Vulnerabilities > CVE-2014-2176 - Resource Management Errors vulnerability in Cisco products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

Cisco IOS XR 4.1.2 through 5.1.1 on ASR 9000 devices, when a Trident-based line card is used, allows remote attackers to cause a denial of service (NP chip and line card reload) via malformed IPv6 packets, aka Bug ID CSCun71928.

Common Weakness Enumeration (CWE)

Nessus

NASL familyCISCO
NASL idCISCO-SA-20140611-IPV6-IOSXR.NASL
descriptionAccording to its self-reported version, the version of Cisco IOS XR running on the remote host is affected by a denial of service vulnerability due to the improper handling of IPv6 packets. A remote, unauthenticated attacker can cause the device to lock up by rapidly sending specially crafted IPv6 packets. Note that this issue only affects Trident-based line cards on Cisco ASR 9000 series routers. Also, if IPv6 is not enabled, the device can still be exploited by a host on an adjacent network.
last seen2019-10-28
modified2014-06-30
plugin id76312
published2014-06-30
reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/76312
titleCisco IOS XR Software IPv6 Malformed Packet DoS (cisco-sa-20140611-ipv6)
code
#TRUSTED 47b15add16efe804fe85e40e2588271a29404f56e2c6eb6daecb85d891f75c304bc65d1052432c6cccb3b5ae3d25f49bba0a3f24270f5d439032515dba962f1549f9c807c3277442edc674db2fc022d7a49257f7459e705be487814406c29ad99d979fa3aaf051483720782ad45975720d92f1a2bcf013efb90d4f77fc673359d18187d6179f990d453275dddadeda5bfe1384ad1a1136c5a4db7afe0b8bbadd63ded41790b314a721f5017b95fa06231a1cd2d2ae3f81d61c2d7a83eced6352ae7017d506a8f6f015ecc1a8cd18d35172314cfb40198b4d9f007330875b87d57822039cf814c88cfdcf9525256b2c5e1ae89ab0c0ac564966f3d22c3617928dac32ad856e13516cd8b2cb33ff0df9767dec0d98c344aa6b43d584f395532f29638ea348e37bf2e25513ed44f75bfabd3227aa41b51dada9e3feb11670d59899afe1f9a528bea92029ad09c04d7f031e8ed01981a36cb079979531fa7828d3145a9e35242d214eb6341c3a2bbb1e50ef636d04846cdf2a39062b6c791cb78a0efc0edcf55fec0a6a8db0e261155e6976eb39e5f7c01dd856823a523d73a5275f1dda1e4696804c27c434341d079fb636a6e4642657c105a1110bd97e2f8b42e6587cf14aad8ce2562513ad53d1eb0f0bd57e53b692d34134b5504473ce1354a2f07b2b93ac54a67ecf960a872fd7b9ec2e882b606adeabc13cca617c8ba3d2f8
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(76312);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/11/15");

  script_cve_id("CVE-2014-2176");
  script_bugtraq_id(68005);
  script_xref(name:"CISCO-BUG-ID", value:"CSCun71928");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20140611-ipv6");

  script_name(english:"Cisco IOS XR Software IPv6 Malformed Packet DoS (cisco-sa-20140611-ipv6)");
  script_summary(english:"Checks the IOS XR version.");
  script_set_attribute(attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the version of Cisco IOS XR
running on the remote host is affected by a denial of service
vulnerability due to the improper handling of IPv6 packets. A remote,
unauthenticated attacker can cause the device to lock up by rapidly
sending specially crafted IPv6 packets.

Note that this issue only affects Trident-based line cards on Cisco
ASR 9000 series routers. Also, if IPv6 is not enabled, the device can
still be exploited by a host on an adjacent network.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140611-ipv6
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?28457895");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/security/center/viewAlert.x?alertId=33902");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in Cisco Security Advisory
cisco-sa-20140611-ipv6.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/06/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/04/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/30");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
  script_family(english:"CISCO");

  script_dependencies("cisco_ios_xr_version.nasl");
  script_require_keys("Host/Cisco/IOS-XR/Version");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

# check model
model = get_kb_item("CISCO/model");
if (!isnull(model) && model !~ "ciscoASR9[0-9]{3}")
  audit(AUDIT_HOST_NOT, "affected");
else if (isnull(model))
{
  model = get_kb_item_or_exit("Host/Cisco/IOS-XR/Model");
  if ("ASR9K" >!< model) audit(AUDIT_HOST_NOT, "affected");
}

version = get_kb_item_or_exit("Host/Cisco/IOS-XR/Version");

# Patches are available for the versions below
if (
  report_paranoia < 2 &&
  (
    version == "4.1.2" || version == "4.2.1" || version == "4.2.3" ||
    version == "4.3.1" || version == "4.3.2" || version == "4.3.4" ||
    version == "5.1.1"
  )
) audit(AUDIT_PARANOID);


flag = 0;

if ( version =~ "^3\.[79]\.[0-3]$" ) flag++;
else if ( version =~ "^3\.8\.[0-4]$" ) flag++;
else if ( version =~ "^4\.0\.[0-4]$" ) flag++;
else if ( version =~ "^4\.1\.[0-2]$" ) flag++;
else if ( version =~ "^4\.2\.[0-4]$" ) flag++;
else if ( version =~ "^4\.3\.[0-4]$" ) flag++;
else if ( version =~ "^5\.1\.[01]$" ) flag++;

if (!flag) audit(AUDIT_INST_VER_NOT_VULN, 'Cisco IOS XR', version);

flag     = FALSE;
override = FALSE;

if (get_kb_item("Host/local_checks_enabled"))
{
  buf = cisco_command_kb_item("Host/Cisco/Config/show_diag", "show diag");
  if (check_cisco_result(buf))
  {
    pat = "A9K-(40GE-L|40GE-B|40GE-E|4T-L|4T-B|4T-E|8T/4-L|8T/4-B|8T/4-E|2T20GE-L|2T20GE-B|2T20GE-E|8T-L|8T-B|8T-E|16T/8-B)";
    if (preg(multiline:TRUE, pattern:pat, string:buf)) flag = TRUE;
  }
  else if (cisco_needs_enable(buf)) override = TRUE;
}

if (!flag && !override) audit(AUDIT_HOST_NOT, "affected");

if (report_verbosity > 0)
{
  report =
    '\n  Cisco Bug ID      : CSCun71928' +
    '\n  Installed release : ' + version +
    '\n';
  security_hole(port:0, extra:report+cisco_caveat(override));
}
else security_hole(port:0, extra:cisco_caveat(override));