Cisco IOS XE Layer 4 Redirect DoS

2015-04-06T00:00:00
ID CISCO-SN-CSCUQ59131-IOSXE.NASL
Type nessus
Reporter Tenable
Modified 2018-08-09T00:00:00

Description

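The Cisco IOS XE software running on the remote device is affected by a denial of service vulnerability due to improper processing of IP packets by the Layer 4 Redirect (L4R) feature. An unauthenticated, remote attacker, using crafted IPv4 or IPv6 packets, can exploit this to cause a device reload. The plugin sends no such packets: it matches the reported IOS XE release against the affected releases and then looks for the L4R `redirect server-group` and `redirect to group` lines in the running configuration. If the configuration cannot be read because enable access is needed, the device is still flagged on the release match alone.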

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when `description` is set, the script only declares its
# metadata below and leaves through the exit(0) at the end of this block, so
# the version and configuration checks further down are not reached.
if (description)
{
  script_id(82590);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/08/09");

  # Identifiers linking this check to the public CVE, the Bugtraq entry and
  # the vendor bug ID.
  script_cve_id("CVE-2015-0645");
  script_bugtraq_id(73337);
  script_xref(name:"CISCO-BUG-ID", value:"CSCuq59131");

  script_name(english:"Cisco IOS XE Layer 4 Redirect DoS");
  # The summary states the method: this is a version check, not an active probe.
  script_summary(english:"Checks the IOS XE version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Cisco IOS XE software running on the remote device is affected by
a denial of service vulnerability due to improper processing of IP
packets by the Layer 4 Redirect (L4R) feature. An unauthenticated,
remote attacker, using crafted IPv4 or IPv6 packets, can exploit this
to cause a device reload.");
  # The first see_also value is a shortened link; the comment below records
  # the advisory URL it stands for.
  # http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-iosxe#@ID
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?30ea0b29");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCuq59131");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in the Cisco Security Advisory.");
  # CVSS v2 base vector: network access, low complexity, no authentication;
  # confidentiality and integrity impact none, availability impact complete.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");

  # Disclosure, fix and plugin release dates.
  script_set_attribute(attribute:"vuln_publication_date", value:"2015/03/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/03/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/06");

  # Declared as a local check against the IOS XE operating-system CPE.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");

  # The check needs the version and model KB entries; presumably they are
  # populated by the dependency named here (confirm against that script).
  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version", "Host/Cisco/IOS-XE/Model");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

# Match counter for the release checks that follow; any value above zero
# means the installed release is listed as affected.
flag = 0;

# Platform gate: only models whose name contains ASR, ISR or CSR are in
# scope. Every other model is audited out before the version is read.
model = get_kb_item_or_exit("Host/Cisco/IOS-XE/Model");
in_scope = FALSE;
foreach platform (make_list("ASR", "ISR", "CSR"))
  if (platform >< model) in_scope = TRUE;
if (!in_scope) audit(AUDIT_HOST_NOT, "a ASR / ISR / CSR device");

version = get_kb_item_or_exit("Host/Cisco/IOS-XE/Version");

# Exact release strings treated as affected. The first entry comes from the
# bug report (noted by the author as not in the map); the rest come from the
# advisory's CVRF data.
affected_releases = make_list(
  # Bug
  "15.2(4)S0.1",
  # CVRF
  "3.1.0S", "3.1.1S", "3.1.2S", "3.1.3S", "3.1.4S", "3.1.5S", "3.1.6S",
  "3.10.0S", "3.10.0aS", "3.10.1S", "3.10.2S", "3.10.3S",
  "3.11.0S", "3.11.1S", "3.11.2S",
  "3.12.0S", "3.12.1S",
  "3.13.0S",
  "3.2.0S", "3.2.1S", "3.2.2S", "3.2.3S",
  "3.3.0S", "3.3.1S", "3.3.2S",
  "3.4.0S", "3.4.1S", "3.4.2S", "3.4.3S", "3.4.4S", "3.4.5S", "3.4.6S",
  "3.5.0S", "3.5.1S", "3.5.2S",
  "3.6.0S", "3.6.1S", "3.6.2S"
);

# The comparison is an exact string match, so a release string that differs
# in any character from the entries above is not counted here.
foreach affected_release (affected_releases)
{
  if (version == affected_release) flag++;
}

# From SA (and not covered by Bug or CVRF)
# Any 2.x release.
if (version =~ "^2\.") flag++;
# The 3.7, 3.8 and 3.9 trains. The trailing group requires end of string or a
# non-digit, so two-digit minors such as 3.70 do not match.
if (version =~ "^3\.[789]($|[^0-9])") flag++;

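# Check L4 Redirect config
# A release match alone is not enough: the finding is kept only if the
# running configuration shows L4R in use, or if the configuration could not
# be read. `override` records the second case so the report can say that the
# result was not confirmed against the configuration.
override = 0;
if (flag > 0)
{
  flag = 0;
  buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config", "show running-config");
  if (check_cisco_result(buf))
  {
    # Both lines must be present: a redirect server group definition and a
    # rule that redirects traffic to a group.
    if (
      (preg(multiline:TRUE, pattern:"^\s+redirect server-group ", string:buf)) &&
      (preg(multiline:TRUE, pattern:"^\s+redirect to group ", string:buf))
    ) flag = 1;
  }
  # Presumably the command output was unavailable because enable privileges
  # were needed: stay on the cautious side and keep the finding, but mark it
  # as unverified.
  else if (cisco_needs_enable(buf)) { flag = 1; override = 1; }
}

if (flag)
{
  # cisco_caveat() is the cisco_func.inc helper used for this purpose: it is
  # expected to return a note for the report when override is set and an
  # empty string otherwise. Previously override was set but never reported,
  # so a version-only result looked the same as a configuration-confirmed one.
  caveat = cisco_caveat(override);

  if (report_verbosity > 0)
  {
    report =
    '\n  Cisco bug ID      : CSCuq59131' +
    '\n  Installed release : ' + version +
    '\n';
    security_hole(port:0, extra:report + caveat);
  }
  else security_hole(port:0, extra:caveat);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");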