CVE-2008-2060 - Configuration vulnerability in Cisco Intrusion Prevention System 5.1/6.0

CVSS 7.8 - HIGH
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: COMPLETE
Tags: network, cisco, CWE-16, nessus

Summary

Unspecified vulnerability in Cisco Intrusion Prevention System (IPS) 5.x before 5.1(8)E2 and 6.x before 6.0(5)E2, when inline mode and jumbo Ethernet support are enabled, allows remote attackers to cause a denial of service (panic), and possibly bypass intended restrictions on network traffic, via a "specific series of jumbo Ethernet frames."

Vulnerable Configurations

Part          Description   Count
Application   Cisco         2

Common Weakness Enumeration (CWE)

Nessus

NASL family: CISCO
NASL id: CISCO-SA-20080618-IPS.NASL
description: According to its self-reported version, the version of the Cisco Intrusion Prevention System Software running on the remote host may be vulnerable to a denial of service (DoS) attack caused by a kernel panic. This is due to the handling of jumbo Ethernet frames when gigabit network interfaces are installed and are deployed in inline mode.
last seen: 2019-10-28
modified: 2013-08-14
plugin id: 69335
published: 2013-08-14
reporter: This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/69335
title: Cisco Intrusion Prevention System Jumbo Frame Denial of Service (cisco-sa-20080618-ips)
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(69335);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/11/15");

  script_cve_id("CVE-2008-2060");
  script_bugtraq_id(29791);
  script_xref(name:"CISCO-BUG-ID", value:"CSCso64762");
  script_xref(name:"IAVT", value:"2008-T-0030");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20080618-ips");

  script_name(english:"Cisco Intrusion Prevention System Jumbo Frame Denial of Service (cisco-sa-20080618-ips)");
  script_summary(english:"Checks IPS version");

  script_set_attribute(attribute:"synopsis", value:"The remote security appliance is missing a vendor-supplied patch.");
  script_set_attribute(
    attribute:"description",
    value:
"According to its self-reported version, the version of the Cisco
Intrusion Prevention System Software running on the remote host may be
vulnerable to a denial of service (DoS) attack caused by a kernel panic.
This is due to the handling of jumbo Ethernet frames when gigabit
network interfaces are installed and are deployed in inline mode."
  );
  # https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20080618-ips.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?84dc8ff1");
  script_set_attribute(
    attribute:"solution",
    value:
"Apply the relevant update referenced in Cisco Security Advisory
cisco-sa-20080618-ips."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(16);

  script_set_attribute(attribute:"vuln_publication_date", value:"2008/06/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2008/06/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:intrusion_prevention_system");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ips_version.nasl");
  script_require_keys("Host/Cisco/IPS/Version");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");


##
# Compares two strings representing versions (assumes the strings are "." delimited).
#
# @param fix     The second version string.
# @param ver     The first version string.
#
# @return -1 if ver < fix, 0 if ver == fix, or 1 if ver > fix.
##
function ips_ver_compare(fix, ver)
{
  local_var ffield, vfield, flen, vlen, len, i;
  # replace ( and ) with dots to make comparisons more accurate
  ver = ereg_replace(pattern:'[()]', replace:".", string:ver);
  fix = ereg_replace(pattern:'[()]', replace:".", string:fix);
  # Break apart the version strings into numeric fields.
  ver = split(ver, sep:'.', keep:FALSE);
  fix = split(fix, sep:'.', keep:FALSE);
  # Both versions must have the same number of fields when
  # doing a strict comparison.
  vlen = max_index(ver);
  flen = max_index(fix);
  len = vlen;
  if (flen > len) len = flen;
  # Compare each pair of fields in the version strings.
  for (i = 0; i < len; i++)
  {
    if (i >= vlen) vfield = 0;
    else vfield = ver[i];
    if (i >= flen) ffield = 0;
    else ffield = fix[i];
    if ( (int(vfield) == vfield) && (int(ffield) == ffield) )
    {
      vfield = int(ver[i]);
      ffield = int(fix[i]);
    }
    if (vfield < ffield) return -1;
    if (vfield > ffield) return 1;
  }
  return 0;
}

ver = get_kb_item_or_exit('Host/Cisco/IPS/Version');
model = get_kb_item_or_exit('Host/Cisco/IPS/Model');
display_fix = "";

if (model =~ "4235" ||
    model =~ "4240" ||
    model =~ "4250" ||
    model =~ "4250SX" ||
    model =~ "4250TX" ||
    model =~ "4250XL" ||
    model =~ "4255" ||
    model =~ "4260" ||
    model =~ "4270")
{
  if ( (ver =~ "^5\.") && (ips_ver_compare(ver:ver, fix:"5.1(8)E2") < 0) )
    display_fix = "5.1(8)E2";
  if ( (ver =~ "^6\.") && (ips_ver_compare(ver:ver, fix:"6.0(5)E2") < 0) )
    display_fix = "6.0(5)E2";
}

if (display_fix == "")
  audit(AUDIT_INST_VER_NOT_VULN, 'Cisco IPS', ver);

flag = 1;
override = 0;

if (get_kb_item("Host/local_checks_enabled"))
{
  flag = 0;
  buf = cisco_command_kb_item("Host/Cisco/Config/show_interfaces", "show interfaces");
  if (check_cisco_result(buf))
  {
    if (preg(pattern:"Inline Mode = Paired with", multiline:TRUE, string:buf)) { flag = 1; }
  } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; }
}

if (flag)
{
  report =
    '\n  Installed version : ' + ver +
    '\n  Fixed version     : ' + display_fix + '\n';
  security_hole(port:0, extra:report + cisco_caveat(override));
}
else audit(AUDIT_HOST_NOT, "affected");

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 29791 CVE(CAN) ID: CVE-2008-2060

The Cisco Intrusion Prevention System is a family of network security appliances that provides network-based threat prevention services.

Certain Cisco IPS platforms have a denial of service vulnerability in their handling of jumbo Ethernet packets. If a gigabit network interface on a vulnerable Cisco IPS platform deployed in inline mode receives specific jumbo Ethernet frames, a kernel panic occurs, leaving the platform completely inoperable and causing a network denial of service. Platforms deployed only in promiscuous mode, and platforms without gigabit network interfaces, are not affected.

Successful exploitation of the vulnerability described here may result in a network denial of service, and the device must be power cycled to restore operation. The Cisco IPS 4260/4270 platforms are equipped with a hardware bypass that passes traffic when the system panics, so an attacker can bypass access controls and malicious-activity detection.

Cisco IPS 6.x
Cisco IPS 5.x

Vendor patch:
Cisco
-----
Cisco has published a security advisory (cisco-sa-20080618-ips) and corresponding patches:
cisco-sa-20080618-ips: Cisco Intrusion Prevention System Jumbo Frame Denial of Service
Link: http://www.cisco.com/warp/public/707/cisco-sa-20080618-ips.shtml
Patch downloads:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ips5?psrtdcat20e2
http://www.cisco.com/pcgi-bin/tablebuild.pl/ips6?psrtdcat20e2
id: SSV:3446
last seen: 2017-11-19
modified: 2008-06-20
published: 2008-06-20
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-3446
title: Cisco IPS Platform Inline Mode Denial of Service Vulnerability