Lucene search
+L

Cisco IOS Extensible Authentication Protocol Vulnerability (cisco-sr-20071019-eap)

🗓️ 22 Jul 2013 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 65 Views

Cisco IOS EAP Vulnerability, device crash due to EAP packet processing flaw, allows attacker to execute arbitrary cod

Related
Refs
Code
ReporterTitlePublishedViews
Family
CVE
CVE-2007-5651
23 Oct 200721:00
cve
Cvelist
CVE-2007-5651
23 Oct 200721:00
cvelist
EUVD
EUVD-2007-5623
7 Oct 202500:30
euvd
NVD
CVE-2007-5651
23 Oct 200721:47
nvd
Prion
Authentication flaw
23 Oct 200721:47
prion
#TRUSTED 3fc36fb57a25737856c8d905eed5c310fabee8e8ddc8a062d9ec9330e26d9c51b17c5d3b4bb9c18e128cb7b309bf60d436c2e51d5d4c590f28c492b5a5c0b49d5390ba32de628ab7fa78ef3f5c05bfae865fc03ecd6f99d0fbbadd70b6dbccc9941cb73aef45a85fd01a48706373eb35abbef6e27cc7b6ec98115d4f73f509c51b9725cf2865233ef402488c7dbf7c300600a1c37441fe3ebe8dd505ae5556c5f1c61dde84edf8dabf0035def38eb36f2da7384c6fb8d5170fbbd58c1523dde9b654c5828587c03e5a5c4ccebc912ce432b9793c4f61afa7d97390ac565f29f911e42d9b79461c186fee526760107cf182564f263164bc2b14ee6c4e33d67ebd25262912ec33181c39c9c45854ee59f7b988f4c99150628368809abe23d525b0cfc06a3bbdec63f4785f53611e522255290075a49cb68ce934d1bb8f1e600c2fa5be1d14582476b77c51f9c44e6d27a8955d512023764c281927fd8b554d04c465ddc4b2f7015161e97a11f22a6dae86ae0dbc02cc266aabebc3d06fdc93d3340fe294c09ae7738b6b7331ce97f325f1ae19815e1c5d90375cdd25f744baf6788a27fa5dda6c7984f45bf2c8e21f9fd1937d75665de536c0ede410e407c95eae5afe6c34a35638f3d14fb9cbb93812cb263876e46ea07a6d1b317afa6b88272ffadb5872e02bcd93b2274f1843be1225b1d38f9208bcc28b963586a9b74456ec
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(68991);
  script_version("1.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/11/15");

  script_cve_id("CVE-2007-5651");
  script_bugtraq_id(26139);
  script_xref(name:"CISCO-BUG-ID", value:"CSCsb45696");
  script_xref(name:"CISCO-BUG-ID", value:"CSCsj56438");
  script_xref(name:"CISCO-SR", value:"cisco-sr-20071019-eap");

  script_name(english:"Cisco IOS Extensible Authentication Protocol Vulnerability (cisco-sr-20071019-eap)");
  script_summary(english:"Checks IOS version and running config");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote device is missing a vendor-supplied security patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of Cisco IOS running on the remote host has a denial of
service vulnerability.  The Extensible Authentication Protocol (EAP)
implementation does not properly process EAP packets, which could cause
the device to crash.  A remote, unauthenticated attacker could exploit
this to execute arbitrary code."
  );
  script_set_attribute(attribute:"see_also", value:"https://www.cr0.org/paper/hacklu2007-final.pdf");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20071019-eap
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7c4e5585");
  script_set_attribute(
    attribute:"solution",
    value:
"Apply the relevant patch referenced in the Cisco Security Response
cisco-sr-20071019-eap."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2007-5651");
  script_set_attribute(attribute:"vuln_publication_date", value:"2007/10/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/10/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/22");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

version = get_kb_item_or_exit("Host/Cisco/IOS/Version");
vuln = 0;

if (deprecated_version(version, "12.3JA")) vuln++;
if (check_release(version:version, patched:make_list("12.4(10b)JA"))) vuln++;
if (deprecated_version(version, "12.3JEA")) vuln++;
if (deprecated_version(version, "12.3JEB")) vuln++;
if (check_release(version:version, patched:make_list("12.3(8)JEC"))) vuln++;
if (deprecated_version(version, "12.4JX")) vuln++;
if (check_release(version:version, patched:make_list("12.4(5)XW"))) vuln++;  # the advisory says 12.4.XW5, i assume that is 12.4(5)XW
if (check_release(version:version, patched:make_list("12.1(27b)E2"))) vuln++;
if (check_release(version:version, patched:make_list("12.1(22)EA6"))) vuln++;
if (check_release(version:version, patched:make_list("12.1(26)EB2"))) vuln++;
if (check_release(version:version, patched:make_list("12.2(18)EW6"))) vuln++;
if (check_release(version:version, patched:make_list("12.2(18)S13"))) vuln++;
if (check_release(version:version, patched:make_list("12.2(18)SXF9"))) vuln++;
if (check_release(version:version, patched:make_list("12.2(18)ZY1"))) vuln++; # the advisory says 12.2.18-ZY1
if (check_release(version:version, patched:make_list("12.2(20)S13"))) vuln++;
if (check_release(version:version, patched:make_list("12.2(25)EWA4"))) vuln++;
if (check_release(version:version, patched:make_list("12.2(25)EX"))) vuln++;
if (check_release(version:version, patched:make_list("12.2(25)FX"))) vuln++;
if (check_release(version:version, patched:make_list("12.2(25)SED"))) vuln++;
if (check_release(version:version, patched:make_list("12.2(25)SG"))) vuln++;
if (check_release(version:version, patched:make_list("12.2(31)SB6"))) vuln++;
if (check_release(version:version, patched:make_list("12.2(33)SRA4"))) vuln++;

if (!vuln)
  audit(AUDIT_INST_VER_NOT_VULN, 'Cisco IOS', version);

override = 0;

if (
  get_kb_item("Host/local_checks_enabled") &&
  running_config = get_kb_item("Secret/Host/Cisco/show_running")
)
{
  config_vuln = 0;

  # two requirements for CSCsj56438 to be present on APS and 1310 Wireless Bridges:
  #
  # 1) The device must be running IOS in autonomous mode:
  #    "Access Points and 1310 Wireless Bridges running in LWAPP mode are not affected.
  #     Access Points in autonomous mode will have -K9W7- in the image names,
  #     while Access Points in LWAPP mode will have -K9W8- in their name."
  #
  # 2) "To determine if EAP is enabled on the Access Point, log into the device and issue the show running-config CLI
  #     command. If the output contains the
  #
  #      authentication open eap 'method_name'
  #    or
  #      authentication network-eap 'method_name'
  #
  #    then the device is vulnerable."
  feature_set = get_kb_item("Host/Cisco/IOS/FeatureSet");

  if (
    feature_set == 'K9W7' &&
    ('authentication open eap' >< running_config || 'authentication network-eap' >< running_config)
  )
  {
    config_vuln++;
  }

  # Two possible vulnerable configurations for CSCsj56438 on Catalyst 6500 Series and 7600 Series Wireless LAN
  # Services Module.  The device is vulnerable if the output of "show running-config" contains either of the following:
  #
  # 1) wlccp authentication-server client <any | eap | leap> <list_name>
  #
  # 2) wlccp authentication-server infrastructure <list>
  if (
    running_config =~ 'wlccp authentication-server client (any|eap|leap)' ||
    'wlccp authentication-server infrastructure' >< running_config
  )
  {
    config_vuln++;
  }

  # IOS switches are vulnerable to CSCsb45696 if the output of "show running-config" contains either of the following:
  #
  # dot1x pae authenticator
  # dot1x pae both
  if ('dot1x pae authenticator' >< running_config || 'dot1x pae both' >< running_config )
  {
    config_vuln++;
  }

  # There are configuration checks for CSCsc55249 (CatOS) but this plugin currently doesn't support authenticated
  # scans of CatOS devices

  if (!config_vuln)
    exit(0, 'The remote host is not affected.  The IOS version is unpatched, but the device is not using a vulnerable configuration.');
}

security_hole(port:0, extra:cisco_caveat(override));

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

15 Nov 2018 00:00Current
6Medium risk
Vulners AI Score6
CVSS 27.1
EPSS0.01826
65