Cisco IOS SIP Memory Leak DoS (CSCuj23293)

2016-04-01T00:00:00
ID CISCO-SA-20160323-SIP-IOS.NASL
Type nessus
Reporter Tenable
Modified 2018-08-09T00:00:00

Description

According to its self-reported version, the Cisco IOS software running on the remote device is affected by a denial of service vulnerability in the Session Initiation Protocol (SIP) gateway implementation due to improper handling of malformed SIP messages. An unauthenticated, remote attacker can exploit this, via crafted SIP messages, to cause memory leakage, resulting in an eventual reload of the affected device.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration. When Nessus loads the plugin with `description`
# set, only this block runs: it records metadata and exits, so the
# detection logic further down is never reached in that mode.
if (description)
{
  script_id(90310);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/08/09");

  # Cross-references: the CVE plus Cisco's own bug ID and advisory ID.
  script_cve_id("CVE-2016-1350");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuj23293");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20160323-sip");

  script_name(english:"Cisco IOS SIP Memory Leak DoS (CSCuj23293)");
  script_summary(english:"Checks the IOS version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is affected by denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco IOS software running
on the remote device is affected by a denial of service vulnerability
in the Session Initiation Protocol (SIP) gateway implementation due to
improper handling of malformed SIP messages. An unauthenticated,
remote attacker can exploit this, via crafted SIP messages, to cause
memory leakage, resulting in an eventual reload of the affected
device.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-sip
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ddc3f527");
  script_set_attribute(attribute:"see_also", value:"https://quickview.cloudapps.cisco.com/quickview/bug/CSCuj23293");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in the Cisco security advisory.");
  # Availability-only impact (C:N/I:N/A:C), reachable over the network
  # with no authentication (AV:N/Au:N).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/01");

  # "local" plugin type: the check relies on data collected from the
  # device (version string, optionally command output), not on probing
  # the SIP service itself.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");

  # The IOS version key is populated by cisco_ios_version.nasl; the
  # detection below cannot run without it.
  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

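# Detection state.
#   flag     - set to 1 once the device looks affected.
#   override - set to 1 when the configuration check could not be
#              completed; the report then carries the Cisco caveat.
flag = 0;
override = 0;

# Self-reported IOS release string collected by cisco_ios_version.nasl.
# The plugin exits here when the key is absent.
ver = get_kb_item_or_exit("Host/Cisco/IOS/Version");

# Releases the advisory lists as affected. Matching below is exact
# string equality against the self-reported version, so a release that
# is not spelled exactly as listed (including fixed releases) is treated
# as unaffected.
affected = make_list(
  "15.3(3)M",
  "15.3(3)M1",
  "15.3(3)M2",
  "15.3(1)S1",
  "15.3(1)S2",
  "15.3(2)S0a",
  "15.3(2)S2",
  "15.3(1)T",
  "15.3(1)T1",
  "15.3(1)T2",
  "15.3(1)T3",
  "15.3(1)T4",
  "15.3(2)T",
  "15.3(2)T1",
  "15.3(2)T2",
  "15.3(2)T3",
  "15.3(2)T4",
  "15.4(1)CG",
  "15.4(2)CG",
  "15.4(1)T",
  "15.4(1)T1",
  "15.4(2)T"
);

# Version check: the host is a candidate when its release is in the list.
# flag is already initialised above, so it is not reset again here.
foreach badver (affected)
{
  if (badver == ver)
  {
    flag = 1;
    break;
  }
}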

# Configuration check. A version match alone only says the image could
# be affected; when local checks are available, confirm that a SIP
# gateway socket process is actually running. The candidate flag is
# cleared first and only set again on positive evidence, or when the
# command output shows the enable level needed to verify is missing.
if (flag && get_kb_item("Host/local_checks_enabled"))
{
  flag = 0;
  buf = cisco_command_kb_item("Host/Cisco/Config/show_processes_include_sip","show processes | include SIP ");

  if (check_cisco_result(buf))
  {
    # A CCSIP_UDP_SOCKET / CCSIP_TCP_SOCKET process line means the SIP
    # gateway is active on the device.
    if (preg(multiline:TRUE, pattern:" CCSIP_(UDP|TCP)_SOCKET(\r?\n|$)", string:buf))
    {
      flag = 1;
    }
  }
  else if (cisco_needs_enable(buf))
  {
    # Could not run the command without enable access: report anyway,
    # with the caveat that the configuration was not verified.
    flag = 1;
    override = 1;
  }
}

# Reporting. audit() terminates the plugin, so everything after the
# guard runs only for hosts flagged above.
if (!flag) audit(AUDIT_HOST_NOT, "affected");

order  = make_list('Cisco bug ID', 'Installed release');
report = make_array(order[0], "CSCuj23293", order[1], ver);

# The Cisco caveat is always attached; the itemised detail (bug ID and
# installed release) is only included at report_verbosity > 0.
if (report_verbosity > 0)
{
  report = report_items_str(report_items:report, ordered_fields:order) + cisco_caveat(override);
}
else
{
  report = cisco_caveat(override);
}

security_hole(port:0, extra:report);
exit(0);