Cisco IOS XE Layer 4 Redirect DoS

2015-04-06T00:00:00
ID CISCO-SN-CSCUQ59131-IOSXE.NASL
Type nessus
Reporter Tenable
Modified 2018-02-21T00:00:00

Description

The Cisco IOS XE software running on the remote device is affected by a denial of service vulnerability due to improper processing of IP packets by the Layer 4 Redirect (L4R) feature. An unauthenticated, remote attacker, using crafted IPv4 or IPv6 packets, can exploit this to cause a device reload.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration block: runs only when the engine sets `description`,
# declares the plugin's metadata, dependencies and required KB keys, then
# exits before any detection logic is reached.
if (description)
{
  script_id(82590);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/02/21");

  # Cross-references for the same issue: CVE, Bugtraq, OSVDB and Cisco bug ID.
  script_cve_id("CVE-2015-0645");
  script_bugtraq_id(73337);
  script_osvdb_id(119944);
  script_xref(name:"CISCO-BUG-ID", value:"CSCuq59131");

  script_name(english:"Cisco IOS XE Layer 4 Redirect DoS");
  script_summary(english:"Checks the IOS XE version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Cisco IOS XE software running on the remote device is affected by
a denial of service vulnerability due to improper processing of IP
packets by the Layer 4 Redirect (L4R) feature. An unauthenticated,
remote attacker, using crafted IPv4 or IPv6 packets, can exploit this
to cause a device reload.");
  # http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-iosxe#@ID
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?30ea0b29");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCuq59131");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in the Cisco Security Advisory.");
  # CVSS v2 vector: reachable over the network, low attack complexity, no
  # authentication; no confidentiality or integrity impact, complete loss of
  # availability (matches the device reload described above).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/03/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/03/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/06");

  # NOTE(review): "local" presumably means the verdict is derived from data
  # collected from the device (version string, running config) rather than
  # from a network probe of the L4R feature - confirm against scanner docs.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");

  # The detection code below reads both of these KB keys; presumably they are
  # populated by cisco_ios_xe_version.nasl, the declared dependency.
  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version", "Host/Cisco/IOS-XE/Model");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

# Counts how many of the release checks matched; zero means "not affected".
flag = 0;

# Platform gate: the check applies only when the model string recorded in
# the KB contains ASR, ISR or CSR. Any other model is audited out here,
# before any version comparison takes place.
model = get_kb_item_or_exit("Host/Cisco/IOS-XE/Model");
if (!("ASR" >< model || "ISR" >< model || "CSR" >< model))
  audit(AUDIT_HOST_NOT, "a ASR / ISR / CSR device");

version = get_kb_item_or_exit("Host/Cisco/IOS-XE/Version");

# Bug
# Release named in the bug record itself; it has no entry in the list below.
if (version == "15.2(4)S0.1") flag++; # Not in map

# CVRF
# Affected releases, grouped by train. Matching is an exact string
# comparison, so a release string that is not listed verbatim (for example
# one carrying an extra suffix) is not flagged by this section.
cvrf_releases = make_list(
  "3.1.0S", "3.1.1S", "3.1.2S", "3.1.3S", "3.1.4S", "3.1.5S", "3.1.6S",
  "3.2.0S", "3.2.1S", "3.2.2S", "3.2.3S",
  "3.3.0S", "3.3.1S", "3.3.2S",
  "3.4.0S", "3.4.1S", "3.4.2S", "3.4.3S", "3.4.4S", "3.4.5S", "3.4.6S",
  "3.5.0S", "3.5.1S", "3.5.2S",
  "3.6.0S", "3.6.1S", "3.6.2S",
  "3.10.0S", "3.10.0aS", "3.10.1S", "3.10.2S", "3.10.3S",
  "3.11.0S", "3.11.1S", "3.11.2S",
  "3.12.0S", "3.12.1S",
  "3.13.0S"
);
foreach rel (cvrf_releases)
{
  if (version == rel) flag++;
}

# From SA (and not covered by Bug or CVRF)
# Whole trains matched by prefix: every 2.x release, and 3.7 / 3.8 / 3.9.
# The trailing group stops "3.7" from also matching a two-digit minor
# such as 3.70.
if ((version =~ "^2\.") || (version =~ "^3\.[789]($|[^0-9])")) flag++;

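# Check L4 Redirect config
#
# A release match alone is not enough: the host is reported only when the
# running configuration shows both L4R directives, or when the configuration
# could not be read because the scan lacked enable privileges.
#
# `override` marks that second case. The original set it without ever
# initialising or reporting it, so a version-only finding looked exactly like
# a confirmed one. It is now initialised here and passed to the shared Cisco
# helper cisco_caveat() when the finding is reported.
override = 0;

if (flag > 0)
{
  flag = 0;
  buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config", "show running-config");
  if (check_cisco_result(buf))
  {
    # Both directives must be present for the feature to count as configured.
    if (
      (preg(multiline:TRUE, pattern:"^\s+redirect server-group ", string:buf)) &&
      (preg(multiline:TRUE, pattern:"^\s+redirect to group ", string:buf))
    ) flag = 1;
  }
  else if (cisco_needs_enable(buf))
  {
    # Configuration unavailable: fall back to the version match, but record
    # that the feature check was skipped.
    flag = 1;
    override = 1;
  }
  # NOTE(review): if the command result is unusable for any other reason,
  # flag stays 0 and the host is audited as not affected even though the
  # configuration was never inspected - confirm this is intended.
}

if (flag)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Cisco bug ID      : CSCuq59131' +
      '\n  Installed release : ' + version +
      '\n';
    security_hole(port:0, extra:report + cisco_caveat(override));
  }
  else security_hole(port:0, extra:cisco_caveat(override));
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");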