Copyright (C) 2016 Greenbone AGOPENVAS:1361412562310105683Cisco IOS-XE Fragmented Packet Resource Consumption Vulnerability
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
56.0%
A vulnerability in the packet reassembly subsystem of Cisco IOS-XE could allow an unauthenticated,
remote attacker to consume CPU resources which may lead to a denial of service (DoS) condition.
The vulnerability is due to an error message that is triggered to the console and the syslog when a fragmented
packet cannot be properly reassembled. When an affected device fails to successfully perform reassembly,
instead of silently dropping the fragments, the ATTN-3-SYNC_TIMEOUT error message may be triggered.
On a device that is highly loaded, this condition may be leveraged to consume CPU resources that may be required
by another process, resulting in a temporary halt of the queued process. In some situations this may lead to a
drop of transit traffic. An attacker could trigger this vulnerability by sending a series of IPv4 or IPv6 fragments,
that are designed to trigger the error message, directly to the affected device.
Cisco IOS-XE devices rate-limit error messages to once every 60 seconds by default.
Cisco has confirmed the vulnerability and released software updates.
To exploit the vulnerability, an attacker must send a continuous series of network packets to a targeted device. Devices that are protected by network filtering or have access restricted from untrusted networks may be at less risk of exploitation.
Cisco indicates through the CVSS score that functional exploit code exists, however, the code is not known to be publicly available.
# SPDX-FileCopyrightText: 2016 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/o:cisco:ios_xe";
if (description)
{
script_oid("1.3.6.1.4.1.25623.1.0.105683");
script_cve_id("CVE-2015-4293");
script_tag(name:"cvss_base", value:"5.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_version("2023-07-20T05:05:17+0000");
script_name("Cisco IOS-XE Fragmented Packet Resource Consumption Vulnerability");
script_xref(name:"URL", value:"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20150729-CVE-2015-4293");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
script_tag(name:"solution", value:"See the referenced vendor advisory for a solution.");
script_tag(name:"summary", value:"A vulnerability in the packet reassembly subsystem of Cisco IOS-XE could allow an unauthenticated,
remote attacker to consume CPU resources which may lead to a denial of service (DoS) condition.
The vulnerability is due to an error message that is triggered to the console and the syslog when a fragmented
packet cannot be properly reassembled. When an affected device fails to successfully perform reassembly,
instead of silently dropping the fragments, the ATTN-3-SYNC_TIMEOUT error message may be triggered.
On a device that is highly loaded, this condition may be leveraged to consume CPU resources that may be required
by another process, resulting in a temporary halt of the queued process. In some situations this may lead to a
drop of transit traffic. An attacker could trigger this vulnerability by sending a series of IPv4 or IPv6 fragments,
that are designed to trigger the error message, directly to the affected device.
Cisco IOS-XE devices rate-limit error messages to once every 60 seconds by default.
Cisco has confirmed the vulnerability and released software updates.
To exploit the vulnerability, an attacker must send a continuous series of network packets to a targeted device. Devices that are protected by network filtering or have access restricted from untrusted networks may be at less risk of exploitation.
Cisco indicates through the CVSS score that functional exploit code exists, however, the code is not known to be publicly available.");
script_tag(name:"qod_type", value:"package");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"last_modification", value:"2023-07-20 05:05:17 +0000 (Thu, 20 Jul 2023)");
script_tag(name:"creation_date", value:"2016-05-10 11:02:10 +0200 (Tue, 10 May 2016)");
script_category(ACT_GATHER_INFO);
script_family("CISCO");
script_copyright("Copyright (C) 2016 Greenbone AG");
script_dependencies("gb_cisco_ios_xe_consolidation.nasl");
script_mandatory_keys("cisco/ios_xe/detected");
exit(0);
}
include("host_details.inc");
include("version_func.inc");
if( ! version = get_app_version( cpe:CPE, nofork:TRUE ) )
exit( 0 );
affected = make_list(
'2.1.0',
'2.1.1',
'2.1.2',
'2.2.1',
'2.2.2',
'2.2.3',
'2.3.0',
'2.3.0t',
'2.3.1t',
'2.3.2',
'2.4.0',
'2.4.1',
'2.5.0',
'2.5.1',
'2.5.2',
'2.6.0',
'2.6.1',
'2.6.2',
'3.1.0S',
'3.1.1S',
'3.1.2S',
'3.1.3S',
'3.1.4S',
'3.1.5S',
'3.1.6S',
'3.2.0S',
'3.2.1S',
'3.2.2S',
'3.2.3S',
'3.3.0S',
'3.3.1S',
'3.3.2S',
'3.4.0S',
'3.4.1S',
'3.4.2S',
'3.4.3S',
'3.4.4S',
'3.4.5S',
'3.4.6S',
'3.5.0S',
'3.5.1S',
'3.5.2S',
'3.6.0S',
'3.6.1S',
'3.6.2S',
'3.7.0S',
'3.7.1S',
'3.7.2S',
'3.7.3S',
'3.7.4S',
'3.7.5S',
'3.7.6S',
'3.7.7S',
'3.8.0S',
'3.8.1S',
'3.8.2S',
'3.9.0S',
'3.9.1S',
'3.9.2S',
'3.10.0S',
'3.10.1S',
'3.10.2S',
'3.10.3S',
'3.11.0S',
'3.11.1S',
'3.11.2S',
'3.11.3S',
'3.12.0S',
'3.12.1S',
'3.13.0S' );
foreach af ( affected )
{
if( version == af )
{
report = report_fixed_ver( installed_version:version, fixed_version:"See advisory" );
security_message( port:0, data:report );
exit( 0 );
}
}
exit( 99 );
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
56.0%