Cisco IOS XE Layer 4 Redirect DoS

2015-04-06T00:00:00
ID CISCO-SN-CSCUQ59131-IOSXE.NASL
Type nessus
Reporter Tenable
Modified 2018-11-15T00:00:00

Description

The Cisco IOS XE software running on the remote device is affected by a denial of service vulnerability due to improper processing of IP packets by the Layer 4 Redirect (L4R) feature. An unauthenticated, remote attacker, using crafted IPv4 or IPv6 packets, can exploit this to cause a device reload.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration: this branch only declares metadata (IDs, references,
# text, risk vector, dependencies) and exits at the end of the block, so none
# of the detection logic further down runs while `description` is set.
if (description)
{
  script_id(82590);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/11/15");

  # Cross-references used to correlate this finding with other sources:
  # CVE, Bugtraq ID and the Cisco bug identifier.
  script_cve_id("CVE-2015-0645");
  script_bugtraq_id(73337);
  script_xref(name:"CISCO-BUG-ID", value:"CSCuq59131");

  script_name(english:"Cisco IOS XE Layer 4 Redirect DoS");
  # The summary is accurate only in part: the check below also inspects the
  # running configuration for L4 Redirect statements, not just the version.
  script_summary(english:"Checks the IOS XE version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Cisco IOS XE software running on the remote device is affected by
a denial of service vulnerability due to improper processing of IP
packets by the Layer 4 Redirect (L4R) feature. An unauthenticated,
remote attacker, using crafted IPv4 or IPv6 packets, can exploit this
to cause a device reload.");
  # Full advisory URL kept for reference; presumably the target of the
  # shortened link on the next line (confirm before relying on it).
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-iosxe#@ID
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d4cbb5bb");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCuq59131");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in the Cisco Security Advisory.");
  # CVSS v2: network-reachable, low complexity, no authentication required;
  # no confidentiality or integrity impact, complete availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/03/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/03/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/06");

  # "local": the verdict is derived from version and configuration data
  # collected from the device, not from sending test traffic at it.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");

  # The plugin runs only after cisco_ios_xe_version.nasl and only when both
  # knowledge-base keys below are present (presumably populated by that
  # dependency -- confirm).
  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version", "Host/Cisco/IOS-XE/Model");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

# Match counter: stays at zero unless the release checks below find a hit.
flag = 0;

# Platform gate. The check is scoped to ASR, ISR and CSR models; for any
# other model string the run is ended through audit() with a
# "host is not ..." message. The model is read before the version, so a
# missing model key is what gets reported first.
model = get_kb_item_or_exit("Host/Cisco/IOS-XE/Model");
if (!(("ASR" >< model) || ("ISR" >< model) || ("CSR" >< model)))
  audit(AUDIT_HOST_NOT, "a ASR / ISR / CSR device");

# Release string that the comparisons below are run against.
version = get_kb_item_or_exit("Host/Cisco/IOS-XE/Version");

# Release taken from the Cisco bug entry; it has no counterpart in the
# release map used for the list below.
if (version == "15.2(4)S0.1") flag++;

# Releases enumerated in the CVRF data. Each entry is compared with exact
# string equality, so a release string carrying any extra suffix is not
# matched here.
cvrf_releases = make_list(
  "3.1.0S",  "3.1.1S",  "3.1.2S",  "3.1.3S",  "3.1.4S",  "3.1.5S",  "3.1.6S",
  "3.10.0S", "3.10.0aS", "3.10.1S", "3.10.2S", "3.10.3S",
  "3.11.0S", "3.11.1S", "3.11.2S",
  "3.12.0S", "3.12.1S",
  "3.13.0S",
  "3.2.0S",  "3.2.1S",  "3.2.2S",  "3.2.3S",
  "3.3.0S",  "3.3.1S",  "3.3.2S",
  "3.4.0S",  "3.4.1S",  "3.4.2S",  "3.4.3S",  "3.4.4S",  "3.4.5S",  "3.4.6S",
  "3.5.0S",  "3.5.1S",  "3.5.2S",
  "3.6.0S",  "3.6.1S",  "3.6.2S"
);
foreach cvrf_release (cvrf_releases)
{
  if (version == cvrf_release) flag++;
}

# Release trains named in the security advisory that neither the bug entry
# nor the CVRF list covers: everything in 2.x, and 3.7 / 3.8 / 3.9. The
# second pattern requires end-of-string or a non-digit after the minor
# number, so two-digit minors such as 3.70 are not matched by it.
if (version =~ "^2\.") flag++;
if (version =~ "^3\.[789]($|[^0-9])") flag++;

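# Configuration check and reporting.
#
# An affected release alone is not enough: the finding is confirmed only when
# the running configuration contains both L4 Redirect statements
# ("redirect server-group" and "redirect to group").
#
# `override` records that the configuration could not be read because the
# scan credentials lack enable privileges. In that case the host is still
# reported on the strength of the version match, and the report carries the
# caveat text from cisco_caveat() (cisco_func.inc) so that the reader knows
# the L4 Redirect configuration was not actually verified. The original code
# set `override` but never used it, so such unverified findings were
# indistinguishable from confirmed ones.
override = 0;

if (flag > 0)
{
  # Start over: from here on `flag` means "report this host".
  flag = 0;
  buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config", "show running-config");
  if (check_cisco_result(buf))
  {
    # Both statements must be present on indented configuration lines.
    if (
      (preg(multiline:TRUE, pattern:"^\s+redirect server-group ", string:buf)) &&
      (preg(multiline:TRUE, pattern:"^\s+redirect to group ", string:buf))
    ) flag = 1;
  }
  else if (cisco_needs_enable(buf)) { flag = 1; override = 1; }
  # NOTE(review): if the command output is neither usable nor an
  # "enable required" response, flag stays 0 and the host is audited as not
  # affected even though its release matched. Confirm that this is the
  # intended outcome for collection failures.
}

if (flag)
{
  if (report_verbosity > 0)
  {
    report =
    '\n  Cisco bug ID      : CSCuq59131' +
    '\n  Installed release : ' + version;
    # Append the caveat only for unverified findings; confirmed findings keep
    # the original report text unchanged.
    if (override) report += cisco_caveat(override);
    security_hole(port:0, extra:report);
  }
  else if (override) security_hole(port:0, extra:cisco_caveat(override));
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");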