall Application Inspection
Control (AIC) with a HTTP configured, application-specific policy are
vulnerable to a denial of service when processing a specific, malformed
HTTP transit packet.  Successful exploitation of the vulnerability may
result in a reload of the affected device.

Cisco has released free software updates that address this
vulnerability.

A mitigation for this vulnerability is available. See the 'Workarounds'
section for details.");
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b20ad075");
 # http://www.cisco.com/en/US/products/products_security_advisory09186a0080a01545.shtml
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d2e005ae");
 script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in Cisco Security Advisory
cisco-sa-20080924-iosfw.");
 # CVSS v2 base vector: reachable over the network, low access complexity,
 # no authentication, no confidentiality or integrity impact, complete
 # availability impact. This is consistent with the device reload described above.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
 # CVSS v2 temporal vector: exploitability unproven, official fix available,
 # report confirmed.
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");
 # CWE-20: Improper Input Validation.
 script_cwe_id(20);

 script_set_attribute(attribute:"vuln_publication_date", value:"2008/09/24");
 script_set_attribute(attribute:"patch_publication_date", value:"2008/09/24");
 script_set_attribute(attribute:"plugin_publication_date", value:"2010/09/01");

 # NOTE(review): "local" presumably means the check relies on data collected
 # from the device itself (the KB reads later in this script) rather than on
 # probing it over the network. Confirm against the scanner documentation.
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
 script_end_attributes();

 # Information-gathering category. The detection code visible in this file
 # only reads KB items and the output of a "show" command; it does not send
 # the malformed HTTP packet described in the advisory.
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is (C) 2010-2018 Tenable Network Security, Inc.");
 script_family(english:"CISCO");

 # The detection code reads Host/Cisco/IOS/Version; presumably the declared
 # dependency is what populates that key. Verify in cisco_ios_version.nasl.
 script_dependencie("cisco_ios_version.nasl");
 script_require_keys("Host/Cisco/IOS/Version");
 exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

# Detection state used by the rest of the script:
#   flag     - non-zero once the host is considered affected
#   override - initialised to 0 here and passed to cisco_caveat() when reporting
flag = 0;
override = 0;

# IOS version string as stored in the KB. As the helper's name indicates,
# the script stops here when the key is missing.
version = get_kb_item_or_exit("Host/Cisco/IOS/Version");

# Releases this plugin treats as affected. Matching is by exact string
# equality, so a release that is absent from this list (or a version string
# formatted differently) is never flagged by this check.
affected_releases = make_list(
  '12.4(11)XW',
  '12.4(11)XV1',
  '12.4(11)XV',
  '12.4(14)XK',
  '12.4(11)XJ4',
  '12.4(11)XJ3',
  '12.4(11)XJ2',
  '12.4(11)XJ',
  '12.4(6)XE3',
  '12.4(6)XE2',
  '12.4(6)XE1',
  '12.4(6)XE',
  '12.4(11)T3',
  '12.4(11)T2',
  '12.4(11)T1',
  '12.4(11)T',
  '12.4(9)T6',
  '12.4(9)T5',
  '12.4(9)T4',
  '12.4(9)T3',
  '12.4(9)T2',
  '12.4(9)T1',
  '12.4(9)T'
);

foreach affected_release (affected_releases)
{
  if (version == affected_release)
  {
    # Stop at the first match so flag is incremented at most once.
    flag++;
    break;
  }
}

# Configuration check: narrows a version match down to devices whose
# "show policy-map type inspect zone-pair" output names an HTTP layer-7
# policy map.
#
# NOTE(review): this block is skipped when Host/local_checks_enabled is not
# set. A version match alone then drives the result and override stays 0, so
# the finding has not been confirmed against the device's configuration.
if (get_kb_item("Host/local_checks_enabled") && flag)
{
  # Start from "not affected"; only the branches below set the flag again.
  flag = 0;
  buf = cisco_command_kb_item("Host/Cisco/Config/show_policy-map_type_inspect_zone-pair", "show policy-map type inspect zone-pair");

  if (!check_cisco_result(buf))
  {
    # The command output is unusable. If the helper says enable privileges
    # are needed, keep the host flagged and set override so the report can
    # carry a caveat. Otherwise flag stays 0.
    if (cisco_needs_enable(buf))
    {
      flag = 1;
      override = 1;
    }
  }
  else if (preg(pattern:"Policy: http layer7-policymap", multiline:TRUE, string:buf))
  {
    # An HTTP layer-7 policy map is present in the inspected zone-pair output.
    flag = 1;
  }
}

# Final verdict: audit the host as not affected when nothing was flagged.
# Otherwise report on port 0 with the text returned by
# cisco_caveat(override) as the extra output.
if (!flag) audit(AUDIT_HOST_NOT, "affected");
else
{
  security_hole(port:0, extra:cisco_caveat(override));
  exit(0);
}