CVE-2007-0917 - Unspecified vulnerability in Cisco IOS
Attack vector | UNKNOWN
Attack complexity | UNKNOWN
Privileges required | UNKNOWN
Confidentiality impact | UNKNOWN
Integrity impact | UNKNOWN
Availability impact | UNKNOWN
cisco
nessus
Summary
The Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XE to 12.3T allows remote attackers to bypass IPS signatures that use regular expressions via fragmented packets.
Vulnerable Configurations
Nessus
NASL family | CISCO
NASL id | CISCO-SA-20070213-IOSIPSHTTP.NASL
description | The Intrusion Prevention System (IPS) feature set of Cisco IOS contains several vulnerabilities. These include: - Fragmented IP packets may be used to evade signature inspection. (CVE-2007-0917) - IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause a router to crash resulting in a denial of service. (CVE-2007-0918)
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 49000
published | 2010-09-01
reporter | This script is (C) 2010-2018 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/49000
title | Multiple IOS IPS Vulnerabilities
code

```
#
# (C) Tenable Network Security, Inc.
#
# Security advisory is (C) CISCO, Inc.
# See https://www.cisco.com/en/US/products/products_security_advisory09186a00807e0a5b.shtml

if (NASL_LEVEL < 3000) exit(0);

include("compat.inc");

if (description)
{
  script_id(49000);
  script_version("1.13");
  script_cve_id("CVE-2007-0917", "CVE-2007-0918");
  script_bugtraq_id(22549);
  script_xref(name:"CISCO-BUG-ID", value:"CSCsa53334");
  script_xref(name:"CISCO-BUG-ID", value:"CSCsg15598");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20070213-iosips");
  script_name(english:"Multiple IOS IPS Vulnerabilities");
  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch."
  );
  script_set_attribute(attribute:"description", value:
'The Intrusion Prevention System (IPS) feature set of Cisco IOS contains
several vulnerabilities. These include:
- Fragmented IP packets may be used to evade signature inspection.
(CVE-2007-0917)
- IPS signatures utilizing the regular expression feature of the
ATOMIC.TCP signature engine may cause a router to crash resulting in a
denial of service.
(CVE-2007-0918)'
  );
  script_set_attribute(attribute:"see_also", value: "http://www.nessus.org/u?644ae844");
  # https://www.cisco.com/en/US/products/products_security_advisory09186a00807e0a5b.shtml
  script_set_attribute(attribute:"see_also", value: "http://www.nessus.org/u?a7d0ea33");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in Cisco Security Advisory
cisco-sa-20070213-iosips."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20);
  script_set_attribute(attribute:"plugin_type", value: "local");
  script_set_attribute(attribute:"cpe", value: "cpe:/o:cisco:ios");
  script_set_attribute(attribute:"vuln_publication_date", value: "2007/02/13");
  script_set_attribute(attribute:"patch_publication_date", value: "2007/02/13");
  script_set_attribute(attribute:"plugin_publication_date", value: "2010/09/01");
  script_cvs_date("Date: 2018/11/15 20:50:20");
  script_end_attributes();
  script_summary(english:"Uses SNMP to determine if a flaw is present");
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is (C) 2010-2018 Tenable Network Security, Inc.");
  script_family(english:"CISCO");
  script_dependencie("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version");
  exit(0);
}

include("cisco_func.inc");

#

version = get_kb_item_or_exit("Host/Cisco/IOS/Version");

if (version == '12.4(6)XE2') security_hole(0);
else if (version == '12.4(6)XE1') security_hole(0);
else if (version == '12.4(6)XE') security_hole(0);
else if (version == '12.4(2)XA2') security_hole(0);
else if (version == '12.4(2)XA1') security_hole(0);
else if (version == '12.4(2)XA') security_hole(0);
else if (version == '12.4(11)T') security_hole(0);
else if (version == '12.4(9)T2') security_hole(0);
else if (version == '12.4(9)T1') security_hole(0);
else if (version == '12.4(9)T') security_hole(0);
else if (version == '12.4(2)T2') security_hole(0);
else if (version == '12.4(2)T1') security_hole(0);
else if (version == '12.4(2)T') security_hole(0);
else if (version == '12.4(10a)') security_hole(0);
else if (version == '12.4(10)') security_hole(0);
else if (version == '12.4(8c)') security_hole(0);
else if (version == '12.4(8b)') security_hole(0);
else if (version == '12.4(8a)') security_hole(0);
else if (version == '12.4(8)') security_hole(0);
else if (version == '12.4(7d)') security_hole(0);
else if (version == '12.4(7c)') security_hole(0);
else if (version == '12.4(7b)') security_hole(0);
else if (version == '12.4(7a)') security_hole(0);
else if (version == '12.4(7)') security_hole(0);
else if (version == '12.4(3a)') security_hole(0);
else if (version == '12.4(3)') security_hole(0);
else if (version == '12.4(1b)') security_hole(0);
else if (version == '12.4(1a)') security_hole(0);
else if (version == '12.4(1)') security_hole(0);
else if (version == '12.3(8)ZA') security_hole(0);
else if (version == '12.3(14)YT1') security_hole(0);
else if (version == '12.3(14)YT') security_hole(0);
else if (version == '12.3(11)YS1') security_hole(0);
else if (version == '12.3(11)YS') security_hole(0);
else if (version == '12.3(14)YM4') security_hole(0);
else if (version == '12.3(14)YM3') security_hole(0);
else if (version == '12.3(14)YM2') security_hole(0);
else if (version == '12.3(11)YK2') security_hole(0);
else if (version == '12.3(11)YK1') security_hole(0);
else if (version == '12.3(11)YK') security_hole(0);
else if (version == '12.3(8)YI3') security_hole(0);
else if (version == '12.3(8)YI2') security_hole(0);
else if (version == '12.3(8)YI1') security_hole(0);
else if (version == '12.3(8)YH') security_hole(0);
else if (version == '12.3(8)YG5') security_hole(0);
else if (version == '12.3(8)YG4') security_hole(0);
else if (version == '12.3(8)YG3') security_hole(0);
else if (version == '12.3(8)YG2') security_hole(0);
else if (version == '12.3(8)YG1') security_hole(0);
else if (version == '12.3(8)YG') security_hole(0);
else if (version == '12.3(8)YD1') security_hole(0);
else if (version == '12.3(8)YD') security_hole(0);
else if (version == '12.3(8)YA1') security_hole(0);
else if (version == '12.3(8)YA') security_hole(0);
else if (version == '12.3(8)XX1') security_hole(0);
else if (version == '12.3(8)XX') security_hole(0);
else if (version == '12.3(7)XS2') security_hole(0);
else if (version == '12.3(7)XS1') security_hole(0);
else if (version == '12.3(7)XS') security_hole(0);
else if (version == '12.3(7)XR6') security_hole(0);
else if (version == '12.3(7)XR5') security_hole(0);
else if (version == '12.3(7)XR4') security_hole(0);
else if (version == '12.3(7)XR3') security_hole(0);
else if (version == '12.3(7)XR2') security_hole(0);
else if (version == '12.3(7)XR') security_hole(0);
else if (version == '12.3(4)XQ1') security_hole(0);
else if (version == '12.3(4)XQ') security_hole(0);
else if (version == '12.3(11)XL1') security_hole(0);
else if (version == '12.3(11)XL') security_hole(0);
else if (version == '12.3(14)T3') security_hole(0);
else if (version == '12.3(14)T2') security_hole(0);
else if (version == '12.3(14)T1') security_hole(0);
else if (version == '12.3(14)T') security_hole(0);
else if (version == '12.3(11)T8') security_hole(0);
else if (version == '12.3(11)T7') security_hole(0);
else if (version == '12.3(11)T6') security_hole(0);
else if (version == '12.3(11)T5') security_hole(0);
else if (version == '12.3(11)T4') security_hole(0);
else if (version == '12.3(11)T3') security_hole(0);
else if (version == '12.3(11)T2') security_hole(0);
else if (version == '12.3(11)T') security_hole(0);
else if (version == '12.3(8)T9') security_hole(0);
else if (version == '12.3(8)T8') security_hole(0);
else if (version == '12.3(8)T7') security_hole(0);
else if (version == '12.3(8)T6') security_hole(0);
else if (version == '12.3(8)T5') security_hole(0);
else if (version == '12.3(8)T4') security_hole(0);
else if (version == '12.3(8)T3') security_hole(0);
else if (version == '12.3(8)T11') security_hole(0);
else if (version == '12.3(8)T10') security_hole(0);
else if (version == '12.3(8)T1') security_hole(0);
else if (version == '12.3(8)T') security_hole(0);
else exit(0, 'The host is not affected.');
```

NASL family | CISCO
NASL id | CSCSG15598.NASL
description | The remote version of IOS contains an intrusion prevention system that is affected by a fragmented packet evasion vulnerability and a denial of service vulnerability. An attacker might use these flaws to disable this device remotely or to sneak past the IPS.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 24739
published | 2007-03-01
reporter | This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/24739
title | Cisco IOS Intrusion Prevention System (IPS) Multiple Vulnerabilities (CSCsa53334, CSCsg15598)
code

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if(description)
{
  script_id(24739);
  script_cve_id("CVE-2007-0917", "CVE-2007-0918");
  script_bugtraq_id(22549);
  script_version("1.18");
  script_name(english:"Cisco IOS Intrusion Prevention System (IPS) Multiple Vulnerabilities (CSCsa53334, CSCsg15598)");
  script_set_attribute(attribute:"synopsis", value:
"The remote CISCO device can be crashed remotely."
  );
  script_set_attribute(attribute:"description", value:
"The remote version of IOS contains an intrusion prevention system
that is affected by a fragmented packet evasion vulnerability and a
denial of service vulnerability.

An attacker might use these flaws to disable this device remotely or
to sneak past the IPS."
  );
  script_set_attribute(attribute:"solution", value:
"http://www.nessus.org/u?16b1f263"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20);
  script_set_attribute(attribute:"plugin_publication_date", value: "2007/03/01");
  script_set_attribute(attribute:"vuln_publication_date", value: "2007/02/13");
  script_cvs_date("Date: 2018/06/27 18:42:25");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value: "cpe:/o:cisco:ios");
  script_end_attributes();

  summary["english"] = "Uses SNMP to determine if a flaw is present";
  script_summary(english:summary["english"]);
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
  script_family(english:"CISCO");
  script_dependencie("snmp_sysDesc.nasl", "snmp_cisco_type.nasl");
  script_require_keys("SNMP/community", "SNMP/sysDesc", "CISCO/model");
  exit(0);
}

include('cisco_func.inc');

os = get_kb_item("SNMP/sysDesc");
if(!os)exit(0);
version = extract_version(os);
if ( ! version ) exit(0);

# 12.3 Deprecated
if ( deprecated_version(version, "12.3XQ", "12.3XR", "12.3XS", "12.3XW", "12.3XX", "12.3XY", "12.3YA", "12.3YD", "12.3YG", "12.3YH", "12.3YI", "12.3YJ", "12.3YK", "12.3YS", "12.3YT") ) vuln ++;

if ( check_release(version:version,
                   patched:make_list("12.3(2)T", "12.3(4)T", "12.3(7)T", "12.3(11)T10", "12.3(14)T7"),
                   newest:"12.3(14)T7") ) vuln ++;
if ( check_release(version:version,
                   patched:make_list("12.3(14)YM5"),
                   newest:"12.3(14)YM5") ) vuln ++;
if ( check_release(version:version,
                   patched:make_list("12.3(14)YQ8"),
                   newest:"12.3(14)YQ8") ) vuln ++;
if ( check_release(version:version,
                   patched:make_list("12.3(14)YX3"),
                   newest:"12.3(14)YX3") ) vuln ++;
if ( check_release(version:version,
                   patched:make_list("12.3(11)YZ"),
                   newest:"12.3(11)YZ") ) vuln ++;

# 12.4
if ( deprecated_version(version, "12.4XE") ) vuln ++;

if ( check_release(version:version,
                   patched:make_list("12.4(1c)", "12.4(3b)", "12.4(5)", "12.4(7e)", "12.4(10b)", "12.4(12)"),
                   newest:"12.4(12)") ) vuln ++;
if ( check_release(version:version,
                   patched:make_list("12.4(6)MR1"),
                   newest:"12.4(6)MR1") ) vuln ++;
if ( check_release(version:version,
                   patched:make_list("12.4(2)T3", "12.4(4)T", "12.4(6)T", "12.4(9)T3", "12.4(11)T1"),
                   newest:"12.4(11)T1") ) vuln ++;
if ( check_release(version:version,
                   patched:make_list("12.4(2)XA2"),
                   newest:"12.4(2)XA2") ) vuln ++;
if ( check_release(version:version,
                   patched:make_list("12.4(2)XB3"),
                   newest:"12.4(2)XB3") ) vuln ++;

if ( vuln == 1 ) security_hole(port:161, proto:"udp");
else if ( vuln > 1 ) display("IOS version ", version, " identified as vulnerable by multiple checks\n");
```
Oval
accepted | 2010-06-14T04:00:04.364-04:00
class | vulnerability
contributors |
description | The Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XE to 12.3T allows remote attackers to bypass IPS signatures that use regular expressions via fragmented packets.
family | ios
id | oval:org.mitre.oval:def:5858
status | accepted
submitted | 2008-05-26T11:06:36.000-04:00
title | Cisco IOS Fragmented Packet IPS Evasion Vulnerability
version | 5
References
- http://osvdb.org/33052
- http://secunia.com/advisories/24142
- http://www.cisco.com/en/US/products/products_security_advisory09186a00807e0a5b.shtml
- http://www.cisco.com/en/US/products/products_security_response09186a00807e0a5e.html
- http://www.securityfocus.com/bid/22549
- http://www.securitytracker.com/id?1017631
- http://www.vupen.com/english/advisories/2007/0597
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32473
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5858