Cisco IOS SSL VPN Vulnerability (cisco-sa-20100922-sslvpn)

2012-01-10T00:00:00
ID CISCO-SA-20100922-SSLVPN.NASL
Type nessus
Reporter Tenable
Modified 2018-07-06T00:00:00

Description

Cisco IOS Software contains a vulnerability when the Cisco IOS SSL VPN feature is configured with an HTTP redirect. Exploitation could allow a remote, unauthenticated user to cause a memory leak on the affected devices, which could result in a memory exhaustion condition that may cause device reloads, the inability to service new TCP connections, and other denial of service (DoS) conditions. Cisco has released free software updates that address this vulnerability. There is a workaround to mitigate this vulnerability.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Cisco Security Advisory cisco-sa-20100922-sslvpn.
# The text itself is copyright (C) Cisco
#

include("compat.inc");

# Plugin metadata. This branch runs only when `description` is set and ends
# with exit(0), so none of the detection logic below it executes in that mode.
if (description)
{
  script_id(17785);
  script_version("1.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/06");

  # Cross-references that tie a finding back to the vendor advisory and bug.
  script_cve_id("CVE-2010-2836");
  script_bugtraq_id(43390);
  script_xref(name:"CISCO-BUG-ID", value:"CSCtg21685");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20100922-sslvpn");

  script_name(english:"Cisco IOS SSL VPN Vulnerability (cisco-sa-20100922-sslvpn)");
  script_summary(english:"Checks the IOS version.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote device is missing a vendor-supplied security patch."
  );
  # The description ties the issue to SSL VPN configured with an HTTP redirect;
  # the impact is availability only (memory exhaustion, reloads, refused TCP
  # connections).
  script_set_attribute(
    attribute:"description",
    value:
"Cisco IOS Software contains a vulnerability when the Cisco IOS SSL VPN
feature is configured with an HTTP redirect. Exploitation could allow
a remote, unauthenticated user to cause a memory leak on the affected
devices, that could result in a memory exhaustion condition that may
cause device reloads, the inability to service new TCP connections,
and other denial of service (DoS) conditions. Cisco has released free
software updates that address this vulnerability. There is a
workaround to mitigate this vulnerability."
  );
  # http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100922-sslvpn
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?61c2aff8"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Apply the relevant patch referenced in Cisco Security Advisory
cisco-sa-20100922-sslvpn."
  );
  # CVSS v2 base vector: network reachable, low complexity, no authentication,
  # no confidentiality or integrity impact, complete availability impact.
  # This matches the unauthenticated remote DoS described above.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  # Temporal vector: exploitability unproven, official fix, confirmed report.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # "local": the result comes from data gathered on the device (version string,
  # running configuration), not from probing the SSL VPN service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");

  # NOTE(review): patch_publication_date (2012/09/21) is later than both the
  # advisory date (2010/09/22) and this plugin's own publication date
  # (2012/01/10). It looks like a typo; confirm against the Cisco advisory
  # before relying on it for patch-age or SLA reporting.
  script_set_attribute(attribute:"vuln_publication_date", value:"2010/09/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/09/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/10");

  script_end_attributes();

  # ACT_GATHER_INFO: the check only reads collected data.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
  script_family(english:"CISCO");

  # The plugin needs the IOS version in the knowledge base; presumably
  # cisco_ios_version.nasl is what populates "Host/Cisco/IOS/Version".
  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version");

  exit(0);
}



include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

# IOS releases this plugin treats as affected. Each entry is compared
# verbatim (exact string equality) with the version stored in the KB, so a
# release not listed here is never flagged.
affected_releases = make_list(
  '12.4(15)T13',
  '12.4(20)T5',
  '12.4(20)T5a',
  '12.4(22)T5',
  '12.4(24)T2',
  '12.4(24)T3',
  '15.0(1)M',
  '15.0(1)M1',
  '15.0(1)M2',
  '15.1(1)T',
  '15.1(1)XB1'
);

# flag: non-zero while the host is still considered affected.
# override: set later when the running configuration could not be read.
flag = 0;
override = 0;

# Exits the plugin when the version key is missing from the KB.
version = get_kb_item_or_exit("Host/Cisco/IOS/Version");
foreach affected_release (affected_releases)
{
  if (version == affected_release)
  {
    flag++;
    # The entries are distinct, so at most one can match.
    break;
  }
}
# Refine the version-only match using the running configuration. This only
# happens when local checks are enabled; otherwise `flag` keeps whatever the
# version comparison produced and the host is reported on version alone.
if (get_kb_item("Host/local_checks_enabled"))
{
  # Pass 1: is SSL VPN / HTTP redirect present in the configuration at all?
  if (flag)
  {
    # Reset, then re-assert only if the configuration supports the finding.
    flag = 0;
    buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config", "show running-config");
    if (check_cisco_result(buf))
    {
      # NOTE(review): the two tests below are independent, so the "webvpn"
      # match alone sets flag and the http-redirect line is not actually
      # required. The advisory text ties the issue to SSL VPN *with* an HTTP
      # redirect, so a device that applied the workaround by removing the
      # redirect may still be reported. Confirm whether this is intended.
      if (preg(pattern:"\s+http-redirect\s+port.*", multiline:TRUE, string:buf)) { flag = 1; }
      if (preg(pattern:"webvpn", multiline:TRUE, string:buf)) { flag = 1; }
    # Configuration unreadable: presumably insufficient privilege. Keep the
    # host flagged and record that the result was not config-verified.
    } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; }
  }

  # Pass 2: require a "webvpn gateway" stanza that is in service.
  if (flag)
  {
    flag = 0;
    buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config", "show running-config");
    if (check_cisco_result(buf))
    {
      # Captures the text between "webvpn gateway" and the next "!" separator.
      # NOTE(review): only one match is examined (m[1]); with several gateways
      # configured, an in-service gateway after the first stanza would
      # presumably be missed. Verify against multi-gateway configurations.
      m = eregmatch(pattern:"webvpn gateway([^!]+)!", string:buf);
      # `><` is a substring test: flag only when the stanza contains "inservice".
      if ( (!isnull(m)) && ("inservice" >< m[1]) ) { flag = 1; }
    } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; }
  }
}


# Report the finding when the host is still flagged; otherwise record an
# audit trail entry stating that the host is not affected.
if (flag)
{
  # port:0 attaches the finding to the host rather than to a specific service.
  # `override` is passed to cisco_caveat(); presumably a non-zero value adds a
  # note that the configuration could not be verified. It is 0 when local
  # checks are disabled, so a version-only result carries no such caveat.
  security_hole(port:0, extra:cisco_caveat(override));
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");