Vulnerabilities > CVE-2004-1436 - Multiple vulnerability in Cisco ONS

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
cisco
nessus
NVD
Published: 2004-12-31
Updated: 2018-10-30

Summary

The Transaction Language 1 (TL1) login interface in Cisco ONS 15327 4.6(0) and 4.6(1) and 15454 and 15454 SDH 4.6(0) and 4.6(1), when a user account is configured with a blank password, allows remote attackers to gain unauthorized access by logging in with a password larger than 10 characters.

Vulnerable Configurations

Part Description Count
Application
Cisco
23

Nessus

NASL familyCISCO
NASL idCISCO_ONS_MULTIPLE_VULNERABILITIES.NASL
descriptionThe remote Cisco ONS platform contains various vulnerabilities that may allow a remote attacker to cause a denial of service in the remote control cards or to bypass authentication on the remote device.
last seen2020-06-01
modified2020-06-02
plugin id16201
published2005-01-18
reporterThis script is (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/16201
titleCisco ONS Multiple Remote Vulnerabilities (20040721-ons)
code
#
# (C) Tenable Network Security, Inc.
#

#These vulnerabilities are documented as the following Cisco bug IDs
#    * CSCed06531 (IP)
#    * CSCed86946 (ICMP)
#    * CSCec88426/CSCec88508/CSCed85088/CSCeb07263/CSCec21429 (TCP)
#    * CSCec59739/CSCed02439/CSCed22547 (Last-ACK)
#    * CSCec88402/CSCed31918/CSCed83309/CSCec85982/CSCec21435/CSCee03697 (UDP)
#    * CSCea16455/CSCea37089/CSCea37185 (SNMP)
#    * CSCee27329 (passwd)


include("compat.inc");

if(description)
{
 script_id(16201);
 script_cve_id(
   "CVE-2004-1432", 
   "CVE-2004-1433", 
   "CVE-2004-1434", 
   "CVE-2004-1435", 
   "CVE-2004-1436"
 );
 script_bugtraq_id(10768);
 script_version("1.21");

 script_name(english:"Cisco ONS Multiple Remote Vulnerabilities (20040721-ons)");

 script_set_attribute(attribute:"synopsis", value:
"The remote network device is affected by multiple vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The remote Cisco ONS platform contains various vulnerabilities that
may allow a remote attacker to cause a denial of service in the remote
control cards or to bypass authentication on the remote device." );
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040721-ons
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?08fb347d" );
 script_set_attribute(attribute:"solution", value:
"Apply the appropriate update as referenced in the vendor advisory
above." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/01/18");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/07/21");
 script_set_attribute(attribute:"patch_publication_date", value: "2004/07/21");
 script_cvs_date("Date: 2018/11/15 20:50:20");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe",value:"cpe:/o:cisco:ons");
script_end_attributes();


 summary["english"] = "Uses SNMP to determine if a flaw is present";
 script_summary(english:summary["english"]);

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is (C) 2005-2018 Tenable Network Security, Inc.");

 script_family(english:"CISCO");

 script_dependencie("snmp_sysDesc.nasl");
 script_require_keys("SNMP/sysDesc");
 exit(0);
}

port = 0;

sysDesc = get_kb_item("SNMP/sysDesc"); 
if ( ! sysDesc ) exit(0);

if ("Cisco ONS" >!< sysDesc ) exit(0);

if ( egrep(pattern:"Cisco ONS 15327.*", string:sysDesc) ) 
{
 version = chomp(ereg_replace(pattern:".*Cisco ONS 15327.* ([0-9.]*)-.*", string:sysDesc, replace:"\1"));
 int_version = eregmatch(pattern:"^([0-9]+)\.([0-9])([0-9])$", string:version);
 if ( int(int_version[1]) <= 3 ) security_hole(port);
 else if ( int(int_version[1]) == 4 && int(int_version[2]) == 0 && int(int_version[3]) <= 2) security_hole(port);
 else if ( int(int_version[1]) == 4 && int(int_version[2]) == 1 && int(int_version[3]) <= 3) security_hole(port);
 else if ( int(int_version[1]) == 4 && int(int_version[2]) == 6 && int(int_version[3]) <= 1) security_hole(port);
}
else if ( egrep(pattern:"Cisco ONS 15454.*", string:sysDesc) ) 
{
 version = chomp(ereg_replace(pattern:".*Cisco ONS 15454.* ([0-9.]*)-.*", string:sysDesc, replace:"\1"));
 int_version = eregmatch(pattern:"^([0-9]+)\.([0-9])([0-9])$", string:version);
 if ( int(int_version[1]) <= 3 ) security_hole(port);
 else if ( int(int_version[1]) == 4 && int(int_version[2]) == 0 && int(int_version[3]) <= 2) security_hole(port);
 else if ( int(int_version[1]) == 4 && int(int_version[2]) == 1 && int(int_version[3]) <= 3) security_hole(port);
 else if ( int(int_version[1]) == 4 && int(int_version[2]) == 5 ) security_hole(port);
 else if ( int(int_version[1]) == 4 && int(int_version[2]) == 6 && int(int_version[3]) <= 1) security_hole(port);
}
else if ( egrep(pattern:"Cisco ONS 15600.*", string:sysDesc) ) 
{
 version = chomp(ereg_replace(pattern:".*Cisco ONS 15600.* ([0-9.]*)-.*", string:sysDesc, replace:"\1"));
 int_version = eregmatch(pattern:"^([0-9]+)\.([0-9])([0-9])$", string:version);
 if ( int(int_version[1]) <= 1 ) security_hole(port);
}

References