Vulnerabilities > CVE-2014-3359 - Resource Management Errors vulnerability in Cisco IOS and IOS XE

CVSS 7.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

COMPLETE

network

low complexity

cisco

CWE-399

nessus

NVD

Published: 2014-09-25

Updated: 2017-08-29

Summary

Memory leak in Cisco IOS 15.1 through 15.4 and IOS XE 3.4.xS, 3.5.xS, 3.6.xS, and 3.7.xS before 3.7.6S; 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S; and 3.11.xS before 3.12S allows remote attackers to cause a denial of service (memory consumption or device reload) via malformed DHCPv6 packets, aka Bug ID CSCum90081.

Vulnerable Configurations

Part	Description	Count
OS	Cisco Cisco IOS 15.1 Cisco IOS 15.2 Cisco IOS 15.3 Cisco IOS 15.4 Cisco IOS XE 3.4.0S Cisco IOS XE 3.4.1S Cisco IOS XE 3.4.2S Cisco IOS XE 3.4.3S Cisco IOS XE 3.4.4S Cisco IOS XE 3.4.5S Cisco IOS XE 3.5.0S Cisco IOS XE 3.5.1S Cisco IOS XE 3.5.2S Cisco IOS XE 3.6S$.0$ Cisco IOS XE 3.6S$.1$ Cisco IOS XE 3.6S$.2$ Cisco IOS XE 3.7$0$S Cisco IOS XE 3.7$1$As Cisco IOS XE 3.7$2$S Cisco IOS XE 3.7$3$S Cisco IOS XE 3.7$4$S Cisco IOS XE 3.7$5$S Cisco IOS XE 3.8.0S Cisco IOS XE 3.8S$.0$ Cisco IOS XE 3.8S$.1$ Cisco IOS XE 3.8S$.2$ Cisco IOS XE 3.9S$.0$ Cisco IOS XE 3.9S$.1$ Cisco IOS XE 3.9S$.2$ Cisco IOS XE 3.10 Cisco IOS XE 3.10.0S Cisco IOS XE 3.11.0S Cisco IOS XE 3.11.1S Cisco IOS XE 3.11.2S	34

Common Weakness Enumeration (CWE)

CWE-399 - Resource Management Errors

Nessus

NASL family	CISCO
NASL id	CISCO-SA-20140924-DHCPV6.NASL
description	According to its self-reported version, the version of Cisco IOS running on the remote host is affected by a denial of service vulnerability in the DHCP version 6 (DHCPv6) implementation due to improper handling of DHCPv6 packets. A remote attacker can exploit this issue by sending specially crafted DHCPv6 packets to the link-scoped multicast address (ff02::1:2) and the IPv6 unicast address.
last seen	2019-10-28
modified	2014-10-02
plugin id	78029
published	2014-10-02
reporter	This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/78029
title	Cisco IOS Software DHCPv6 DoS (cisco-sa-20140924-dhcpv6)
code	#TRUSTED 0fe6da30fd16cfa6a83ad8ada7150c352c977aebe9c8fa2adccd9605eb56df6b230498ada8e1ac67c48365d540d905a87855c9874aef4a1e22ee583636a67cbed7806b90870256117a3de03105d8788d0bacb9bcd0938e23113d2b992e0b156558d44dd4e6dc006810d21a37ac86b30748b5932f8917199c96fb79ffeb066e3d5f95535961cae6e7b5c987d8fc714ddc2328c9941303aafa6c066a2eab6dd49a1a340c20419d2ed4b4d123ff99a93469177d0c04f6082cb9b32858a266bb867143da6f93b21b456c7cc15220f46baed58478afc2d4855bbcc10b319adcda549c84652e481c69cc7b31c4dbaf034a897d715fce1d753ccc0324f299ca51031314fe25bedf61ec465aa622125aa526cb3c5630d1e25cb19a0594bb596944defb5e9a6654d76e7de20800d09e3170dc136a27fbf29c0feccd4183cb5d39389edf37bae8a7b1c7f1771d66418afb12975cdd76b59db5f490d328722c94bf81ce5a434e90e1049073342cff92d4238631246e40ea7133a0bb0ee973c70f5570106f9ddd69a48019e2d5ff4d00495ad69c6a88769a24afea7ffccdae2de1d20da23f67ea0516b9b8a4c9dee727603ba2431c79a8a6ace8b9a17e83f65057ca80a40edbc5f70366611ded327db807b808906122562e7dde7e564a844ed1ab698a64dc707eeacf00f1dac4d0a4195c574361c08ce1ee2aecf703ea3c8a0efe893a64c2be # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(78029); script_version("1.10"); script_set_attribute(attribute:"plugin_modification_date", value:"2018/11/15"); script_cve_id("CVE-2014-3359"); script_bugtraq_id(70140); script_xref(name:"CISCO-BUG-ID", value:"CSCum90081"); script_xref(name:"CISCO-SA", value:"cisco-sa-20140924-dhcpv6"); script_name(english:"Cisco IOS Software DHCPv6 DoS (cisco-sa-20140924-dhcpv6)"); script_summary(english:"Checks the IOS version."); script_set_attribute(attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch."); script_set_attribute(attribute:"description", value: "According to its self-reported version, the version of Cisco IOS running on the remote host is affected by a denial of service vulnerability in the DHCP version 6 (DHCPv6) implementation due to improper handling of DHCPv6 packets. A remote attacker can exploit this issue by sending specially crafted DHCPv6 packets to the link-scoped multicast address (ff02::1:2) and the IPv6 unicast address."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-dhcpv6 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?942aeed1"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/security/center/viewAlert.x?alertId=35609"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCum90081"); script_set_attribute(attribute:"solution", value: "Apply the relevant patch referenced in Cisco Security Advisory cisco-sa-20140924-dhcpv6."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/24"); script_set_attribute(attribute:"patch_publication_date", value:"2014/09/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/02"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc."); script_family(english:"CISCO"); script_dependencies("cisco_ios_version.nasl"); script_require_keys("Host/Cisco/IOS/Version"); exit(0); } include("audit.inc"); include("cisco_func.inc"); include("cisco_kb_cmd_func.inc"); ver = get_kb_item_or_exit("Host/Cisco/IOS/Version"); app = "Cisco IOS"; cbi = "CSCum90081"; fixed_ver = NULL; #15.1MR if (ver == "15.1(3)MR") fixed_ver = "Refer to the vendor."; #15.1MRA else if (ver == "15.1(3)MRA" \|\| ver == "15.1(3)MRA1" \|\| ver == "15.1(3)MRA2") fixed_ver = "15.1(3)MRA3"; #15.1S else if (ver == "15.1(3)S" \|\| ver == "15.1(3)S0a" \|\| ver == "15.1(3)S1" \|\| ver == "15.1(3)S2" \|\| ver == "15.1(3)S3" \|\| ver == "15.1(3)S4" \|\| ver == "15.1(3)S5a" \|\| ver == "15.1(3)S6") fixed_ver = "15.1(3)S7"; #15.2S else if (ver == "15.2(1)S" \|\| ver == "15.2(1)S1" \|\| ver == "15.2(1)S2" \|\| ver == "15.2(2)S" \|\| ver == "15.2(2)S0a" \|\| ver == "15.2(2)S0c" \|\| ver == "15.2(2)S0d" \|\| ver == "15.2(2)S1" \|\| ver == "15.2(2)S2" \|\| ver == "15.2(4)S" \|\| ver == "15.2(4)S0c" \|\| ver == "15.2(4)S1" \|\| ver == "15.2(4)S1c" \|\| ver == "15.2(4)S2" \|\| ver == "15.2(4)S3" \|\| ver == "15.2(4)S3a" \|\| ver == "15.2(4)S4" \|\| ver == "15.2(4)S4a" \|\| ver == "15.2(4)S5") fixed_ver = "15.2(4)S2t or 15.2(4)S6"; #15.2SNG else if (ver == "15.2(2)SNG") fixed_ver = "Refer to the vendor."; #15.2SNH else if (ver == "15.2(2)SNH" \|\| ver == "15.2(2)SNH1") fixed_ver = "Refer to the vendor."; #15.2SNI else if (ver == "15.2(2)SNI") fixed_ver = "15.3(3)S4"; #15.3JA else if (ver == "15.3(3)JA75") fixed_ver = "Refer to the vendor."; #15.3M else if (ver == "15.3(3)M" \|\| ver == "15.3(3)M1" \|\| ver == "15.3(3)M2" \|\| ver == "15.3(3)M3") fixed_ver = "15.3(3)M4"; #15.3S else if (ver == "15.3(1)S" \|\| ver == "15.3(1)S1" \|\| ver == "15.3(1)S1e" \|\| ver == "15.3(1)S2" \|\| ver == "15.3(2)S" \|\| ver == "15.3(2)S0a" \|\| ver == "15.3(2)S0xa" \|\| ver == "15.3(2)S1" \|\| ver == "15.3(2)S1b" \|\| ver == "15.3(2)S1c" \|\| ver == "15.3(2)S2" \|\| ver == "15.3(3)S" \|\| ver == "15.3(3)S0b" \|\| ver == "15.3(3)S1" \|\| ver == "15.3(3)S1a" \|\| ver == "15.3(3)S2" \|\| ver == "15.3(3)S2a" \|\| ver == "15.3(3)S3") fixed_ver = "15.3(3)S4"; #15.4CG else if (ver == "15.4(1)CG" \|\| ver == "15.4(1)CG1" \|\| ver == "15.4(2)CG") fixed_ver = "Refer to the vendor."; #15.4S else if (ver == "15.4(1)S" \|\| ver == "15.4(1)S0a" \|\| ver == "15.4(1)S0b" \|\| ver == "15.4(1)S0c" \|\| ver == "15.4(1)S0d" \|\| ver == "15.4(1)S0e" \|\| ver == "15.4(1)S1" \|\| ver == "15.4(1)S2") fixed_ver = "15.4(1)S3 or 15.4(2)S"; #15.4T else if (ver == "15.4(1)T" \|\| ver == "15.4(1)T1" \|\| ver == "15.4(2)T") fixed_ver = "15.4(1)T2 or 15.4(2)T1"; if (isnull(fixed_ver)) audit(AUDIT_INST_VER_NOT_VULN, app, ver); override = FALSE; if (get_kb_item("Host/local_checks_enabled")) { flag = FALSE; buf = cisco_command_kb_item("Host/Cisco/Config/show_ipv6_dhcp_interface", "show ipv6 dhcp interface"); if (check_cisco_result(buf)) { # DHCPv6 if (preg(multiline:TRUE, pattern:"^Using pool: DHCPv6-stateful", string:buf)) flag = TRUE; } else if (cisco_needs_enable(buf)) override = TRUE; if (!flag && !override) audit(AUDIT_HOST_NOT, "affected because DHCPv6 is not enabled."); } if (report_verbosity > 0) { report += '\n Cisco bug ID : ' + cbi + '\n Installed release : ' + ver + '\n Fixed release : ' + fixed_ver + '\n'; security_hole(port:0, extra:report+cisco_caveat(override)); } else security_hole(port:0, extra:cisco_caveat(override));

NASL family	CISCO
NASL id	CISCO-SA-20140924-DHCPV6-IOSXE.NASL
description	According to its self-reported version, the version of Cisco IOS XE running on the remote host is affected by a denial of service vulnerability in the DHCP version 6 (DHCPv6) implementation due to improper handling of DHCPv6 packets. A remote attacker can exploit this issue by sending specially crafted DHCPv6 packets to the link-scoped multicast address (ff02::1:2) and the IPv6 unicast address.
last seen	2019-10-28
modified	2014-10-02
plugin id	78028
published	2014-10-02
reporter	This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/78028
title	Cisco IOS XE Software DHCPv6 DoS (cisco-sa-20140924-dhcpv6)
code	#TRUSTED 6b921082af1837d76c6a1b28df6517c81ee572fe4a6fad9800bab25de9ad88908d0c1dafc9379768c25af12d25448e3e4de33f774dc77a980b932ae9a0c9671d2629e25a00b00324262de993fb5aee59769e11cf6b36dba5e1301d20c0de66bde31d251a8b587e5ecf1ac12e19e2c6d04aaef07edf04d56bc5dba3064ac5a77e24fd5795fbc8b100b310e8bc021b164b0631e5197d9ca7ccbd0b33db7ace5bc9dc5ed97116f5aedfa29a0d1e5bfdca85d4ee45916a683cd325944e38eacb8e1f3a2d7e88352498782bd97fc5a9b6429b01c7cfa1464815bd41fc7aca071ba2846c675333f63f1785b133b145ebb8c695361d241b5dcce43bc19f1aac1fcaf42100fe57eccd40a382bc473e678a10253fd237a1d808fa257cc2608f68517999fa806c061c0af65dab6392da497518f64165220a98e89fafc26e551e3632e88663a7946ac06b711b36ef443f40a232ada20a5496448baf118b938d4e721c2ee23678579ba178174522dd81734842fdc8e96a909a3ec2a546db28789bcc0eeae4cf75777bd15dfcc00eaf97b74c9a2f42f7f9ac267db89c6fc118fb6124b04b66b867de87ebac686136b72985be6deb712d956579a62c75ff4403fb10147a7a2eb12dc3e4b58dae7a531dd37a2a9df8b23c19c2b72a9af6b3a16f7a3b662584831fbb75c8e0213a30a5711f066bd4379a7409df582e9a9b3c9c3d95696a907f5df9 # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(78028); script_version("1.10"); script_set_attribute(attribute:"plugin_modification_date", value:"2018/11/15"); script_cve_id("CVE-2014-3359"); script_bugtraq_id(70140); script_xref(name:"CISCO-BUG-ID", value:"CSCum90081"); script_xref(name:"CISCO-SA", value:"cisco-sa-20140924-dhcpv6"); script_name(english:"Cisco IOS XE Software DHCPv6 DoS (cisco-sa-20140924-dhcpv6)"); script_summary(english:"Checks the IOS XE version."); script_set_attribute(attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch."); script_set_attribute(attribute:"description", value: "According to its self-reported version, the version of Cisco IOS XE running on the remote host is affected by a denial of service vulnerability in the DHCP version 6 (DHCPv6) implementation due to improper handling of DHCPv6 packets. A remote attacker can exploit this issue by sending specially crafted DHCPv6 packets to the link-scoped multicast address (ff02::1:2) and the IPv6 unicast address."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-dhcpv6 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?942aeed1"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/security/center/viewAlert.x?alertId=35609"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCum90081"); script_set_attribute(attribute:"solution", value: "Apply the relevant patch referenced in Cisco Security Advisory cisco-sa-20140924-dhcpv6."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/09/24"); script_set_attribute(attribute:"patch_publication_date", value:"2014/09/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/02"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc."); script_family(english:"CISCO"); script_dependencies("cisco_ios_xe_version.nasl"); script_require_keys("Host/Cisco/IOS-XE/Version"); exit(0); } include("audit.inc"); include("cisco_func.inc"); include("cisco_kb_cmd_func.inc"); ver = get_kb_item_or_exit("Host/Cisco/IOS-XE/Version"); app = "Cisco IOS XE"; cbi = "CSCum90081"; fixed_ver = NULL; if ( ver =~ "^2\.[16]\.[0-2]$" \|\| ver =~ "^2\.2\.[1-3]$" \|\| ver =~ "^2\.3\.([02]\|[01]t)$" \|\| ver =~ "^2\.4\.[01]$" \|\| ver == "2.5.0" \|\| ver =~ "^3\.1\.[0-3]S$" \|\| ver =~ "^3\.[2356]\.[0-2]S$" \|\| ver =~ "^3\.4\.[0-6]S$" \|\| ver =~ "^3\.7\.[0-4]S$" ) fixed_ver = "3.7.6S"; else if ( ver =~ "^3\.2\.[0-3]SE$" \|\| ver =~ "^3\.3\.[01]SE$" ) fixed_ver = "3.3.2SE"; else if ( ver =~ "^3\.3\.[0-2]SG$" \|\| ver =~ "^3\.4\.[0-3]SG$" ) fixed_ver = "3.4.4SG"; else if (ver == "3.3.0XO") fixed_ver = "3.3.1XO"; else if (ver =~ "^3\.5\.[01]E$") fixed_ver = "3.5.2E"; else if ( ver =~ "^3\.8\.[0-2]S$" \|\| ver =~ "^3\.9\.[01]S$" \|\| ver =~ "^3\.10\.(0\|0a)S$" ) fixed_ver = "3.10.4S"; else if (ver =~ "^3\.11\.[12]S$") fixed_ver = "3.12.0S"; if (isnull(fixed_ver)) audit(AUDIT_INST_VER_NOT_VULN, app, ver); # DHCPv6 check override = FALSE; if (get_kb_item("Host/local_checks_enabled")) { flag = FALSE; buf = cisco_command_kb_item("Host/Cisco/Config/show_ipv6_dhcp_interface", "show ipv6 dhcp interface"); if (check_cisco_result(buf)) { # DHCPv6 if (preg(multiline:TRUE, pattern:"^Using pool: DHCPv6-stateful", string:buf)) flag = TRUE; } else if (cisco_needs_enable(buf)) override = TRUE; if (!flag && !override) audit(AUDIT_HOST_NOT, "affected because DHCPv6 is not enabled."); } if (report_verbosity > 0) { report += '\n Cisco bug ID : ' + cbi + '\n Installed release : ' + ver + '\n Fixed release : ' + fixed_ver + '\n'; security_hole(port:0, extra:report+cisco_caveat(override)); } else security_hole(port:0, extra:cisco_caveat(override));

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

References