Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.CISCO-SN-CSCUW08236-IOSXE.NASL
HistoryJan 08, 2016 - 12:00 a.m.

Cisco IOS XE Software IKEv1 State Machine DoS (CSCuw08236)

2016-01-0800:00:00
This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
35
JSON

According to its self-reported version, the Cisco IOS XE software running on the remote device is affected by a denial of service vulnerability in the Internet Key Exchange version 1 (IKEv1) subsystem due to insufficient condition checks in the IKEv1 state machine. An unauthenticated, remote attacker can exploit this vulnerability, by sending a spoofed, specific IKEv1 packet to an endpoint of an IPsec tunnel, to tear down IPsec tunnels that terminate on the endpoint, resulting in a partial denial of service condition.

#TRUSTED 27bddc3cf364454f6c96289a8a7a920464b436db0d034ffbce50260da8e42141c21e7b032cf0826f80a79d3d3a8f930522ccc4fe74d6f7e85d928db9d026afb9544917da208831d928346458a9ad8ab2ba2d3879238f1d530c58cac767933df4ee4e755062fa310b24df48d5f9f99a90ee00eb5db3a7a54302080db997677a0e653db5f13477b8dac33b93f6aefe401127c653b3a4b9530c7c86546d085eb5fb3390af2cab2e3f8ca258675d6fb55787b1cef8284da98107004c58ba6a17ab063085983940048e5cfb8ef9c92972c100ec55d728c0c9808a9e5bed980b38e1a2ba93be622acfd7b375d3ed3f2fcdb141ce08d9825838e3fe62b9017c9194976aa03edada4bb63648710603358b02c5a5368aadbb345338a1dc296e49cec025438e64e18189e11174bf0cbb98ccaa41080558a7efaaf24959e679593d47c0209b50da2ebe547ef82243c06a7902eeb8a52473af0ed171eec4169806f31dc59f1e587071039a1150e2797f6ed58340a21cd0cd1fd1f97935fa3fa56b6a8d891737adae78dd2cb677fbeff2d3e1c15431e68433b55e90fd749daa5163b06bd0bd1bf581b6eff035f84917980fac560b725558483fd67397c78a82202c81311b067c9de97c93563fb0919d7ce0f85a9164ffe756e313c842b6ca17a43a81a2eac82b18f3f04d569fe90a8900e9a48530ca3678eac8579ac789f175e6b68b5c3452a0
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(87821);
  script_version("1.8");
  script_cvs_date("Date: 2019/11/20");

  script_cve_id("CVE-2015-6429");
  script_bugtraq_id(79745);
  script_xref(name:"CISCO-BUG-ID", value:"CSCuw08236");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20151218-ios");

  script_name(english:"Cisco IOS XE Software IKEv1 State Machine DoS (CSCuw08236)");
  script_summary(english:"Checks the IOS XE version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco IOS XE software
running on the remote device is affected by a denial of service
vulnerability in the Internet Key Exchange version 1 (IKEv1) subsystem
due to insufficient condition checks in the IKEv1 state machine. An
unauthenticated, remote attacker can exploit this vulnerability, by
sending a spoofed, specific IKEv1 packet to an endpoint of an IPsec
tunnel, to tear down IPsec tunnels that terminate on the endpoint,
resulting in a partial denial of service condition.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151218-ios
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1b10e25c");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw08236");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in Cisco security advisory
cisco-sa-20151218-ios.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/12/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

ver = get_kb_item_or_exit("Host/Cisco/IOS-XE/Version");

flag = 0;


# 3.15.2S / 3.16.1S / 3.17.1S Labeled not-vuln in SA
if (
  # CVRF IOS XE unmapped
  ver == "3.15.0S" ||
  ver == "3.15.1S" ||
  ver == "3.17.0S" ||
  ver == "3.16.0S" ||

  # CVRF IOS XE mapped (via cisco_ios_xe_version.nasl)
  ver == "3.13.0S" || # IOS 15.4(3)S
  ver == "3.14.0S"    # IOS 15.5(1)S
)
{
  flag++;
}

cmds = make_list();
# Check that IKEv1 or ISAKMP is running
if (flag && get_kb_item("Host/local_checks_enabled"))
{
  pat = "(\d+.\d+.\d+.\d+|.*:.*|UNKNOWN|--any--)\s+(500|848|4500)\s";

  flag = 0;
  buf = cisco_command_kb_item("Host/Cisco/Config/show_ip_sockets","show ip sockets");
  if (check_cisco_result(buf))
  {
    if (
      preg(multiline:TRUE, pattern:pat, string:buf)
    )
    {
      cmds = make_list(cmds, "show ip sockets");
      flag = 1;
    }
  }
  else if (cisco_needs_enable(buf))
  {
    flag = 1;
    override = 1;
  }

  buf = cisco_command_kb_item("Host/Cisco/Config/show_udp","show udp");
  if (check_cisco_result(buf))
  {
    if (
      preg(multiline:TRUE, pattern:"^17(\(v6\))?\s+--listen--.*\s500\s", string:buf) ||
      preg(multiline:TRUE, pattern:"^17(\(v6\))?\s+--listen--.*\s848\s", string:buf) ||
      preg(multiline:TRUE, pattern:"^17(\(v6\))?\s+--listen--.*\s4500\s", string:buf)
    )
    {
      flag = 1;
      cmds = make_list(cmds, "show udp");
    }
  }
  else if (cisco_needs_enable(buf))
  {
    flag = 1;
    override = 1;
  }
}

if (flag)
{
  security_report_cisco(
    port     : 0,
    severity : SECURITY_WARNING,
    override : override,
    version  : ver,
    bug_id   : "CSCuw08236",
    cmds     : cmds
  );
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
VendorProductVersionCPE
ciscoios_xecpe:/o:cisco:ios_xe

Related

prion 1
cisco 1
cve 1
nessus 1
openvas 1
prion
prion
Design/Logic Flaw
2015-12-19 14:59:00
cisco
cisco
Cisco IOS and IOS XE Software IKEv1 State Machine Denial of Service Vulnerability
2015-12-18 08:00:00
cve
cve
CVE-2015-6429
2015-12-19 14:59:00
nessus
nessus
Cisco IOS Software IKEv1 State Machine DoS (CSCuw08236)
2016-01-08 00:00:00
openvas
openvas
Cisco IOS and IOS XE Software IKEv1 State Machine Denial of Service Vulnerability
2016-05-10 00:00:00
JSON
Related for CISCO-SN-CSCUW08236-IOSXE.NASL
prion1cisco1cve1nessus1openvas1