Vulnerabilities > CVE-2004-1111 - Denial-Of-Service vulnerability in 7600
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
Cisco IOS 2.2(18)EW, 12.2(18)EWA, 12.2(14)SZ, 12.2(18)S, 12.2(18)SE, 12.2(18)SV, 12.2(18)SW, and other versions without the "no service dhcp" command, keep undeliverable DHCP packets in the queue instead of dropping them, which allows remote attackers to cause a denial of service (dropped traffic) via multiple undeliverable DHCP packets that exceed the input queue size.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 8 | |
| Hardware | 9 |
Nessus
NASL family CISCO NASL id CISCO-SA-20041110-DHCPHTTP.NASL description Cisco IOS devices running branches of Cisco IOS version 12.2S that have Dynamic Host Configuration Protocol (DHCP) server or relay agent enabled, even if not configured, are vulnerable to a denial of service where the input queue becomes blocked when receiving specifically crafted DHCP packets. Cisco is providing free fixed software to address this issue. There are also workarounds to mitigate this vulnerability. This issue was introduced by the fix included in CSCdx46180 and is being tracked by Cisco Bug ID CSCee50294. last seen 2019-10-28 modified 2010-09-01 plugin id 48978 published 2010-09-01 reporter This script is (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/48978 title Cisco IOS DHCP Blocked Interface Denial-of-Service - Cisco Systems code #TRUSTED 35e9d24965327e9bb34082c3192bf795519313e242a6a8a1694efbbb6a42a0e72fba4ec76c9385a5d474c65080a3a58f668617b95f7d960de39b1719f154199484ee5b543e14104f7631c842fafa7fe39a6e8a62d9f91dc9dcd187751006f9a031e99524678d04a920a117d6f8e7ffed367db6b8a4e6ffff78801e1b9abaa28b0303d22d82e52aa767343e14d9feee72a774ddacc43ddeaaac0f20474cf1072077bf4047572a1afd3cfd8922a15792355239bc0fd9b0c8452515aa05685f3ec3c824a3f3d3c44d9fdf69383f9a70af4e8154927d6786de8f90ff9177d55745dfd99013aa222e2ca2aa18b5d589c4c1660c2322ec6e6b51a1726ca3fadc0dd483688c15a06064606e210c4dc9a31de315d3cd3288c0ceddf6335c6b942914f5f36683eddfe4123c9ccc1961887ec710558f325eca39303daba7e58a1653593cac3b87309c3aa7852ab9a516782a6e8e73bc0091673b7264bc717c822802eebd4e82437730c97fce7df28a5a90d92181dce736ab8abdc43665baeacebbd8a6d8b4401d339ad1c73a48fb29e6271b13edbaa1b3deb54bb9baecf09f056449455aa86f22afe9fd4ade58aee9084da5dfd5e0e947e0f5a5ec8ce83b3b087192f2c2ca351402f3b452020f3c7c77b961b9186c05283a5e5c4bbb1960c115b69cf1e8b1307768f22449fb6468c3ee0c435a2530c92fbff8e1407b6b221fae0d6f8ae687 # # (C) Tenable Network Security, Inc. # # Security advisory is (C) CISCO, Inc. # See https://www.cisco.com/en/US/products/products_security_advisory09186a00803448c7.shtml if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(48978); script_version("1.14"); script_set_attribute(attribute:"plugin_modification_date", value:"2018/11/15"); script_cve_id("CVE-2004-1111"); script_xref(name:"CERT", value:"630104"); script_name(english:"Cisco IOS DHCP Blocked Interface Denial-of-Service - Cisco Systems"); script_summary(english:"Checks the IOS version."); script_set_attribute(attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch"); script_set_attribute(attribute:"description", value: 'Cisco IOS devices running branches of Cisco IOS version 12.2S that have Dynamic Host Configuration Protocol (DHCP) server or relay agent enabled, even if not configured, are vulnerable to a denial of service where the input queue becomes blocked when receiving specifically crafted DHCP packets. Cisco is providing free fixed software to address this issue. There are also workarounds to mitigate this vulnerability. This issue was introduced by the fix included in CSCdx46180 and is being tracked by Cisco Bug ID CSCee50294.' ); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20041110-dhcp script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1c793e4c"); # https://www.cisco.com/en/US/products/products_security_advisory09186a00803448c7.shtml script_set_attribute(attribute:"see_also", value: "http://www.nessus.org/u?e24ccf46"); script_set_attribute(attribute:"solution", value: "Apply the relevant patch referenced in Cisco Security Advisory cisco-sa-20041110-dhcp."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/11/10"); script_set_attribute(attribute:"patch_publication_date", value:"2004/11/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/09/01"); script_end_attributes(); script_xref(name:"CISCO-BUG-ID", value:"CSCdx46180"); script_xref(name:"CISCO-BUG-ID", value:"CSCee50294"); script_xref(name:"CISCO-SA", value:"cisco-sa-20041110-dhcp"); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is (C) 2010-2018 Tenable Network Security, Inc."); script_family(english:"CISCO"); script_dependencie("cisco_ios_version.nasl"); script_require_keys("Host/Cisco/IOS/Version"); exit(0); } include("audit.inc"); include("cisco_func.inc"); include("cisco_kb_cmd_func.inc"); flag = 0; report_extra = ""; version = get_kb_item_or_exit("Host/Cisco/IOS/Version"); override = 0; # Affected: 12.2(18)EW if (check_release(version: version, patched: make_list("12.2(18)EW2"), oldest: "12.2(18)EW")) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.2(20)EW if (version =~ "^12\.2\(20\)EW[0-9]*$") { report_extra = '\nUpdate to 12.2(20)EWA or later\n'; flag++; } # Affected: 12.2(18)EWA if (check_release(version: version, patched: make_list("12.2(20)EWA"), oldest: "12.2(18)EWA")) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.2(18)S if (check_release(version: version, patched: make_list("12.2(18)S6"), oldest: "12.2(18)S")) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.2(18)SE if (check_release(version: version, patched: make_list("12.2(20)SE3"), oldest: "12.2(18)SE")) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.2(18)SV if (check_release(version: version, patched: make_list("12.2(24)SV"), oldest: "12.2(18)SV")) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.2(18)SW if (check_release(version: version, patched: make_list("12.2(25)SW"), oldest: "12.2(18)SW")) { report_extra = '\nUpdate to ' + patch_update + ' or later\n'; flag++; } # Affected: 12.2(14)SZ if (version =~ "^12\.2\(14\)SZ[0-9]*$") { report_extra = '\nUpdate to 12.2(20)S4 or later\n'; flag++; } if (get_kb_item("Host/local_checks_enabled")) { if (flag) { flag = 0; buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config", "show running-config"); if (check_cisco_result(buf)) { if (!preg(pattern:"no\s+service\s+dhcp", multiline:TRUE, string:buf)) { flag = 1; } } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; } } } if (flag) { security_warning(port:0, extra:report_extra + cisco_caveat(override)); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family CISCO NASL id CSCEE50294.NASL description The remote router contains a version of IOS which has flaw in the DHCP service/relay service that may let an attacker to disable DHCP serving and or relaying on the remote router. CISCO identifies this vulnerability as bug id CSCee50294. last seen 2020-06-01 modified 2020-06-02 plugin id 15782 published 2004-11-22 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15782 title Cisco IOS Malformed DHCP Packet DoS (CSCee50294) code # # (C) Tenable Network Security # include("compat.inc"); if(description) { script_id(15782); script_bugtraq_id(11649); script_cve_id("CVE-2004-1111"); script_version("1.18"); script_name(english:"Cisco IOS Malformed DHCP Packet DoS (CSCee50294)"); script_set_attribute(attribute:"synopsis", value: "The remote device is missing a vendor-supplied security patch." ); script_set_attribute(attribute:"description", value: "The remote router contains a version of IOS which has flaw in the DHCP service/relay service that may let an attacker to disable DHCP serving and or relaying on the remote router. CISCO identifies this vulnerability as bug id CSCee50294." ); script_set_attribute(attribute:"solution", value: "http://www.nessus.org/u?7f0d4f1a" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_publication_date", value: "2004/11/22"); script_set_attribute(attribute:"vuln_publication_date", value: "2004/11/10"); script_cvs_date("Date: 2018/06/27 18:42:25"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value: "cpe:/o:cisco:ios"); script_end_attributes(); summary["english"] = "Uses SNMP to determine if a flaw is present"; script_summary(english:summary["english"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc."); script_family(english:"CISCO"); script_dependencie("snmp_sysDesc.nasl", "snmp_cisco_type.nasl"); script_require_keys("SNMP/community", "SNMP/sysDesc", "CISCO/model"); exit(0); } # The code starts here ok=0; os = get_kb_item("SNMP/sysDesc"); if(!os)exit(0); hardware = get_kb_item("CISCO/model"); if(!hardware)exit(0); # Check for the required operating system... #---------------------------------------------------------------- # Is this IOS ? if(!egrep(pattern:".*(Internetwork Operating|IOS).*", string:os))exit(0); # 12.2EW if(egrep(string:os, pattern:"((12\.2\(([0-9]|1[0-7])\)|12\.2)EW[0-9]*|12\.2\(18\)EW[0-1]),"))ok=1; # 12.2EWA if(egrep(string:os, pattern:"(12\.2\(([0-9]|1[0-9])\)|12\.2)EWA[0-9]*,"))ok=1; # 12.2S if(egrep(string:os, pattern:"((12\.2\(([0-9]|1[0-7])\)|12\.2)S[0-9]*|12\.2\(18\)S[0-5]),"))ok=1; # 12.2SE if(egrep(string:os, pattern:"((12\.2\(([0-9]|1[0-9])\)|12\.2)SE[0-9]*|12\.2\(20\)SE[0-2]),"))ok=1; # 12.2SV if(egrep(string:os, pattern:"(12\.2\(([0-9]|[1-1][0-9]|2[0-3])\)|12\.2)SV[0-9]*,"))ok=1; # 12.2SW if(egrep(string:os, pattern:"(12\.2\(([0-9]|[1-1][0-9]|2[0-4])\)|12\.2)SW[0-9]*,"))ok=1; # 12.2SZ if(egrep(string:os, pattern:"(12\.2\([0-9]*\)|12\.2)SZ[0-9]*,"))ok=1; #---------------------------------------------- if(ok)security_warning(port:161, proto:"udp");
Oval
| accepted | 2008-09-08T04:00:31.343-04:00 | ||||
| class | vulnerability | ||||
| contributors |
| ||||
| description | Cisco IOS 2.2(18)EW, 12.2(18)EWA, 12.2(14)SZ, 12.2(18)S, 12.2(18)SE, 12.2(18)SV, 12.2(18)SW, and other versions without the "no service dhcp" command, keep undeliverable DHCP packets in the queue instead of dropping them, which allows remote attackers to cause a denial of service (dropped traffic) via multiple undeliverable DHCP packets that exceed the input queue size. | ||||
| family | ios | ||||
| id | oval:org.mitre.oval:def:5632 | ||||
| status | accepted | ||||
| submitted | 2008-05-26T11:06:36.000-04:00 | ||||
| title | Cisco Systems IOS DHCP Input Queue DoS Vulnerability | ||||
| version | 3 |
References
- http://www.ciac.org/ciac/bulletins/p-034.shtml
- http://www.cisco.com/warp/public/707/cisco-sa-20041110-dhcp.shtml
- http://www.kb.cert.org/vuls/id/630104
- http://www.us-cert.gov/cas/techalerts/TA04-316A.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18021
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5632