Vulnerabilities > CVE-2007-0918 - Unspecified vulnerability in Cisco IOS

047910
CVSS 7.1 - HIGH
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
cisco
nessus

Summary

The ATOMIC.TCP signature engine in the Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XA, 12.3YA, 12.3T, and other trains allows remote attackers to cause a denial of service (IPS crash and traffic loss) via unspecified manipulations that are not properly handled by the regular expression feature, as demonstrated using the 3123.0 (Netbus Pro Traffic) signature.

Nessus

  • NASL family: CISCO
    NASL id: CISCO-SA-20070213-IOSIPSHTTP.NASL
    description: The Intrusion Prevention System (IPS) feature set of Cisco IOS contains several vulnerabilities. These include: - Fragmented IP packets may be used to evade signature inspection. (CVE-2007-0917) - IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause a router to crash resulting in a denial of service. (CVE-2007-0918)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 49000
    published: 2010-09-01
    reporter: This script is (C) 2010-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/49000
    title: Multiple IOS IPS Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # Security advisory is (C) CISCO, Inc.
    # See https://www.cisco.com/en/US/products/products_security_advisory09186a00807e0a5b.shtml
    
    # Stop immediately on interpreters whose NASL_LEVEL is below 3000.
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    # Metadata registration pass: when `description` is set the script only
    # declares its identifiers, references, scoring and dependencies, then
    # exits (see the exit(0) at the end of this branch) without testing the host.
    if (description)
    {
     script_id(49000);
     script_version("1.13");
     # One plugin covers both IPS issues: fragment-based signature evasion
     # (CVE-2007-0917) and the ATOMIC.TCP regular-expression crash (CVE-2007-0918).
     script_cve_id("CVE-2007-0917", "CVE-2007-0918");
     script_bugtraq_id(22549);
     script_xref(name:"CISCO-BUG-ID", value:"CSCsa53334");
     script_xref(name:"CISCO-BUG-ID", value:"CSCsg15598");
     script_xref(name:"CISCO-SA", value:"cisco-sa-20070213-iosips");
    
     script_name(english:"Multiple IOS IPS Vulnerabilities");
     script_set_attribute(attribute:"synopsis", value:
    "The remote device is missing a vendor-supplied security patch." );
     script_set_attribute(attribute:"description", value:
    'The Intrusion Prevention System (IPS) feature set of Cisco IOS
    contains several vulnerabilities. These include: 
    
      - Fragmented IP packets may be used to evade
        signature inspection. (CVE-2007-0917)
    
      - IPS signatures utilizing the regular expression
        feature of the ATOMIC.TCP signature engine may
        cause a router to crash resulting in a denial
        of service. (CVE-2007-0918)'
     );
     script_set_attribute(attribute:"see_also", value: "http://www.nessus.org/u?644ae844");
     # https://www.cisco.com/en/US/products/products_security_advisory09186a00807e0a5b.shtml
     script_set_attribute(attribute:"see_also", value: "http://www.nessus.org/u?a7d0ea33");
     script_set_attribute(attribute:"solution", value:
    "Apply the relevant patch referenced in Cisco Security Advisory
    cisco-sa-20070213-iosips."
     );
     # CVSS v2 base vector: network-reachable, medium access complexity, no
     # authentication, availability impact only (complete).
     script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
     # CVSS v2 temporal vector: exploitability unproven, official fix available,
     # report confirmed.
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
     # CWE-20: Improper Input Validation.
     script_cwe_id(20);
     # "local" plugin type: the verdict comes from data already collected about
     # the host (the KB version key required below), not from probing the IPS.
     script_set_attribute(attribute:"plugin_type", value: "local");
     script_set_attribute(attribute:"cpe", value: "cpe:/o:cisco:ios");
     script_set_attribute(attribute:"vuln_publication_date", value: "2007/02/13");
     script_set_attribute(attribute:"patch_publication_date", value: "2007/02/13");
     script_set_attribute(attribute:"plugin_publication_date", value: "2010/09/01");
     script_cvs_date("Date: 2018/11/15 20:50:20");
    
     script_end_attributes();
     # NOTE(review): the summary text mentions SNMP, but the only declared input
     # is the Host/Cisco/IOS/Version KB key produced by cisco_ios_version.nasl;
     # how that key was collected is not visible in this script.
     script_summary(english:"Uses SNMP to determine if a flaw is present");
     # ACT_GATHER_INFO: information-gathering category; nothing in this script
     # sends traffic at the IPS engine.
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is (C) 2010-2018 Tenable Network Security, Inc.");
     script_family(english:"CISCO");
     # The check depends on the IOS version string stored in the KB by
     # cisco_ios_version.nasl and requires that key to be present.
     script_dependencie("cisco_ios_version.nasl");
     script_require_keys("Host/Cisco/IOS/Version");
     exit(0);
    }
    include("cisco_func.inc");
    
    #
    
    # Version-only verdict: the IOS release string recorded in the KB is compared,
    # by exact string equality, against a fixed list of releases. Nothing here
    # inspects the running configuration, so a match means "this release is on
    # the affected list", not "the IPS feature is confirmed enabled".
    # get_kb_item_or_exit() stops the script when the key is missing.
    version = get_kb_item_or_exit("Host/Cisco/IOS/Version");
    
    # Releases this plugin reports as affected. Matching is exact, so any release
    # string that is not spelled out below falls through to "not affected".
    # NOTE(review): '12.4(2)XA2' is listed as affected here, while the other
    # Nessus plugin for the same CVEs (plugin id 24739) names 12.4(2)XA2 as the
    # patched release for that train - confirm against cisco-sa-20070213-iosips.
    affected_releases = make_list(
      '12.4(6)XE2', '12.4(6)XE1', '12.4(6)XE',
      '12.4(2)XA2', '12.4(2)XA1', '12.4(2)XA',
      '12.4(11)T',
      '12.4(9)T2', '12.4(9)T1', '12.4(9)T',
      '12.4(2)T2', '12.4(2)T1', '12.4(2)T',
      '12.4(10a)', '12.4(10)',
      '12.4(8c)', '12.4(8b)', '12.4(8a)', '12.4(8)',
      '12.4(7d)', '12.4(7c)', '12.4(7b)', '12.4(7a)', '12.4(7)',
      '12.4(3a)', '12.4(3)',
      '12.4(1b)', '12.4(1a)', '12.4(1)',
      '12.3(8)ZA',
      '12.3(14)YT1', '12.3(14)YT',
      '12.3(11)YS1', '12.3(11)YS',
      '12.3(14)YM4', '12.3(14)YM3', '12.3(14)YM2',
      '12.3(11)YK2', '12.3(11)YK1', '12.3(11)YK',
      '12.3(8)YI3', '12.3(8)YI2', '12.3(8)YI1',
      '12.3(8)YH',
      '12.3(8)YG5', '12.3(8)YG4', '12.3(8)YG3', '12.3(8)YG2', '12.3(8)YG1', '12.3(8)YG',
      '12.3(8)YD1', '12.3(8)YD',
      '12.3(8)YA1', '12.3(8)YA',
      '12.3(8)XX1', '12.3(8)XX',
      '12.3(7)XS2', '12.3(7)XS1', '12.3(7)XS',
      '12.3(7)XR6', '12.3(7)XR5', '12.3(7)XR4', '12.3(7)XR3', '12.3(7)XR2', '12.3(7)XR',
      '12.3(4)XQ1', '12.3(4)XQ',
      '12.3(11)XL1', '12.3(11)XL',
      '12.3(14)T3', '12.3(14)T2', '12.3(14)T1', '12.3(14)T',
      '12.3(11)T8', '12.3(11)T7', '12.3(11)T6', '12.3(11)T5',
      '12.3(11)T4', '12.3(11)T3', '12.3(11)T2', '12.3(11)T',
      '12.3(8)T9', '12.3(8)T8', '12.3(8)T7', '12.3(8)T6',
      '12.3(8)T5', '12.3(8)T4', '12.3(8)T3',
      '12.3(8)T11', '12.3(8)T10', '12.3(8)T1', '12.3(8)T'
    );
    
    # Linear scan; stop at the first exact match.
    is_affected = FALSE;
    foreach release (affected_releases)
    {
      if (version == release)
      {
        is_affected = TRUE;
        break;
      }
    }
    
    # A match raises the finding on port 0; anything else exits with an
    # explanatory message and no finding.
    if (is_affected)
      security_hole(0);
    else
      exit(0, 'The host is not affected.');
    
  • NASL family: CISCO
    NASL id: CSCSG15598.NASL
    description: The remote version of IOS contains an intrusion prevention system that is affected by a fragmented packet evasion vulnerability and a denial of service vulnerability. An attacker might use these flaws to disable this device remotely or to sneak past the IPS.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24739
    published: 2007-03-01
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24739
    title: Cisco IOS Intrusion Prevention System (IPS) Multiple Vulnerabilities (CSCsa53334, CSCsg15598)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    # Metadata registration pass: when `description` is set the script only
    # declares its identifiers, scoring and dependencies, then exits (see the
    # exit(0) at the end of this branch) without evaluating the host.
    if(description)
    {
     script_id(24739);
     # Covers both IPS issues: fragmented-packet evasion (CVE-2007-0917) and the
     # denial of service (CVE-2007-0918).
     script_cve_id("CVE-2007-0917", "CVE-2007-0918");
     script_bugtraq_id(22549);
     script_version("1.18");
    
     script_name(english:"Cisco IOS Intrusion Prevention System (IPS) Multiple Vulnerabilities (CSCsa53334, CSCsg15598)");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote CISCO device can be crashed remotely." );
     script_set_attribute(attribute:"description", value:
    "The remote version of IOS contains an intrusion prevention system
    that is affected by a fragmented packet evasion vulnerability and a
    denial of service vulnerability. 
    
    An attacker might use these flaws to disable this device remotely or to 
    sneak past the IPS." );
     # The solution field carries only a shortened link; no fixed release is
     # named in the plugin text itself.
     script_set_attribute(attribute:"solution", value:
    "http://www.nessus.org/u?16b1f263" );
      # CVSS v2 base vector: network-reachable, low access complexity, no
      # authentication, availability impact only (complete).
      # NOTE(review): access complexity is Low here, whereas the other Nessus
      # plugin for the same CVE pair (plugin id 49000) uses AC:M - confirm which
      # rating is intended.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      # CVSS v2 temporal vector: exploitability unproven, official fix available,
      # report confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
     # CWE-20: Improper Input Validation.
     script_cwe_id(20);
     script_set_attribute(attribute:"plugin_publication_date", value: "2007/03/01");
     script_set_attribute(attribute:"vuln_publication_date", value: "2007/02/13");
     script_cvs_date("Date: 2018/06/27 18:42:25");
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value: "cpe:/o:cisco:ios");
     script_end_attributes();
    
     summary["english"] = "Uses SNMP to determine if a flaw is present";
     script_summary(english:summary["english"]);
    
     # ACT_GATHER_INFO: information-gathering category; the verdict is derived
     # from the SNMP data named in the required keys below.
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
    
     script_family(english:"CISCO");
    
     # Inputs come from the SNMP plugins listed here. The required keys mean the
     # check only applies to hosts where an SNMP community, a sysDesc value and a
     # Cisco model were recorded; devices not reachable over SNMP get no verdict
     # from this plugin.
     script_dependencie("snmp_sysDesc.nasl", "snmp_cisco_type.nasl");
     script_require_keys("SNMP/community", "SNMP/sysDesc", "CISCO/model");
     exit(0);
    }
    
    
    include('cisco_func.inc');
    
    # Derive the IOS release from the SNMP sysDesc string stored in the KB and
    # compare it with per-train lists. The script exits silently (no finding, no
    # message) when the sysDesc value is missing or no version can be extracted.
    # The verdict is based on the reported release only; nothing here checks
    # whether the IPS feature is actually configured on the device.
    # extract_version(), deprecated_version() and check_release() are not defined
    # in this listing - presumably they come from cisco_func.inc; their exact
    # matching rules should be confirmed there.
    os = get_kb_item("SNMP/sysDesc"); if(!os)exit(0);
    version = extract_version(os);
    if ( ! version ) exit(0);
    
    
    
    # NOTE(review): `vuln` is never assigned in the visible code before the first
    # `vuln ++`, so the counter relies on how the interpreter treats an unset
    # variable (unless an include defines it) - confirm.
    # 12.3 trains handed to deprecated_version(); the original label for this
    # group is "12.3 Deprecated".
    if ( deprecated_version(version, "12.3XQ", "12.3XR", "12.3XS", "12.3XW", "12.3XX", "12.3XY", "12.3YA", "12.3YD", "12.3YG", "12.3YH", "12.3YI", "12.3YJ", "12.3YK", "12.3YS", "12.3YT") ) vuln ++;
    
    
    # 12.3 trains with named patched releases; each matching check adds one to
    # the counter.
    if ( check_release(version:version,
    		   patched:make_list("12.3(2)T", "12.3(4)T", "12.3(7)T", "12.3(11)T10", "12.3(14)T7"),
    		   newest:"12.3(14)T7") ) vuln ++;
    
    if ( check_release(version:version,
    		   patched:make_list("12.3(14)YM5"),
    		   newest:"12.3(14)YM5") ) vuln ++;
    
    if ( check_release(version:version,
    		   patched:make_list("12.3(14)YQ8"),
    		   newest:"12.3(14)YQ8") ) vuln ++;
    
    if ( check_release(version:version,
    		   patched:make_list("12.3(14)YX3"),
    		   newest:"12.3(14)YX3") ) vuln ++;
    
    if ( check_release(version:version,
    		   patched:make_list("12.3(11)YZ"),
    		   newest:"12.3(11)YZ") ) vuln ++;
    # 12.4
    
    if ( deprecated_version(version, "12.4XE") ) vuln ++;
    
    if ( check_release(version:version,
    		   patched:make_list("12.4(1c)", "12.4(3b)", "12.4(5)", "12.4(7e)", "12.4(10b)", "12.4(12)"),
    		   newest:"12.4(12)") ) vuln ++;
    
    
    if ( check_release(version:version,
    		   patched:make_list("12.4(6)MR1"),
    		   newest:"12.4(6)MR1") ) vuln ++;
    
    if ( check_release(version:version,
    		   patched:make_list("12.4(2)T3", "12.4(4)T", "12.4(6)T", "12.4(9)T3", "12.4(11)T1"),
    		   newest:"12.4(11)T1") ) vuln ++;
    
    # NOTE(review): 12.4(2)XA2 is given as the patched release here, while the
    # other Nessus plugin for the same CVEs (plugin id 49000) lists 12.4(2)XA2 as
    # affected - confirm against cisco-sa-20070213-iosips.
    if ( check_release(version:version,
    		   patched:make_list("12.4(2)XA2"),
    		   newest:"12.4(2)XA2") ) vuln ++;
    
    if ( check_release(version:version,
    		   patched:make_list("12.4(2)XB3"),
    		   newest:"12.4(2)XB3") ) vuln ++;
    
    # A finding is raised (against UDP/161) only when exactly one check matched.
    # When more than one check matches, the script only prints a diagnostic via
    # display() and raises no finding, so such a host is not reported by this
    # plugin; with no match nothing is emitted at all.
    if ( vuln == 1 ) security_hole(port:161, proto:"udp");
    else if ( vuln > 1 ) display("IOS version ", version, " identified as vulnerable by multiple checks\n");
    

Oval

accepted: 2008-09-08T04:00:50.379-04:00
class: vulnerability
contributors:
name: Yuzheng Zhou
organization: Hewlett-Packard
description: The ATOMIC.TCP signature engine in the Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XA, 12.3YA, 12.3T, and other trains allows remote attackers to cause a denial of service (IPS crash and traffic loss) via unspecified manipulations that are not properly handled by the regular expression feature, as demonstrated using the 3123.0 (Netbus Pro Traffic) signature.
family: ios
id: oval:org.mitre.oval:def:5832
status: accepted
submitted: 2008-05-26T11:06:36.000-04:00
title: Cisco IOS Regular Expression ATOMIC.TCP DoS Vulnerability
version: 3