Vulnerabilities > CVE-2007-0917 - Multiple vulnerabilities in Cisco IOS Intrusion Prevention System

047910
CVSS 6.4 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
cisco
nessus

Summary

The Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XE to 12.3T allows remote attackers to bypass IPS signatures that use regular expressions via fragmented packets.

Nessus

  • NASL family: CISCO
    NASL id: CISCO-SA-20070213-IOSIPSHTTP.NASL
    description: The Intrusion Prevention System (IPS) feature set of Cisco IOS contains several vulnerabilities. These include: - Fragmented IP packets may be used to evade signature inspection. (CVE-2007-0917) - IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause a router to crash resulting in a denial of service. (CVE-2007-0918)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 49000
    published: 2010-09-01
    reporter: This script is (C) 2010-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/49000
    title: Multiple IOS IPS Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # Security advisory is (C) CISCO, Inc.
    # See https://www.cisco.com/en/US/products/products_security_advisory09186a00807e0a5b.shtml
    
    # Stop immediately on NASL engines that report a level below 3000.
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    # Metadata registration. This branch only declares the plugin's identity,
    # references, scoring and prerequisites, then leaves via exit(0) so the
    # version check further down is not executed in the same pass.
    if (description)
    {
     script_id(49000);
     script_version("1.13");
     # One plugin covers both issues: the fragmented-packet signature evasion
     # (CVE-2007-0917) and the ATOMIC.TCP regex crash (CVE-2007-0918).
     script_cve_id("CVE-2007-0917", "CVE-2007-0918");
     script_bugtraq_id(22549);
     script_xref(name:"CISCO-BUG-ID", value:"CSCsa53334");
     script_xref(name:"CISCO-BUG-ID", value:"CSCsg15598");
     script_xref(name:"CISCO-SA", value:"cisco-sa-20070213-iosips");
    
     script_name(english:"Multiple IOS IPS Vulnerabilities");
     script_set_attribute(attribute:"synopsis", value:
    "The remote device is missing a vendor-supplied security patch." );
     script_set_attribute(attribute:"description", value:
    'The Intrusion Prevention System (IPS) feature set of Cisco IOS
    contains several vulnerabilities. These include: 
    
      - Fragmented IP packets may be used to evade
        signature inspection. (CVE-2007-0917)
    
      - IPS signatures utilizing the regular expression
        feature of the ATOMIC.TCP signature engine may
        cause a router to crash resulting in a denial
        of service. (CVE-2007-0918)'
     );
     script_set_attribute(attribute:"see_also", value: "http://www.nessus.org/u?644ae844");
     # https://www.cisco.com/en/US/products/products_security_advisory09186a00807e0a5b.shtml
     script_set_attribute(attribute:"see_also", value: "http://www.nessus.org/u?a7d0ea33");
     script_set_attribute(attribute:"solution", value:
    "Apply the relevant patch referenced in Cisco Security Advisory
    cisco-sa-20070213-iosips."
     );
     # NOTE(review): this base vector scores availability only (C:N/I:N/A:C),
     # which matches the crash (CVE-2007-0918). The IPS evasion issue
     # (CVE-2007-0917) registered above is not reflected in it, so a finding
     # ranked by this score understates the evasion risk.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
     # CWE-20: Improper Input Validation.
     script_cwe_id(20);
     # Declared as a "local" check: the verdict is derived from data already
     # collected about the host (the IOS version key required below), not from
     # traffic sent through the IPS.
     script_set_attribute(attribute:"plugin_type", value: "local");
     script_set_attribute(attribute:"cpe", value: "cpe:/o:cisco:ios");
     script_set_attribute(attribute:"vuln_publication_date", value: "2007/02/13");
     script_set_attribute(attribute:"patch_publication_date", value: "2007/02/13");
     script_set_attribute(attribute:"plugin_publication_date", value: "2010/09/01");
     script_cvs_date("Date: 2018/11/15 20:50:20");
    
     script_end_attributes();
     # NOTE(review): the summary says SNMP, but the check code reads only the
     # Host/Cisco/IOS/Version KB key. How that key gets populated is decided by
     # cisco_ios_version.nasl, which is not shown here - confirm the wording.
     script_summary(english:"Uses SNMP to determine if a flaw is present");
     # ACT_GATHER_INFO: registered as an information-gathering check.
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is (C) 2010-2018 Tenable Network Security, Inc.");
     script_family(english:"CISCO");
     # Prerequisite: cisco_ios_version.nasl must run first and the IOS version
     # key must be present, otherwise this plugin is not evaluated for the host.
     script_dependencie("cisco_ios_version.nasl");
     script_require_keys("Host/Cisco/IOS/Version");
     exit(0);
    }
    include("cisco_func.inc");
    
    #
    
    # IOS version string recorded in the KB; the helper exits if it is missing.
    version = get_kb_item_or_exit("Host/Cisco/IOS/Version");
    
    # Exact IOS builds this plugin reports. Matching is by string equality
    # only, so any build not spelled out here is treated as unaffected.
    # A match says only that the running image is one of these builds; this
    # code does not look at whether the IPS feature is actually configured.
    # NOTE(review): '12.4(2)XA2' is listed here, while the second plugin on
    # this page (id 24739) names 12.4(2)XA2 as its patched release for that
    # train - verify against the Cisco advisory.
    affected_versions = make_list(
      # 12.4 special and T trains
      '12.4(6)XE2', '12.4(6)XE1', '12.4(6)XE',
      '12.4(2)XA2', '12.4(2)XA1', '12.4(2)XA',
      '12.4(11)T',
      '12.4(9)T2', '12.4(9)T1', '12.4(9)T',
      '12.4(2)T2', '12.4(2)T1', '12.4(2)T',
      # 12.4 mainline
      '12.4(10a)', '12.4(10)',
      '12.4(8c)', '12.4(8b)', '12.4(8a)', '12.4(8)',
      '12.4(7d)', '12.4(7c)', '12.4(7b)', '12.4(7a)', '12.4(7)',
      '12.4(3a)', '12.4(3)',
      '12.4(1b)', '12.4(1a)', '12.4(1)',
      # 12.3 special trains
      '12.3(8)ZA',
      '12.3(14)YT1', '12.3(14)YT',
      '12.3(11)YS1', '12.3(11)YS',
      '12.3(14)YM4', '12.3(14)YM3', '12.3(14)YM2',
      '12.3(11)YK2', '12.3(11)YK1', '12.3(11)YK',
      '12.3(8)YI3', '12.3(8)YI2', '12.3(8)YI1',
      '12.3(8)YH',
      '12.3(8)YG5', '12.3(8)YG4', '12.3(8)YG3', '12.3(8)YG2', '12.3(8)YG1', '12.3(8)YG',
      '12.3(8)YD1', '12.3(8)YD',
      '12.3(8)YA1', '12.3(8)YA',
      '12.3(8)XX1', '12.3(8)XX',
      '12.3(7)XS2', '12.3(7)XS1', '12.3(7)XS',
      '12.3(7)XR6', '12.3(7)XR5', '12.3(7)XR4', '12.3(7)XR3', '12.3(7)XR2', '12.3(7)XR',
      '12.3(4)XQ1', '12.3(4)XQ',
      '12.3(11)XL1', '12.3(11)XL',
      # 12.3 T train
      '12.3(14)T3', '12.3(14)T2', '12.3(14)T1', '12.3(14)T',
      '12.3(11)T8', '12.3(11)T7', '12.3(11)T6', '12.3(11)T5', '12.3(11)T4',
      '12.3(11)T3', '12.3(11)T2', '12.3(11)T',
      '12.3(8)T9', '12.3(8)T8', '12.3(8)T7', '12.3(8)T6', '12.3(8)T5',
      '12.3(8)T4', '12.3(8)T3', '12.3(8)T11', '12.3(8)T10', '12.3(8)T1', '12.3(8)T'
    );
    
    # Walk the list and remember whether the detected version is on it.
    is_affected = FALSE;
    foreach candidate (affected_versions)
    {
      if (version == candidate)
        is_affected = TRUE;
    }
    
    # Report once on a match; otherwise leave with the "not affected" message.
    if (is_affected)
      security_hole(0);
    else
      exit(0, 'The host is not affected.');
    
  • NASL family: CISCO
    NASL id: CSCSG15598.NASL
    description: The remote version of IOS contains an intrusion prevention system that is affected by a fragmented packet evasion vulnerability and a denial of service vulnerability. An attacker might use these flaws to disable this device remotely or to sneak past the IPS.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24739
    published: 2007-03-01
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24739
    title: Cisco IOS Intrusion Prevention System (IPS) Multiple Vulnerabilities (CSCsa53334, CSCsg15598)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    # Metadata registration. This branch only declares the plugin's identity,
    # references, scoring and prerequisites, then leaves via exit(0) so the
    # check code further down is not executed in the same pass.
    if(description)
    {
     script_id(24739);
     # Covers both the fragmented-packet IPS evasion (CVE-2007-0917) and the
     # denial of service (CVE-2007-0918).
     script_cve_id("CVE-2007-0917", "CVE-2007-0918");
     script_bugtraq_id(22549);
     script_version("1.18");
    
     script_name(english:"Cisco IOS Intrusion Prevention System (IPS) Multiple Vulnerabilities (CSCsa53334, CSCsg15598)");
    
     # NOTE(review): the synopsis mentions only the crash; the description
     # below also covers evading the IPS, which a reader skimming the synopsis
     # would miss.
     script_set_attribute(attribute:"synopsis", value:
    "The remote CISCO device can be crashed remotely." );
     script_set_attribute(attribute:"description", value:
    "The remote version of IOS contains an intrusion prevention system
    that is affected by a fragmented packet evasion vulnerability and a
    denial of service vulnerability. 
    
    An attacker might use these flaws to disable this device remotely or to 
    sneak past the IPS." );
     # The solution text is a shortened link only; no remediation wording is
     # carried in the plugin itself.
     script_set_attribute(attribute:"solution", value:
    "http://www.nessus.org/u?16b1f263" );
      # NOTE(review): the base vector scores availability only (C:N/I:N/A:C),
      # i.e. the denial of service; the evasion issue is not reflected in it.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
     # CWE-20: Improper Input Validation.
     script_cwe_id(20);
     script_set_attribute(attribute:"plugin_publication_date", value: "2007/03/01");
     script_set_attribute(attribute:"vuln_publication_date", value: "2007/02/13");
     script_cvs_date("Date: 2018/06/27 18:42:25");
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value: "cpe:/o:cisco:ios");
     script_end_attributes();
    
     summary["english"] = "Uses SNMP to determine if a flaw is present";
     script_summary(english:summary["english"]);
    
     # ACT_GATHER_INFO: registered as an information-gathering check.
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
    
     script_family(english:"CISCO");
    
     # Prerequisites: an SNMP community, the SNMP sysDesc string and a Cisco
     # model must already be in the KB. A device that did not answer SNMP
     # during the scan is therefore never evaluated by this plugin, which is a
     # coverage gap to keep in mind when reading a clean result.
     script_dependencie("snmp_sysDesc.nasl", "snmp_cisco_type.nasl");
     script_require_keys("SNMP/community", "SNMP/sysDesc", "CISCO/model");
     exit(0);
    }
    
    
    include('cisco_func.inc');
    
    # Version check driven by the SNMP system description stored in the KB.
    # Each matching train check increments `vuln`; the result is reported at
    # the end. `vuln` is not initialised in the visible code, so the first
    # increment relies on how NASL treats an unset variable - TODO confirm.
    # Leave silently when no sysDesc was collected.
    os = get_kb_item("SNMP/sysDesc"); if(!os)exit(0);
    # extract_version() is not defined on this page (presumably it comes from
    # cisco_func.inc and pulls the IOS version out of the sysDesc text).
    version = extract_version(os);
    if ( ! version ) exit(0);
    
    
    
    # 12.3 trains passed to deprecated_version(); presumably these are trains
    # with no fixed build, so any version on them counts - verify in
    # cisco_func.inc.
    if ( deprecated_version(version, "12.3XQ", "12.3XR", "12.3XS", "12.3XW", "12.3XX", "12.3XY", "12.3YA", "12.3YD", "12.3YG", "12.3YH", "12.3YI", "12.3YJ", "12.3YK", "12.3YS", "12.3YT") ) vuln ++;
    
    
    # check_release() is an opaque helper here; presumably it is true when the
    # version belongs to the train of `newest` and predates the listed
    # `patched` builds - verify in cisco_func.inc.
    # 12.3T
    if ( check_release(version:version,
    		   patched:make_list("12.3(2)T", "12.3(4)T", "12.3(7)T", "12.3(11)T10", "12.3(14)T7"),
    		   newest:"12.3(14)T7") ) vuln ++;
    
    # 12.3YM
    if ( check_release(version:version,
    		   patched:make_list("12.3(14)YM5"),
    		   newest:"12.3(14)YM5") ) vuln ++;
    
    # 12.3YQ
    if ( check_release(version:version,
    		   patched:make_list("12.3(14)YQ8"),
    		   newest:"12.3(14)YQ8") ) vuln ++;
    
    # 12.3YX
    if ( check_release(version:version,
    		   patched:make_list("12.3(14)YX3"),
    		   newest:"12.3(14)YX3") ) vuln ++;
    
    # 12.3YZ
    if ( check_release(version:version,
    		   patched:make_list("12.3(11)YZ"),
    		   newest:"12.3(11)YZ") ) vuln ++;
    # 12.4 trains start here; 12.4XE is handled like the 12.3 trains passed to
    # deprecated_version() above.
    
    if ( deprecated_version(version, "12.4XE") ) vuln ++;
    
    # 12.4 mainline
    if ( check_release(version:version,
    		   patched:make_list("12.4(1c)", "12.4(3b)", "12.4(5)", "12.4(7e)", "12.4(10b)", "12.4(12)"),
    		   newest:"12.4(12)") ) vuln ++;
    
    
    # 12.4MR
    if ( check_release(version:version,
    		   patched:make_list("12.4(6)MR1"),
    		   newest:"12.4(6)MR1") ) vuln ++;
    
    # 12.4T
    if ( check_release(version:version,
    		   patched:make_list("12.4(2)T3", "12.4(4)T", "12.4(6)T", "12.4(9)T3", "12.4(11)T1"),
    		   newest:"12.4(11)T1") ) vuln ++;
    
    # 12.4XA
    # NOTE(review): 12.4(2)XA2 is given as the patched build here, while the
    # other plugin on this page (id 49000) reports exactly '12.4(2)XA2' as
    # affected. If `patched` means "fixed in", the two plugins disagree for
    # that build - verify against the Cisco advisory.
    if ( check_release(version:version,
    		   patched:make_list("12.4(2)XA2"),
    		   newest:"12.4(2)XA2") ) vuln ++;
    
    # 12.4XB
    if ( check_release(version:version,
    		   patched:make_list("12.4(2)XB3"),
    		   newest:"12.4(2)XB3") ) vuln ++;
    
    # A finding is raised on SNMP (udp/161) only when exactly one check matched.
    # NOTE(review): when more than one check matches, the code only prints a
    # message with display() and calls no security_hole(), so the scan results
    # would not list the host as affected - confirm this is intended.
    if ( vuln == 1 ) security_hole(port:161, proto:"udp");
    else if ( vuln > 1 ) display("IOS version ", version, " identified as vulnerable by multiple checks\n");
    

Oval

accepted: 2010-06-14T04:00:04.364-04:00
class: vulnerability
contributors:
  • name: Yuzheng Zhou
    organization: Hewlett-Packard
  • name: KASHIF LATIF
    organization: DTCC
description: The Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XE to 12.3T allows remote attackers to bypass IPS signatures that use regular expressions via fragmented packets.
family: ios
id: oval:org.mitre.oval:def:5858
status: accepted
submitted: 2008-05-26T11:06:36.000-04:00
title: Cisco IOS Fragmented Packet IPS Evasion Vulnerability
version: 5