Lucene search

HistoryMay 26, 2016 - 12:00 a.m.

Cisco Web Security Appliance Multiple DoS Vulnerabilities

2016-05-2600:00:00

www.tenable.com

7.8 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.002 Low

EPSS

Percentile

55.7%

JSON

According to its self-reported version, the Cisco Web Security Appliance (WSA) running on the remote host is affected by the following vulnerabilities :

A denial of service vulnerability exists in Cisco AsyncOS due to improper validation of packets when parsing HTTP POST requests. An unauthenticated, remote attacker can exploit this, via a specially crafted POST request, to cause the proxy process to become unresponsive, resulting in the WSA reloading.
(CVE-2016-1380)
A denial of service vulnerability exists in Cisco AsyncOS in the cached file-range request functionality due to a failure to free memory when a file range for cached content is requested through the WSA. An unauthenticated, remote attacker can exploit this, via multiple connections that request file ranges, to cause the WSA to stop passing traffic because of memory exhaustion. (CVE-2016-1381)
A denial of service vulnerability exists in Cisco AsyncOS due to improper allocation of memory for HTTP headers and expected HTTP payloads. An unauthenticated, remote attacker can exploit this, via specially crafted HTTP requests, to cause the proxy process to unexpectedly reload. (CVE-2016-1382)
A denial of service vulnerability exists in Cisco AsyncOS due to a failure to free client and server connection memory and system file descriptors when a certain HTTP response code is received in the HTTP request. An unauthenticated, remote attacker can exploit this, via specially crafted HTTP requests, to cause the WSA to stop accepting new connections because of memory exhaustion. (CVE-2016-1383)

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(91338);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/05/14");

  script_cve_id(
    "CVE-2016-1380",
    "CVE-2016-1381",
    "CVE-2016-1382",
    "CVE-2016-1383"
  );
  script_bugtraq_id(
    90742,
    90744,
    90746,
    90747
  );
  script_xref(name:"CISCO-BUG-ID", value:"CSCuo12171");
  script_xref(name:"IAVB", value:"2016-B-0093-S");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuw97270");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuu02529");
  script_xref(name:"CISCO-BUG-ID", value:"CSCur28305");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20160518-wsa1");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20160518-wsa2");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20160518-wsa3");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20160518-wsa4");

  script_name(english:"Cisco Web Security Appliance Multiple DoS Vulnerabilities");
  script_summary(english:"Checks the WSA version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote security appliance is missing a vendor-supplied patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco Web Security
Appliance (WSA) running on the remote host is affected by the
following vulnerabilities :

  - A denial of service vulnerability exists in Cisco
    AsyncOS due to improper validation of packets when
    parsing HTTP POST requests. An unauthenticated, remote
    attacker can exploit this, via a specially crafted
    POST request, to cause the proxy process to become
    unresponsive, resulting in the WSA reloading.
    (CVE-2016-1380)

  - A denial of service vulnerability exists in Cisco
    AsyncOS in the cached file-range request functionality
    due to a failure to free memory when a file range for
    cached content is requested through the WSA. An
    unauthenticated, remote attacker can exploit this,
    via multiple connections that request file ranges,
    to cause the WSA to stop passing traffic because of
    memory exhaustion. (CVE-2016-1381)

  - A denial of service vulnerability exists in Cisco
    AsyncOS due to improper allocation of memory for HTTP
    headers and expected HTTP payloads. An unauthenticated,
    remote attacker can exploit this, via specially
    crafted HTTP requests, to cause the proxy process to
    unexpectedly reload. (CVE-2016-1382)

  - A denial of service vulnerability exists in Cisco
    AsyncOS due to a failure to free client and server
    connection memory and system file descriptors when a
    certain HTTP response code is received in the HTTP
    request. An unauthenticated, remote attacker can exploit
    this, via specially crafted HTTP requests, to cause the
    WSA to stop accepting new connections because of memory
    exhaustion. (CVE-2016-1383)");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160518-wsa1
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8ce8631d");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160518-wsa2
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?430ceb05");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160518-wsa3
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?708f68af");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160518-wsa4
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?88b96b29");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant updates referenced in Cisco Security Advisories
cisco-sa-20160518-wsa1, cisco-sa-20160518-wsa2, cisco-sa-20160518-wsa3
and cisco-sa-20160518-wsa4.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1383");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/05/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/26");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:web_security_appliance");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:web_security_appliance");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:web_security_appliance");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:asyncos");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_wsa_version.nasl");
  script_require_keys("Host/AsyncOS/Cisco Web Security Appliance/DisplayVersion", "Host/AsyncOS/Cisco Web Security Appliance/Version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

display_ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Web Security Appliance/DisplayVersion');
ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Web Security Appliance/Version');

# Prior to 7.7
if (ver =~ "^[0-6]\." || ver =~ "^7\.[0-7]\.") display_fix = '9.0.1-162';
else if (ver =~ "^8\.0\.")     display_fix = '9.0.1-162';
else if (ver =~ "^8\.[5-8]\.") display_fix = '9.0.1-162';
else if (ver =~ "^9\.0\.")     display_fix = '9.0.1-162';
else audit(AUDIT_INST_VER_NOT_VULN, 'Cisco WSA', display_ver);

fix = str_replace(string:display_fix, find:'-', replace:'.');

if (ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0)
  audit(AUDIT_INST_VER_NOT_VULN, 'Cisco WSA', display_ver);

security_report_v4(
  port:0,
  severity:SECURITY_HOLE,
  extra:
    '\n  Installed version : ' + display_ver +
    '\n  Fixed version     : ' + display_fix +
    '\n'
);

VendorProductVersionCPE
ciscoweb_security_appliancecpe:/h:cisco:web_security_appliance
ciscoweb_security_appliancecpe:/a:cisco:web_security_appliance
ciscoweb_security_appliancecpe:/o:cisco:web_security_appliance
ciscoasyncoscpe:/o:cisco:asyncos

Vendor	Product	CPE
cisco	web_security_appliance	cpe:/h:cisco:web_security_appliance
cisco	web_security_appliance	cpe:/a:cisco:web_security_appliance
cisco	web_security_appliance	cpe:/o:cisco:web_security_appliance
cisco	asyncos	cpe:/o:cisco:asyncos

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1380

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1381

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1382

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1383

www.nessus.org/u?430ceb05

www.nessus.org/u?708f68af

www.nessus.org/u?88b96b29

www.nessus.org/u?8ce8631d

7.8 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.002 Low

EPSS

Percentile

55.7%

JSON

Related for CISCO-SA-20160518-WSA1_TO_WSA4.NASL