Vulnerabilities > CVE-2008-1151 - Resource Management Errors vulnerability in Cisco IOS

047910
CVSS 7.1 - HIGH
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
cisco
CWE-399
nessus

Summary

Memory leak in the virtual private dial-up network (VPDN) component in Cisco IOS before 12.3 allows remote attackers to cause a denial of service (memory consumption) via a series of PPTP sessions, related to "dead memory" that remains allocated after process termination, aka bug ID CSCsj58566.

Vulnerable Configurations

Part Description Count
OS
Cisco
1534

Common Weakness Enumeration (CWE)

Nessus

NASL familyCISCO
NASL idCISCO-SA-20080326-PPTPHTTP.NASL
descriptionTwo vulnerabilities exist in the virtual private dial-up network (VPDN) solution when Point-to-Point Tunneling Protocol (PPTP) is used in certain Cisco IOS releases prior to 12.3. PPTP is only one of the supported tunneling protocols used to tunnel PPP frames within the VPDN solution. The first vulnerability is a memory leak that occurs as a result of PPTP session termination. The second vulnerability may consume all interface descriptor blocks on the affected device because those devices will not reuse virtual access interfaces. If these vulnerabilities are repeatedly exploited, the memory and/or interface resources of the attacked device may be depleted. Cisco has made free software available to address these vulnerabilities for affected customers. There are no workarounds available to mitigate the effects of these vulnerabilities.
last seen2019-10-28
modified2010-09-01
plugin id49013
published2010-09-01
reporterThis script is (C) 2010-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/49013
titleCisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability - Cisco Systems

Oval

accepted2008-09-08T04:00:19.955-04:00
classvulnerability
contributors
nameYuzheng Zhou
organizationHewlett-Packard
descriptionMemory leak in the virtual private dial-up network (VPDN) component in Cisco IOS before 12.3 allows remote attackers to cause a denial of service (memory consumption) via a series of PPTP sessions, related to "dead memory" that remains allocated after process termination, aka bug ID CSCsj58566.
familyios
idoval:org.mitre.oval:def:5287
statusaccepted
submitted2008-05-26T11:06:36.000-04:00
titleCisco IOS Virtual Private Dial-up Network (VPDN) PPTP Session Termination Memory Leak Vulnerability
version3

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 28460 CVE(CAN) ID: CVE-2008-1151,CVE-2008-1150 Cisco IOS是思科网络设备所使用的互联网操作系统。 如果某些Cisco IOS 12.3之前版本中使用了点到点隧道协议(PPTP)的话,虚拟专用拨号网络(VPDN)中就可能存在两个安全漏洞,远程攻击者可能利用此漏洞获取设备敏感信息或导致设备不可用。 PPTP是VPDN解决方案中用于隧道传输PPP帧的唯一支持隧道协议。在完成PPTP会话时,终止设备上处理器内存会泄露;此外受影响的设备没有删除关联到PPTP会话的虚拟访问接口,之后的连接没有重用接口。这就可能导致耗尽接口描述符块(IDB)限制,在Cisco IOS中无法创建任何新的接口,这就阻断了所有新的VPDN连接,即使路由器仍有足够的处理器内存。必须重启设备才能删除接口。 Cisco IOS 12.2 Cisco IOS 12.1 Cisco IOS 12.0 Cisco已经为此发布了一个安全公告(cisco-sa-20080326-pptp)以及相应补丁: cisco-sa-20080326-pptp:Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability 链接:<a href=http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml target=_blank>http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml</a>
idSSV:3107
last seen2017-11-19
modified2008-03-31
published2008-03-31
reporterRoot
titleCisco IOS虚拟专用拨号网络多个拒绝服务漏洞