CVE-2012-1338 - Race Condition vulnerability in Cisco products

CVSS 6.3 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: SINGLE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: COMPLETE
Tags: network, cisco, CWE-362, nessus

Summary

Cisco IOS 15.0 and 15.1 on Catalyst 3560 and 3750 series switches allows remote authenticated users to cause a denial of service (device reload) by completing local web authentication quickly, aka Bug ID CSCts88664.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition that occurs when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the accesses take place. The attacker can leverage a race condition by "running the race", modifying the resource and altering the normal execution flow. For instance, a race condition can occur while a file is being accessed: the attacker can trick the system by replacing the original file with their own version, causing the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) of a resource and the time of use of that resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that they modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that window, the attacker could, for example, replace the file and cause an escalation of privilege.
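
The file-access case described in the TOCTOU entry above, as an added example (not part of the original page, and not a model of the Cisco bug, whose internals the page does not give). It puts a check-then-use open beside a hardened open-then-check form; the function names, the window hook that stands in for a concurrent actor, and the temp-directory files are constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static char g_file[64], g_other[64];  /* constructed paths, set by demo() */

/* Stand-in for the concurrent actor: replace g_file by a symlink to g_other. */
static void swap_path(void) {
    if (unlink(g_file) != 0 || symlink(g_other, g_file) != 0) perror("swap");
}

/* Racy: the check (lstat) and the use (open) each resolve the name again. */
int open_racy(const char *path, void (*window)(void)) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1; /* check */
    if (window) window();           /* gap between check and use */
    return open(path, O_RDONLY);    /* use: the name may now mean another file */
}

/* Hardened: open first, then check the object the descriptor refers to. */
int open_safe(const char *path, void (*window)(void)) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);  /* refuses a symlink at path */
    if (fd < 0) return -1;
    if (window) window();           /* a swap here cannot change what fd is */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    return fd;
}

/* Returns the byte read via opener: 'A' = the checked file, 'B' = the other. */
int demo(int (*opener)(const char *, void (*)(void))) {
    char dir[] = "/tmp/toctouXXXXXX", c = 0;
    if (!mkdtemp(dir)) return -2;
    snprintf(g_file, sizeof g_file, "%s/checked", dir);
    snprintf(g_other, sizeof g_other, "%s/other", dir);
    FILE *f = fopen(g_file, "w");  if (!f) return -2;  fputc('A', f); fclose(f);
    f = fopen(g_other, "w");       if (!f) return -2;  fputc('B', f); fclose(f);
    int fd = opener(g_file, swap_path);
    if (fd >= 0) { if (read(fd, &c, 1) != 1) c = 0; close(fd); }
    unlink(g_file); unlink(g_other); rmdir(dir);
    return fd < 0 ? -1 : c;
}

int main(void) {
    return printf("racy: %c, safe: %c\n", demo(open_racy), demo(open_safe)) < 0;
}
```

The racy form reads the file that was never checked, while the hardened form reads the file it validated, because its check is made on the open descriptor rather than on the name.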

Nessus

NASL family: CISCO
NASL id: CISCO_IOS_WEBAUTH_DOS.NASL
description: The version of Cisco IOS installed on the remote host is affected by a denial of service vulnerability due to an error while parsing local web authentication. A remote attacker, by entering an extremely rapid input of credentials, can exploit this to crash the switch, forcing a reboot.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 61492
published: 2012-08-10
reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/61492
title: Cisco IOS Web Authentication DoS
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(61492);
  script_version("1.7");
  script_cvs_date("Date: 2018/07/06 11:26:05");

  script_cve_id("CVE-2012-1338");
  script_bugtraq_id(54834);
  script_xref(name:"CISCO-BUG-ID", value:"CSCts88664");

  script_name(english:"Cisco IOS Web Authentication DoS");
  script_summary(english:"Checks the IOS version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The version of Cisco IOS installed on the remote host is affected by a
denial of service vulnerability due to an error while parsing local
web authentication. A remote attacker, by entering an extremely rapid
input of credentials, can exploit this to crash the switch, forcing a
reboot.");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/security/center/viewAlert.x?alertId=26615");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCts88664");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCts88664.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/06/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/08/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
  script_family(english:"CISCO");

  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version", "Host/Cisco/IOS/Model");
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

model = get_kb_item_or_exit("Host/Cisco/IOS/Model");

if ("3750-E" >!< model && "3560-E" >!< model)
  audit(AUDIT_HOST_NOT, "affected");

version = get_kb_item_or_exit("Host/Cisco/IOS/Version");

flag = 0;

if (version =="15.0(0.0.85)SE1") flag++;
if (version =="15.0(1)EW") flag++;
if (version =="15.0(2)EW") flag++;
if (version =="15.0(3)EW") flag++;
if (version =="15.0(4)EW") flag++;
if (version =="15.0(5)EW") flag++;
if (version =="15.0(6)EW") flag++;
if (version =="15.0(7)EW") flag++;
if (version =="15.0(8)EW") flag++;
if (version =="15.0(1)SE") flag++;
if (version =="15.0(1)SE1") flag++;
if (version =="15.0(1)SE2") flag++;
if (version =="15.0(1)SE3") flag++;
if (version =="15.0(2)SE") flag++;
if (version =="15.0(2)SE1") flag++;
if (version =="15.0(2)SE2") flag++;
if (version =="15.0(2)SG") flag++;
if (version =="15.0(2)SG1") flag++;
if (version =="15.0(2)SG2") flag++;
if (version =="15.0(2)SG3") flag++;
if (version =="15.0(2)SG4") flag++;
if (version =="15.0(2)SG5") flag++;
if (version =="15.0(2)SG6") flag++;

if (flag)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Installed version : ' + version +
      '\n  Cisco bug ID      : CSCts88664' +
      '\n';
    security_warning(port:0, extra:report);
  }
  else security_warning(port:0);
}
else audit(AUDIT_HOST_NOT, "affected");