Cisco IOS XE Software IKEv1 State Machine DoS (CSCuw08236)

2016-01-08T00:00:00
ID CISCO-SN-CSCUW08236-IOSXE.NASL
Type nessus
Reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2019-11-20T00:00:00

Description

According to its self-reported version, the Cisco IOS XE software running on the remote device is affected by a denial of service vulnerability in the Internet Key Exchange version 1 (IKEv1) subsystem due to insufficient condition checks in the IKEv1 state machine. An unauthenticated, remote attacker can exploit this vulnerability, by sending a spoofed, specific IKEv1 packet to an endpoint of an IPsec tunnel, to tear down IPsec tunnels that terminate on the endpoint, resulting in a partial denial of service condition.

                                        
                                            #TRUSTED 27bddc3cf364454f6c96289a8a7a920464b436db0d034ffbce50260da8e42141c21e7b032cf0826f80a79d3d3a8f930522ccc4fe74d6f7e85d928db9d026afb9544917da208831d928346458a9ad8ab2ba2d3879238f1d530c58cac767933df4ee4e755062fa310b24df48d5f9f99a90ee00eb5db3a7a54302080db997677a0e653db5f13477b8dac33b93f6aefe401127c653b3a4b9530c7c86546d085eb5fb3390af2cab2e3f8ca258675d6fb55787b1cef8284da98107004c58ba6a17ab063085983940048e5cfb8ef9c92972c100ec55d728c0c9808a9e5bed980b38e1a2ba93be622acfd7b375d3ed3f2fcdb141ce08d9825838e3fe62b9017c9194976aa03edada4bb63648710603358b02c5a5368aadbb345338a1dc296e49cec025438e64e18189e11174bf0cbb98ccaa41080558a7efaaf24959e679593d47c0209b50da2ebe547ef82243c06a7902eeb8a52473af0ed171eec4169806f31dc59f1e587071039a1150e2797f6ed58340a21cd0cd1fd1f97935fa3fa56b6a8d891737adae78dd2cb677fbeff2d3e1c15431e68433b55e90fd749daa5163b06bd0bd1bf581b6eff035f84917980fac560b725558483fd67397c78a82202c81311b067c9de97c93563fb0919d7ce0f85a9164ffe756e313c842b6ca17a43a81a2eac82b18f3f04d569fe90a8900e9a48530ca3678eac8579ac789f175e6b68b5c3452a0
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(87821);
  script_version("1.8");
  script_cvs_date("Date: 2019/11/20");

  script_cve_id("CVE-2015-6429");
  script_bugtraq_id(79745);
  script_xref(name:"CISCO-BUG-ID", value:"CSCuw08236");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20151218-ios");

  script_name(english:"Cisco IOS XE Software IKEv1 State Machine DoS (CSCuw08236)");
  script_summary(english:"Checks the IOS XE version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco IOS XE software
running on the remote device is affected by a denial of service
vulnerability in the Internet Key Exchange version 1 (IKEv1) subsystem
due to insufficient condition checks in the IKEv1 state machine. An
unauthenticated, remote attacker can exploit this vulnerability, by
sending a spoofed, specific IKEv1 packet to an endpoint of an IPsec
tunnel, to tear down IPsec tunnels that terminate on the endpoint,
resulting in a partial denial of service condition.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151218-ios
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1b10e25c");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw08236");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in Cisco security advisory
cisco-sa-20151218-ios.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/12/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

ver = get_kb_item_or_exit("Host/Cisco/IOS-XE/Version");

flag = 0;


# 3.15.2S / 3.16.1S / 3.17.1S Labeled not-vuln in SA
if (
  # CVRF IOS XE unmapped
  ver == "3.15.0S" ||
  ver == "3.15.1S" ||
  ver == "3.17.0S" ||
  ver == "3.16.0S" ||

  # CVRF IOS XE mapped (via cisco_ios_xe_version.nasl)
  ver == "3.13.0S" || # IOS 15.4(3)S
  ver == "3.14.0S"    # IOS 15.5(1)S
)
{
  flag++;
}

cmds = make_list();
# Check that IKEv1 or ISAKMP is running
if (flag && get_kb_item("Host/local_checks_enabled"))
{
  pat = "(\d+.\d+.\d+.\d+|.*:.*|UNKNOWN|--any--)\s+(500|848|4500)\s";

  flag = 0;
  buf = cisco_command_kb_item("Host/Cisco/Config/show_ip_sockets","show ip sockets");
  if (check_cisco_result(buf))
  {
    if (
      preg(multiline:TRUE, pattern:pat, string:buf)
    )
    {
      cmds = make_list(cmds, "show ip sockets");
      flag = 1;
    }
  }
  else if (cisco_needs_enable(buf))
  {
    flag = 1;
    override = 1;
  }

  buf = cisco_command_kb_item("Host/Cisco/Config/show_udp","show udp");
  if (check_cisco_result(buf))
  {
    if (
      preg(multiline:TRUE, pattern:"^17(\(v6\))?\s+--listen--.*\s500\s", string:buf) ||
      preg(multiline:TRUE, pattern:"^17(\(v6\))?\s+--listen--.*\s848\s", string:buf) ||
      preg(multiline:TRUE, pattern:"^17(\(v6\))?\s+--listen--.*\s4500\s", string:buf)
    )
    {
      flag = 1;
      cmds = make_list(cmds, "show udp");
    }
  }
  else if (cisco_needs_enable(buf))
  {
    flag = 1;
    override = 1;
  }
}

if (flag)
{
  security_report_cisco(
    port     : 0,
    severity : SECURITY_WARNING,
    override : override,
    version  : ver,
    bug_id   : "CSCuw08236",
    cmds     : cmds
  );
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");