Vulnerabilities > CVE-2003-0305 - Denial-Of-Service vulnerability in IOS
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
The Service Assurance Agent (SAA) in Cisco IOS 12.0 through 12.2, aka Response Time Reporter (RTR), allows remote attackers to cause a denial of service (crash) via malformed RTR packets to port 1967.
Vulnerable Configurations
Nessus
NASL family CISCO NASL id CISCO-SA-20030515-SAAHTTP.NASL description The Service Assurance Agent (SAA) is the new name for the Response Time Reporter (RTR) feature. The router is vulnerable only if the RTR responder is enabled. When the router receives a malformed RTR packet, it will crash. RTR is disabled by default. There is no workaround short of disabling the RTR responder. It is possible to mitigate the vulnerability by applying the access control list (ACL) on the router. last seen 2020-03-17 modified 2011-06-22 plugin id 55385 published 2011-06-22 reporter This script is (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55385 title Cisco IOS Software Processing of SAA Packets - Cisco Systems code #TRUSTED 4de9d7e39c170615f9c33e9ef7dbbf98ea7ec4e640a8ad2815a66a15f3712f4398a0b6dac19d5b7e79a0a9a7ec82a56e0c7eb952ac48c0a3461986cee61d63dafbd54c2625d797bbaf82ed49d532817ae151389dce7ccedaba29497f8bd5c5a369f30189085c9ab03fefdd7c79dabd5fcc592735930461a45fe7ed24a664dffb01eed327cd864e2748a6b667d75434340024898e1f619e8649799d4cf4c4fc5f037974e44da109255b7c5e111e3d995fd653d30113dbe80d59f4c8e0fda03b4b866709e2784e03d9b458dd8d84f7fd027a14ff519aa7521e08bbf7193551f091f715416a45a153c411ff3e26796f6370269a0d573a19f3288411b4921fbb398fc871de7d8238b7aa5cf66e418b1fd31123d1d09e164f9dfc0b4a1efacf9cf05830d83451fed262941bc91b5b9f77b0f05484dc5e6f51174f096eef78048903826e65f3addb37137ce70317a46473e0cb9b88f96e7ca8d6aa5f5670e01a8a67cee7447e930bd83c2bb8ffd3f61a31c9ee6e56d22dfccd389552f0ab4b864f112f9737240d4c25e0a1525d34fb46a246c0c0da29525a6d6ccf3afb2c1e20aa8b25ef3e41c1cb590482306e63f0262473841f1b895282e88bee115438fc1a680d6cc2a7905e61d3414d19aef1d4179bd645f5f0987d8a20098b006f44fb0763788c87d2ee21ca2ac702cfcaa0c28f68ff46bb7831750e16bd39335560be0e127148 # # (C) Tenable Network Security, Inc. # # Security advisory is (C) CISCO, Inc. # See https://www.cisco.com/en/US/products/products_security_advisory09186a008017ba10.shtml if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(55385); script_version("1.19"); script_set_attribute(attribute:"plugin_modification_date", value:"2018/11/15"); script_cve_id("CVE-2003-0305"); script_bugtraq_id(7607); script_name(english:"Cisco IOS Software Processing of SAA Packets - Cisco Systems"); script_summary(english:"Checks the IOS version."); script_set_attribute(attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch"); script_set_attribute(attribute:"description", value: 'The Service Assurance Agent (SAA) is the new name for the Response Time Reporter (RTR) feature. The router is vulnerable only if the RTR responder is enabled. When the router receives a malformed RTR packet, it will crash. RTR is disabled by default. There is no workaround short of disabling the RTR responder. It is possible to mitigate the vulnerability by applying the access control list (ACL) on the router. '); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030515-saa script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ef55d88d"); # https://www.cisco.com/en/US/products/products_security_advisory09186a008017ba10.shtml script_set_attribute(attribute:"see_also", value: "http://www.nessus.org/u?0bb3e4d4"); script_set_attribute(attribute:"solution", value: "Apply the relevant patch referenced in Cisco Security Advisory cisco-sa-20030515-saa."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios"); script_set_attribute(attribute:"vuln_publication_date", value:"2003/05/15"); script_set_attribute(attribute:"patch_publication_date", value:"2003/05/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/22"); script_end_attributes(); script_xref(name:"CISCO-BUG-ID", value:"CSCdx17916"); script_xref(name:"CISCO-BUG-ID", value:"CSCdx61997"); script_xref(name:"CISCO-SA", value:"cisco-sa-20030515-saa"); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is (C) 2011-2018 Tenable Network Security, Inc."); script_family(english:"CISCO"); script_dependencie("cisco_ios_version.nasl"); script_require_keys("Host/Cisco/IOS/Version"); exit(0); } include("audit.inc"); include("cisco_func.inc"); include("cisco_kb_cmd_func.inc"); flag = 0; report_extra = ""; version = get_kb_item_or_exit("Host/Cisco/IOS/Version"); override = 0; # Affected: 12.0S if (check_release(version: version, patched: make_list("12.0(21)S3", "12.0(21.03)S"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.0SC if (deprecated_version(version, "12.0SC")) { report_extra = '\nNo fix is available for 12.0SC releases. Upgrade to a supported version\n'; flag++; } # Affected: 12.0SL if (deprecated_version(version, "12.0SL")) { report_extra = '\nNo fix is available for 12.0SL releases. Upgrade to a supported version\n'; flag++; } # Affected: 12.0SP if (check_release(version: version, patched: make_list("12.0(20)SP3", "12.0(20.04)SP2"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.0ST if (check_release(version: version, patched: make_list("12.0(19)ST5", "12.0(21)ST2"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.0SX if (deprecated_version(version, "12.0SX")) { report_extra = '\nNo fix is available for 12.0SX releases. Upgrade to a supported version\n'; flag++; } # Affected: 12.0SY if (check_release(version: version, patched: make_list("12.0(21.03)SY", "12.0(22)SY"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.0WC if (check_release(version: version, patched: make_list("12.0(5)WCa"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } if (deprecated_version(version, "12.0XE")) { report_extra = '\nNo fix is available for 12.0XE releases. Upgrade to a supported version\n'; flag++; } # Affected: 12.1 if (check_release(version: version, patched: make_list("12.1(18)", "12.1(18.1)"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.1E if (check_release(version: version, patched: make_list("12.1(12.5)E", "12.1(13)E"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.1EA if (check_release(version: version, patched: make_list("12.1(8)EA1c"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.1EC if (check_release(version: version, patched: make_list("12.1(12c)EC"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.1EW if (check_release(version: version, patched: make_list("12.1(11b)EW", "12.1(11b)EW(0.46)"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.1EX if (check_release(version: version, patched: make_list("12.1(11b)EX"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.1XF if (deprecated_version(version, "12.1XF")) { report_extra = '\nUpdate to 12.1(5)T or later\n'; flag++; } # Affected: 12.1XG if (deprecated_version(version, "12.1XG")) { report_extra = '\nUpdate to 12.1(1)T or later\n'; flag++; } # Affected: 12.1YB if (deprecated_version(version, "12.1YB")) { report_extra = '\nUpdate to 12.1(2)T or later\n'; flag++; } # Affected: 12.1YC if (deprecated_version(version, "12.1YC")) { report_extra = '\nUpdate to 12.1(4)T or later\n'; flag++; } # Affected: 12.2 if (check_release(version: version, patched: make_list("12.2(10)", "12.2(10.4)"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.2(4)B if (version == "12.2(4)B") { report_extra = '\nUpdate to 12.2(13.3)B or later\n'; flag++; } # Affected: 12.2BC if (deprecated_version(version, "12.2BC")) { report_extra = '\nNo fix is available for 12.2BC releases. Upgrade to a supported version\n'; flag++; } # Affected: 12.2BY if (deprecated_version(version, "12.2BY")) { report_extra = '\nUpdate to 12.2(13.3)B or later\n'; flag++; } # Affected: 12.2BZ if (check_release(version: version, patched: make_list("12.2(15)BZ"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.2DA if (check_release(version: version, patched: make_list("12.2(11.4)DA", "12.2(12)DA"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.2MB if (check_release(version: version, patched: make_list("12.2(4)MB5"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.2S if (check_release(version: version, patched: make_list("12.2(11.1)S"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.2XC if (check_release(version: version, patched: make_list("12.2(1a)XC5"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.2XD if (deprecated_version(version, "12.2XD")) { report_extra = '\nUpdate to 12.2(8)YN or later\n'; flag++; } # Affected: 12.2XE if (deprecated_version(version, "12.2XE")) { report_extra = '\nUpdate to 12.2(8)T or later\n'; flag++; } # Affected: 12.2XH if (deprecated_version(version, "12.2XH")) { report_extra = '\nUpdate to 12.2(8)T or later\n'; flag++; } # Affected: 12.2XI if (deprecated_version(version, "12.2XI")) { report_extra = '\nUpdate to 12.2(12)T or later\n'; flag++; } # Affected: 12.2XJ if (deprecated_version(version, "12.2XJ")) { report_extra = '\nUpdate to 12.2(4)YB or later\n'; flag++; } # Affected: 12.2XK if (check_release(version: version, patched: make_list("12.2(2)XK3"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.2XL if (check_release(version: version, patched: make_list("12.2(4)XL5"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.2XM if (deprecated_version(version, "12.2XM")) { report_extra = '\nUpdate to 12.2(8)YB or later\n'; flag++; } # Affected: 12.2YA if (check_release(version: version, patched: make_list("12.2(4)YA3"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.2YB if (check_release(version: version, patched: make_list("12.2(8)YB"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.2YC if (check_release(version: version, patched: make_list("12.2(4)YC4"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.2YF if (deprecated_version(version, "12.2YF")) { report_extra = '\nNo fix is available for 12.2YF releases. Upgrade to a supported version\n'; flag++; } # Affected: 12.2YG if (check_release(version: version, patched: make_list("12.2(4)YG"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.2YH if (check_release(version: version, patched: make_list("12.2(4)YH"))) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } if (get_kb_item("Host/local_checks_enabled")) { if (flag) { flag = 0; buf = cisco_command_kb_item("Host/Cisco/Config/show rtr responder", "show rtr responder"); if (check_cisco_result(buf)) { if (preg(pattern:"RTR\s+Responder\s+is:\s+Enabled", multiline:TRUE, string:buf)) { flag = 1; } } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; } } } if (flag) { security_hole(port:0, extra:report_extra + cisco_caveat(override)); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family CISCO NASL id CSCDX17916.NASL description It is possible to crash the remote router by sending malformed Response Time Responder (RTR) packets. For this flaw to be exploitable, the router needs to have RTR responder enabled. This bug is referenced as CISCO bug id CSCdx17916 and CSCdx61997. last seen 2017-10-29 modified 2014-08-11 plugin id 11632 published 2003-05-16 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=11632 title Cisco IOS SAA Malformed RTR Packet DoS (CSCdx17916, CSCdx61997) code #%NASL_MIN_LEVEL 999999 # # (C) Tenable Network Security, Inc. # # @DEPRECATED@ # # Disabled on 2010/11/15. Use cisco-sa-20030515-saa.nasl (plugin ID 48970) instead. # include("compat.inc"); if(description) { script_id(11632); script_cve_id("CVE-2003-0305"); script_version("1.18"); script_cvs_date("Date: 2018/08/22 16:49:13"); script_name(english:"Cisco IOS SAA Malformed RTR Packet DoS (CSCdx17916, CSCdx61997)"); script_set_attribute(attribute:"synopsis", value: "The remote device is missing a vendor-supplied security patch." ); script_set_attribute(attribute:"description", value: "It is possible to crash the remote router by sending malformed Response Time Responder (RTR) packets. For this flaw to be exploitable, the router needs to have RTR responder enabled. This bug is referenced as CISCO bug id CSCdx17916 and CSCdx61997." ); script_set_attribute(attribute:"solution", value: "See http://www.nessus.org/u?7e84eef2" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_attribute(attribute:"cpe", value: "cpe:/o:cisco:ios"); script_set_attribute(attribute:"plugin_publication_date", value: "2003/05/16"); script_set_attribute(attribute:"vuln_publication_date", value: "2003/05/15"); script_end_attributes(); summary["english"] = "Uses SNMP to determine if a flaw is present"; script_summary(english:summary["english"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is (C) 2003-2018 Tenable Network Security, Inc."); script_family(english:"CISCO"); script_dependencie("snmp_sysDesc.nasl", "snmp_cisco_type.nasl"); script_require_keys("SNMP/community", "SNMP/sysDesc", "CISCO/model"); exit(0); } # Deprecated exit(0, "This plugin has been deprecated. Use cisco-sa-20030515-saa.nasl (plugin ID 48970) instead."); # The code starts here ok=0; os = get_kb_item("SNMP/sysDesc"); if(!os)exit(0); hardware = get_kb_item("CISCO/model"); if(!hardware)exit(0); # Check for the required operating system... #---------------------------------------------------------------- # Is this IOS ? if(!egrep(pattern:".*(Internetwork Operating|IOS).*", string:os))exit(0); # 12.0S if(egrep(string:os, pattern:"((12\.0\(([0-9]|[1-1][0-9]|2[0-0])\)|12\.0)S[0-9]*|12\.0\(21\)S[0-2]),"))ok=1; # 12.0SC if(egrep(string:os, pattern:"(12\.0\([0-9]*\)|12\.0)SC[0-9]*,"))ok=1; # 12.0SL if(egrep(string:os, pattern:"(12\.0\([0-9]*\)|12\.0)SL[0-9]*,"))ok=1; # 12.0ST if(egrep(string:os, pattern:"((12\.0\(([0-9]|[1-1][0-9]|2[0-0])\)|12\.0)ST[0-9]*|12\.0\(21\)ST[0-1]),"))ok=1; # 12.0WC if(egrep(string:os, pattern:"(12\.0\([0-4]\)|12\.0)WC[0-9]*,"))ok=1; # 12.0SX if(egrep(string:os, pattern:"(12\.0\([0-9]*\)|12\.0)SX[0-9]*,"))ok=1; # 12.0SY if(egrep(string:os, pattern:"(12\.0\(([0-9]|[1-1][0-9]|2[0-1])\)|12\.0)SY[0-9]*,"))ok=1; # 12.1 if(egrep(string:os, pattern:"(12\.1\(([0-9]|1[0-7])\)|12\.1),"))ok=1; # 12.1E if(egrep(string:os, pattern:"(12\.1\(([0-9]|1[0-2])\)|12\.1)E[0-9]*,"))ok=1; # 12.1EA if(egrep(string:os, pattern:"(12\.1\([0-9]*\)|12\.1)EA[0-9]*,"))ok=1; # 12.1EW if(egrep(string:os, pattern:"(12\.1\(([0-9]|1[0-0])\)|12\.1)EW[0-9]*,"))ok=1; # 12.1EX if(egrep(string:os, pattern:"(12\.1\(([0-9]|1[0-0])\)|12\.1)EX[0-9]*,"))ok=1; # 12.1XF if(egrep(string:os, pattern:"(12\.1\([0-9]*\)|12\.1)XF[0-9]*,"))ok=1; # 12.1XG if(egrep(string:os, pattern:"(12\.1\([0-9]*\)|12\.1)XG[0-9]*,"))ok=1; # 12.1YG if(egrep(string:os, pattern:"(12\.1\([0-9]*\)|12\.1)YG[0-9]*,"))ok=1; # 12.1YC if(egrep(string:os, pattern:"(12\.1\([0-9]*\)|12\.1)YC[0-9]*,"))ok=1; # 12.2 if(egrep(string:os, pattern:"(12\.2\([0-9]\)|12\.2),"))ok=1; # 12.2BC if(egrep(string:os, pattern:"(12\.2\([0-9]*\)|12\.2)BC[0-9]*,"))ok=1; # 12.2BY if(egrep(string:os, pattern:"(12\.2\([0-9]*\)|12\.2)BY[0-9]*,"))ok=1; # 12.2BZ if(egrep(string:os, pattern:"(12\.2\(([0-9]|1[0-4])\)|12\.2)BZ[0-9]*,"))ok=1; # 12.2DA if(egrep(string:os, pattern:"(12\.2\(([0-9]|1[0-1])\)|12\.2)DA[0-9]*,"))ok=1; # 12.2MB if(egrep(string:os, pattern:"((12\.2\([0-3]\)|12\.2)MB[0-9]*|12\.2\(4\)MB[0-4]),"))ok=1; # 12.2S if(egrep(string:os, pattern:"(12\.2\(([0-9]|1[0-1])\)|12\.2)S[0-9]*,"))ok=1; # 12.2XC if(egrep(string:os, pattern:"((12\.2\([0-0]\)|12\.2)XC[0-9]*|12\.2\(1\)XC[0-4]),"))ok=1; # 12.2XD if(egrep(string:os, pattern:"(12\.2\([0-9]*\)|12\.2)XD[0-9]*,"))ok=1; # 12.2XE if(egrep(string:os, pattern:"(12\.2\([0-9]*\)|12\.2)XE[0-9]*,"))ok=1; # 12.2XH if(egrep(string:os, pattern:"(12\.2\([0-9]*\)|12\.2)XH[0-9]*,"))ok=1; # 12.2XI if(egrep(string:os, pattern:"(12\.2\([0-9]*\)|12\.2)XI[0-9]*,"))ok=1; # 12.2XJ if(egrep(string:os, pattern:"(12\.2\([0-9]*\)|12\.2)XJ[0-9]*,"))ok=1; # 12.2XK if(egrep(string:os, pattern:"((12\.2\([0-1]\)|12\.2)XK[0-9]*|12\.2\(2\)XK[0-2]),"))ok=1; # 12.2XL if(egrep(string:os, pattern:"((12\.2\([0-3]\)|12\.2)XL[0-9]*|12\.2\(4\)XL[0-4]),"))ok=1; # 12.2XM if(egrep(string:os, pattern:"(12\.2\([0-9]*\)|12\.2)XM[0-9]*,"))ok=1; # 12.2YA if(egrep(string:os, pattern:"((12\.2\([0-3]\)|12\.2)YA[0-9]*|12\.2\(4\)YA[0-2]),"))ok=1; # 12.2YB if(egrep(string:os, pattern:"(12\.2\([0-7]\)|12\.2)YB[0-9]*,"))ok=1; # 12.2YC if(egrep(string:os, pattern:"((12\.2\([0-3]\)|12\.2)YC[0-9]*|12\.2\(4\)YC[0-3]),"))ok=1; # 12.2YF if(egrep(string:os, pattern:"(12\.2\([0-9]*\)|12\.2)YF[0-9]*,"))ok=1; # 12.2YG if(egrep(string:os, pattern:"(12\.2\([0-3]\)|12\.2)YG[0-9]*,"))ok=1; # 12.2YH if(egrep(string:os, pattern:"(12\.2\([0-3]\)|12\.2)YH[0-9]*,"))ok=1; #---------------------------------------------- if(ok)security_warning(port:161, proto:"udp");
Oval
| accepted | 2008-09-08T04:00:30.972-04:00 | ||||
| class | vulnerability | ||||
| contributors |
| ||||
| description | The Service Assurance Agent (SAA) in Cisco IOS 12.0 through 12.2, aka Response Time Reporter (RTR), allows remote attackers to cause a denial of service (crash) via malformed RTR packets to port 1967. | ||||
| family | ios | ||||
| id | oval:org.mitre.oval:def:5608 | ||||
| status | accepted | ||||
| submitted | 2008-05-02T11:06:36.000-04:00 | ||||
| title | Cisco IOS Denial of Service Vulnerability | ||||
| version | 3 |