Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.CISCO-SA-20161102-TL1.NASL
HistoryNov 10, 2016 - 12:00 a.m.

Cisco IOS XE TL1 Request Handling RCE (cisco-sa-20161102-tl1)

2016-11-1000:00:00
This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
www.tenable.com
32
JSON

According to its self-reported version and model, the Cisco IOS XE software running on the remote ASR device is affected by a remote code execution vulnerability in the Transaction Language 1 (TL1) code due to an overflow condition caused by improper bounds checking on certain input when handling TL1 requests. An unauthenticated, remote attacker can exploit this, via a specially crafted request to the TL1 port, to cause a denial of service condition or the execution of arbitrary code.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(94680);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/08");

  script_cve_id("CVE-2016-6441");
  script_bugtraq_id(94072);
  script_xref(name:"CISCO-SA", value:"cisco-sa-20161102-tl1");
  script_xref(name:"IAVA", value:"2017-A-0002-S");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuy15175");

  script_name(english:"Cisco IOS XE TL1 Request Handling RCE (cisco-sa-20161102-tl1)");
  script_summary(english:"Checks the IOS XE version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version and model, the Cisco IOS XE
software running on the remote ASR device is affected by a remote code
execution vulnerability in the Transaction Language 1 (TL1) code due
to an overflow condition caused by improper bounds checking on certain
input when handling TL1 requests. An unauthenticated, remote attacker
can exploit this, via a specially crafted request to the TL1 port, to
cause a denial of service condition or the execution of arbitrary
code.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-tl1
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1cb66121");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy15175");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCuy15175. Alternatively, as a mitigation, deploy infrastructure
access control lists (iACLs) to prevent TL1 packets from reaching the
device.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/11/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/10");

  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.");
  script_family(english:"CISCO");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

ver = get_kb_item_or_exit("Host/Cisco/IOS-XE/Version");

# Check model
# Affected: ASR902, ASR903, ASR907
model = get_kb_item("CISCO/model");
if(empty_or_null(model)) model = get_kb_item_or_exit("Host/Cisco/IOS-XE/Model");
if(model && model !~ "^ASR90[237]([^0-9]|$)") audit(AUDIT_DEVICE_NOT_VULN, model);

app = "Cisco IOS XE";
cbi = "CSCuy15175";
fix = NULL;

if (
  ver == "3.17.0S" ||
  ver == "3.17.1S" ||
  ver == "3.17.2S"
)
  fix = '3.17.3S';
if (
  ver == "3.18.0S" ||
  ver == "3.18.1S"
)
  fix = '3.18.2S';

if(!empty_or_null(fix))
{

  security_report_cisco(
  port     : 0,
  severity : SECURITY_HOLE,
  version  : ver,
  bug_id   : cbi,
  fix      : fix
  );

}
else audit(AUDIT_HOST_NOT, "affected");
VendorProductVersionCPE
ciscoios_xecpe:/o:cisco:ios_xe

Related

openvas 1
cve 1
cvelist 1
prion 1
cisco 1
threatpost 1
openvas
openvas
Cisco ASR 900 Series Aggregation Services Routers Buffer Overflow Vulnerability
2016-11-03 00:00:00
cve
cve
CVE-2016-6441
2016-11-03 21:59:00
cvelist
cvelist
CVE-2016-6441
2016-11-03 21:00:00
prion
prion
Design/Logic Flaw
2016-11-03 21:59:00
cisco
cisco
Cisco ASR 900 Series Aggregation Services Routers Buffer Overflow Vulnerability
2016-11-02 16:00:00
threatpost
threatpost
Cisco Patches Critical Bugs in 900 Series Routers, Prime Home Server
2016-11-03 11:06:28
JSON
Related for CISCO-SA-20161102-TL1.NASL
openvas1cve1cvelist1prion1cisco1threatpost1