Cisco IOS Denial of Service Vulnerability (cisco-sa-20190925-sip-dos)

2019-10-08T00:00:00
ID CISCO-SA-20190925-SIP-DOS-IOS.NASL
Type nessus
Reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-10-02T00:00:00

Description

A denial of service (DoS) vulnerability exists in the Session Initiation Protocol (SIP) component of Cisco IOS due to insufficient checks on an internal data structure which is populated with user submitted data. An unauthenticated, remote attacker can exploit this issue to force a restart of the system.

                                        
                                            #TRUSTED 3a94a38b0ccf49a7b8a246b60efc039295e7f50f792d12ef6111980ab4263197c04981701c1063a7c9f15a950de8adc6f4271047c35fc4d3d89258d278e32b5277e0521e47864976ae6a1a52630953615426ea21ff94a817a762cf625e26e70ef3e21a0cedfff1b442acf563e08aa4b7ba577519e3bd90e4c0d3de0245a2effee8949cffffbe23e5148295b6df5ed1d91f335a4ac28e3f8fe4f7f67733ef91305f03e0f7c3bc6ffbee9f52ad1035afe50775d7d074d354b46925899302b892daa5a78990cdd8c7e826786d6743c09074f1e8967116ea7b3863714c800c5d2bac47117e6ee6a39f13dc2716078f6d592ac18f5610c5de764001f3a924fbaddfece0a2242cc71d68b3b0218f5ae474bf404d87ca704801112bbae15a959d85b1ac9b0a4face3d56418f7a6fe556bcf5c56092a6d0d78ef1b7af13fe4d23961300c00d937ab79156611c046eb3e913adbaa8910d0fa1b20b5a4747a90c7c68d8c5e6d0266f9fd06b77616fb6b28850fb647edcd8cd07207365e6fa69ad02b30007a3d3bf7c9022f2b6d042635a6d067a38c5f4260bdefef01611f3d14d3f11253ebef7642e4d0b6603848fce7da01603b1abaee46d89fa387ea28988557da3786b142b723a2a475b86608f64a72b1211983d79f9ccce7df593ae604002844b5c47e64c8f7b2d28b877da137b7d17b6c0c6896c6fd1b3b45bb01cc4d724c426c76f6
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');

if (description)
{
  script_id(129694);
  script_version("1.8");
  script_cvs_date("Date: 2020/01/09");

  script_cve_id("CVE-2019-12654");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvn00218");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20190925-sip-dos");
  script_xref(name:"IAVA", value:"2019-A-0354");

  script_name(english:"Cisco IOS Denial of Service Vulnerability (cisco-sa-20190925-sip-dos)");
  script_summary(english:"Checks the IOS version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"A denial of service (DoS) vulnerability exists in the Session 
  Initiation Protocol (SIP) component of Cisco IOS due to insufficient checks on an internal data structure which 
  is populated with user submitted data. An unauthenticated, remote attacker can exploit this issue to force a restart
  of the system.");
  # https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn00218
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6e59804f");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-sip-dos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e0995245");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s)CSCvn00218.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-12654");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(476);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/09/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version");

  exit(0);
}

include('ccf.inc');
include('cisco_workarounds.inc');

product_info = cisco::get_product_info(name:'Cisco IOS');

version_list = make_list(
  '15.0(1)XA2',
  '15.0(1)XA4',
  '15.0(1)XA1',
  '15.0(1)XA3',
  '15.0(1)XA',
  '15.0(1)XA5',
  '15.1(2)T',
  '15.1(1)T4',
  '15.1(3)T2',
  '15.1(1)T1',
  '15.1(2)T0a',
  '15.1(3)T3',
  '15.1(1)T3',
  '15.1(2)T3',
  '15.1(2)T4',
  '15.1(1)T2',
  '15.1(3)T',
  '15.1(2)T2a',
  '15.1(3)T1',
  '15.1(1)T',
  '15.1(2)T2',
  '15.1(2)T1',
  '15.1(2)T5',
  '15.1(3)T4',
  '15.1(1)T5',
  '15.1(1)XB',
  '15.1(1)XB3',
  '15.1(1)XB1',
  '15.1(1)XB2',
  '15.1(4)XB4',
  '15.1(4)XB5',
  '15.1(4)XB6',
  '15.1(4)XB5a',
  '15.1(4)XB7',
  '15.1(4)XB8',
  '15.1(4)XB8a',
  '15.0(1)S2',
  '15.0(1)S1',
  '15.0(1)S',
  '15.0(1)S3a',
  '15.0(1)S4',
  '15.0(1)S5',
  '15.0(1)S4a',
  '15.0(1)S6',
  '15.2(1)S',
  '15.2(2)S',
  '15.2(1)S1',
  '15.2(4)S',
  '15.2(1)S2',
  '15.2(2)S1',
  '15.2(2)S2',
  '15.2(2)S0a',
  '15.2(2)S0c',
  '15.2(2)S0d',
  '15.2(4)S1',
  '15.2(4)S4',
  '15.2(4)S6',
  '15.2(4)S2',
  '15.2(4)S5',
  '15.2(4)S3',
  '15.2(4)S0c',
  '15.2(4)S1c',
  '15.2(4)S3a',
  '15.2(4)S4a',
  '15.2(4)S7',
  '15.2(4)S8',
  '15.3(1)T',
  '15.3(2)T',
  '15.3(1)T1',
  '15.3(1)T2',
  '15.3(1)T3',
  '15.3(1)T4',
  '15.3(2)T1',
  '15.3(2)T2',
  '15.3(2)T3',
  '15.3(2)T4',
  '15.1(2)S',
  '15.1(1)S',
  '15.1(1)S1',
  '15.1(3)S',
  '15.1(1)S2',
  '15.1(2)S1',
  '15.1(2)S2',
  '15.1(3)S1',
  '15.1(3)S0a',
  '15.1(3)S2',
  '15.1(3)S4',
  '15.1(3)S3',
  '15.1(3)S5',
  '15.1(3)S6',
  '15.1(3)S5a',
  '15.1(3)S7',
  '15.1(4)M3',
  '15.1(4)M',
  '15.1(4)M1',
  '15.1(4)M2',
  '15.1(4)M6',
  '15.1(4)M5',
  '15.1(4)M4',
  '15.1(4)M0a',
  '15.1(4)M0b',
  '15.1(4)M7',
  '15.1(4)M3a',
  '15.1(4)M10',
  '15.1(4)M8',
  '15.1(4)M9',
  '15.1(4)M12a',
  '15.1(2)GC',
  '15.1(2)GC1',
  '15.1(2)GC2',
  '15.1(4)GC',
  '15.1(4)GC1',
  '15.1(4)GC2',
  '15.0(1)MR',
  '15.0(2)MR',
  '15.2(4)M',
  '15.2(4)M1',
  '15.2(4)M2',
  '15.2(4)M4',
  '15.2(4)M3',
  '15.2(4)M5',
  '15.2(4)M8',
  '15.2(4)M10',
  '15.2(4)M7',
  '15.2(4)M6',
  '15.2(4)M9',
  '15.2(4)M6b',
  '15.2(4)M6a',
  '15.2(4)M11',
  '15.2(1)GC',
  '15.2(1)GC1',
  '15.2(1)GC2',
  '15.2(2)GC',
  '15.2(3)GC',
  '15.2(3)GC1',
  '15.2(4)GC',
  '15.2(4)GC1',
  '15.2(4)GC2',
  '15.2(4)GC3',
  '15.3(1)S',
  '15.3(2)S',
  '15.3(3)S',
  '15.3(1)S2',
  '15.3(1)S1',
  '15.3(2)S2',
  '15.3(2)S1',
  '15.3(1)S1e',
  '15.3(3)S1',
  '15.3(3)S2',
  '15.3(3)S3',
  '15.3(3)S6',
  '15.3(3)S4',
  '15.3(3)S1a',
  '15.3(3)S5',
  '15.3(3)S2a',
  '15.3(3)S7',
  '15.3(3)S8',
  '15.3(3)S6a',
  '15.3(3)S9',
  '15.3(3)S10',
  '15.3(3)S8a',
  '15.4(1)T',
  '15.4(2)T',
  '15.4(1)T2',
  '15.4(1)T1',
  '15.4(1)T3',
  '15.4(2)T1',
  '15.4(2)T3',
  '15.4(2)T2',
  '15.4(1)T4',
  '15.4(2)T4',
  '15.1(3)MRA',
  '15.1(3)MRA1',
  '15.1(3)MRA2',
  '15.1(3)MRA3',
  '15.1(3)MRA4',
  '15.1(3)SVB1',
  '15.1(3)SVB2',
  '15.2(2)JB1',
  '15.2(2)JB',
  '15.2(2)JB2',
  '15.2(4)JB',
  '15.2(2)JB3',
  '15.2(4)JB1',
  '15.2(4)JB2',
  '15.2(4)JB3',
  '15.2(4)JB3a',
  '15.2(2)JB4',
  '15.2(4)JB4',
  '15.2(4)JB3h',
  '15.2(4)JB3b',
  '15.2(4)JB3s',
  '15.2(4)JB5h',
  '15.2(4)JB5',
  '15.2(4)JB5m',
  '15.2(4)JB6',
  '15.2(2)JB5',
  '15.2(2)JB6',
  '15.4(1)S',
  '15.4(2)S',
  '15.4(3)S',
  '15.4(1)S1',
  '15.4(1)S2',
  '15.4(2)S1',
  '15.4(1)S3',
  '15.4(3)S1',
  '15.4(2)S2',
  '15.4(3)S2',
  '15.4(3)S3',
  '15.4(1)S4',
  '15.4(2)S3',
  '15.4(2)S4',
  '15.4(3)S0d',
  '15.4(3)S4',
  '15.4(3)S0e',
  '15.4(3)S5',
  '15.4(3)S0f',
  '15.4(3)S6',
  '15.4(3)S7',
  '15.4(3)S6a',
  '15.4(3)S8',
  '15.4(3)S9',
  '15.4(3)S10',
  '15.2(2)JAX',
  '15.2(2)JAX1',
  '15.3(3)M',
  '15.3(3)M1',
  '15.3(3)M2',
  '15.3(3)M3',
  '15.3(3)M5',
  '15.3(3)M4',
  '15.3(3)M6',
  '15.3(3)M7',
  '15.3(3)M8',
  '15.3(3)M9',
  '15.3(3)M10',
  '15.3(3)M8a',
  '15.2(4)JN',
  '15.2(1)SC1a',
  '15.2(2)SC',
  '15.2(2)SC1',
  '15.2(2)SC3',
  '15.2(2)SC4',
  '15.1(3)SVD',
  '15.1(3)SVD1',
  '15.1(3)SVD2',
  '15.1(3)SVD3',
  '15.1(3)SVF',
  '15.1(3)SVF1',
  '15.1(3)SVF2',
  '15.1(3)SVF2a',
  '15.1(3)SVF4b',
  '15.1(3)SVF4d',
  '15.1(3)SVF4e',
  '15.1(3)SVF4f',
  '15.1(3)SVF4c',
  '15.1(3)SVE',
  '15.4(3)M',
  '15.4(3)M1',
  '15.4(3)M2',
  '15.4(3)M3',
  '15.4(3)M4',
  '15.4(3)M5',
  '15.4(3)M6',
  '15.4(3)M7',
  '15.4(3)M6a',
  '15.4(3)M7a',
  '15.4(3)M8',
  '15.4(3)M9',
  '15.4(3)M10',
  '15.2(1)SD1',
  '15.2(1)SD2',
  '15.2(1)SD3',
  '15.2(1)SD4',
  '15.2(1)SD6',
  '15.2(1)SD6a',
  '15.2(1)SD7',
  '15.2(1)SD8',
  '15.2(4)JAZ',
  '15.2(4)JAZ1',
  '15.3(3)XB12',
  '15.4(1)CG',
  '15.4(1)CG1',
  '15.4(2)CG',
  '15.5(1)S',
  '15.5(2)S',
  '15.5(1)S1',
  '15.5(3)S',
  '15.5(1)S2',
  '15.5(1)S3',
  '15.5(2)S1',
  '15.5(2)S2',
  '15.5(3)S1',
  '15.5(3)S1a',
  '15.5(2)S3',
  '15.5(3)S2',
  '15.5(3)S0a',
  '15.5(3)S3',
  '15.5(1)S4',
  '15.5(2)S4',
  '15.5(3)S4',
  '15.5(3)S5',
  '15.5(3)S6',
  '15.5(3)S6a',
  '15.5(3)S7',
  '15.5(3)S6b',
  '15.5(3)S8',
  '15.5(3)S9',
  '15.1(3)SVG',
  '15.1(3)SVG2',
  '15.1(3)SVG3',
  '15.1(3)SVG1b',
  '15.1(3)SVG1c',
  '15.1(3)SVG3a',
  '15.1(3)SVG3b',
  '15.1(3)SVG3c',
  '15.1(3)SVG2a',
  '15.1(3)SVG1a',
  '15.5(1)T',
  '15.5(1)T1',
  '15.5(2)T',
  '15.5(1)T2',
  '15.5(1)T3',
  '15.5(2)T1',
  '15.5(2)T2',
  '15.5(2)T3',
  '15.5(2)T4',
  '15.5(1)T4',
  '15.4(2)SN',
  '15.4(2)SN1',
  '15.4(3)SN1',
  '15.4(3)SN1a',
  '15.3(3)JN',
  '15.3(3)JN1',
  '15.3(3)JN2',
  '15.3(3)JN3',
  '15.3(3)JN4',
  '15.3(3)JN6',
  '15.3(3)JN7',
  '15.3(3)JN8',
  '15.3(3)JN9',
  '15.3(3)JN11',
  '15.3(3)JN13',
  '15.3(3)JN14',
  '15.3(3)JN15',
  '15.1(3)SVH',
  '15.1(3)SVH2',
  '15.1(3)SVH4',
  '15.1(3)SVH4a',
  '15.5(3)M',
  '15.5(3)M1',
  '15.5(3)M0a',
  '15.5(3)M2',
  '15.5(3)M2a',
  '15.5(3)M3',
  '15.5(3)M4',
  '15.5(3)M4a',
  '15.5(3)M5',
  '15.5(3)M4b',
  '15.5(3)M4c',
  '15.5(3)M6',
  '15.5(3)M5a',
  '15.5(3)M7',
  '15.5(3)M6a',
  '15.5(3)M8',
  '15.5(3)M9',
  '15.3(3)JA',
  '15.3(3)JA1n',
  '15.3(3)JA1m',
  '15.3(3)JA1',
  '15.3(3)JA2',
  '15.3(3)JA3',
  '15.3(3)JA4',
  '15.3(3)JA5',
  '15.3(3)JA6',
  '15.3(3)JA7',
  '15.3(3)JA8',
  '15.3(3)JA10',
  '15.3(3)JA11',
  '15.3(3)JA12',
  '15.3(3)JAA',
  '15.3(3)JAA11',
  '15.3(3)JAA1',
  '15.3(3)JAA12',
  '15.3(3)JAB',
  '15.3(3)JB',
  '15.5(1)SN',
  '15.5(1)SN1',
  '15.5(2)SN',
  '15.5(3)SN0a',
  '15.5(3)SN',
  '15.6(1)S',
  '15.6(2)S',
  '15.6(2)S1',
  '15.6(1)S1',
  '15.6(1)S2',
  '15.6(2)S2',
  '15.6(1)S3',
  '15.6(2)S3',
  '15.6(1)S4',
  '15.6(2)S4',
  '15.1(3)SVI2',
  '15.1(3)SVI1a',
  '15.1(3)SVI2a',
  '15.1(3)SVI3',
  '15.1(3)SVI31a',
  '15.1(3)SVI31b',
  '15.1(3)SVI3b',
  '15.1(3)SVI3c',
  '15.6(1)T',
  '15.6(2)T',
  '15.6(1)T0a',
  '15.6(1)T1',
  '15.6(2)T1',
  '15.6(1)T2',
  '15.6(2)T0a',
  '15.6(2)T2',
  '15.6(1)T3',
  '15.6(2)T3',
  '15.3(3)JNB',
  '15.3(3)JNB1',
  '15.3(3)JNB2',
  '15.3(3)JNB3',
  '15.3(3)JNB4',
  '15.3(3)JNB6',
  '15.3(3)JNB5',
  '15.3(3)JAX',
  '15.3(3)JAX1',
  '15.3(3)JAX2',
  '15.3(3)JBB',
  '15.3(3)JBB1',
  '15.3(3)JBB2',
  '15.3(3)JBB4',
  '15.3(3)JBB5',
  '15.3(3)JBB6',
  '15.3(3)JBB8',
  '15.3(3)JBB6a',
  '15.3(3)JC',
  '15.3(3)JC1',
  '15.3(3)JC2',
  '15.3(3)JC3',
  '15.3(3)JC4',
  '15.3(3)JC5',
  '15.3(3)JC6',
  '15.3(3)JC8',
  '15.3(3)JC9',
  '15.3(3)JC14',
  '15.3(3)JNC',
  '15.3(3)JNC1',
  '15.3(3)JNC2',
  '15.3(3)JNC3',
  '15.3(3)JNC4',
  '15.3(3)JNP',
  '15.3(3)JNP1',
  '15.3(3)JNP3',
  '15.5(2)XB',
  '15.6(2)SP',
  '15.6(2)SP1',
  '15.6(2)SP2',
  '15.6(2)SP3',
  '15.6(2)SP4',
  '15.6(2)SP3b',
  '15.6(2)SP5',
  '15.6(2)SP6',
  '15.6(1)SN',
  '15.6(1)SN1',
  '15.6(2)SN',
  '15.6(1)SN2',
  '15.6(1)SN3',
  '15.6(3)SN',
  '15.6(4)SN',
  '15.6(5)SN',
  '15.6(6)SN',
  '15.6(7)SN',
  '15.6(7)SN1',
  '15.3(3)JPB',
  '15.3(3)JPB1',
  '15.3(3)JD',
  '15.3(3)JD2',
  '15.3(3)JD3',
  '15.3(3)JD4',
  '15.3(3)JD5',
  '15.3(3)JD6',
  '15.3(3)JD7',
  '15.3(3)JD8',
  '15.3(3)JD9',
  '15.3(3)JD11',
  '15.3(3)JD12',
  '15.3(3)JD13',
  '15.3(3)JD14',
  '15.3(3)JD16',
  '15.3(3)JD17',
  '15.6(3)M',
  '15.6(3)M1',
  '15.6(3)M0a',
  '15.6(3)M1a',
  '15.6(3)M1b',
  '15.6(3)M2',
  '15.6(3)M2a',
  '15.6(3)M3',
  '15.6(3)M3a',
  '15.6(3)M4',
  '15.6(3)M5',
  '15.6(3)M6',
  '15.6(3)M6a',
  '15.6(3)M6b',
  '15.1(3)SVJ',
  '15.1(3)SVJ2',
  '15.3(3)JPC',
  '15.3(3)JPC1',
  '15.3(3)JPC2',
  '15.3(3)JPC3',
  '15.3(3)JPC5',
  '15.3(3)JND',
  '15.3(3)JND1',
  '15.3(3)JND2',
  '15.3(3)JND3',
  '15.3(3)JE',
  '15.3(3)JPD',
  '15.3(3)JDA7',
  '15.3(3)JDA8',
  '15.3(3)JDA9',
  '15.3(3)JDA11',
  '15.3(3)JDA12',
  '15.3(3)JDA13',
  '15.3(3)JDA14',
  '15.3(3)JDA16',
  '15.3(3)JDA17',
  '15.3(3)JF',
  '15.3(3)JF1',
  '15.3(3)JF2',
  '15.3(3)JF4',
  '15.3(3)JF5',
  '15.3(3)JF6',
  '15.3(3)JF7',
  '15.3(3)JF8',
  '15.3(3)JF9',
  '15.3(3)JCA7',
  '15.3(3)JCA8',
  '15.3(3)JCA9',
  '15.7(3)M',
  '15.7(3)M1',
  '15.7(3)M0a',
  '15.7(3)M3',
  '15.7(3)M2',
  '15.7(3)M4',
  '15.7(3)M4a',
  '15.7(3)M4b',
  '15.3(3)JG',
  '15.3(3)JG1',
  '15.3(3)JH',
  '15.3(3)JH1',
  '15.3(3)JI1',
  '15.3(3)JI3',
  '15.3(3)JI4',
  '15.8(3)M',
  '15.8(3)M1',
  '15.8(3)M0a',
  '15.8(3)M0b',
  '15.8(3)M2',
  '15.8(3)M1a',
  '15.8(3)M2a',
  '15.3(3)JJ',
  '15.1(3)SVR'
);

workarounds = make_list(CISCO_WORKAROUNDS['show_processes']);
workaround_params = {'pat' : 'CCSIP_SPI_CONTRO'};

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_HOLE,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvn00218',
  'cmds'     , make_list('show processes')
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_versions:version_list
);