Vulnerabilities > CVE-2014-3409 - Resource Management Errors vulnerability in Cisco IOS XE
Attack vector
ADJACENT_NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
COMPLETE Summary
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family CISCO NASL id CISCO-SN-CSCUQ93406-IOS.NASL description The remote Cisco device is affected by a denial of service vulnerability due to due to improper parsing of malformed Ethernet Connectivity Fault Management (CFM) packets. A remote, unauthenticated attacker, using specially crafted CFM packets, could trigger a denial of service condition, resulting in a reload of the device. last seen 2019-10-28 modified 2014-11-07 plugin id 78918 published 2014-11-07 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/78918 title Cisco IOS Software Ethernet Connectivity Fault Management (CFM) DoS code #TRUSTED 12435477e7e36d2ffecc0f92ec6f07be20a1197c364c6ee4f6cac71e0f29d198edc7c0b063d2b0fb0ff717cb6ab8c02602ebe2ce199313941e99194d77aea44750b852c2a4872cb5a6361d011799aa91877f56f70a18e2e3fd4d41abb006b483a561a1cd7208cea59292e8ca2e89dc4052a651a679a3a5a121e28eb35a7c0e057a6ea5294641627db92510c95e3aaed9f1b05d826795c388bb1c14bc8d60f09062ae2b92aac9c793125f28e65b74626909f35eda60a77198208f6c4662469474b3237368ba780cc57b2296922f6b54fa66c6de0d93497cda609ac759bb17c9210376ad72172eb85f05956cd8a66cc55c987d3762e242283d742f8224914d4a7c1c9febbbebadac91e04a6415688bc5eb9899c839777ba9a8bae1ab34dcc273e7ed4f509fe0811e659c1624501c6af0e06b4b78b9b0292ddf462287b1130bb7445fa353d5bf2898540a8a6c65503222a26c87594f13999a039187dba9633c817fccfdac67bda46a54fbb9f9c084d58cfef3bb15215272cbf93f9a16ff871a8c9f078012ea3dcf9cd47833a2a2ad60e44eec243596359f71c141c8ef6cfb8b0641b3ba688e5ac724a74691bfbf8bb2a568334abedd437fcaa95cdb02ef1fb2aea87aa01adf9b59ee5a3ee28c87b68c7bef96fed8212a596438d7f130c9c5d1eacdc2cdf47ee66a840a18bfc2a7171a89d8d03fa8d732d434a8256711fbb9512cd1 # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(78918); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2018/11/15"); script_cve_id("CVE-2014-3409"); script_bugtraq_id(70715); script_xref(name:"CISCO-BUG-ID", value:"CSCuq93406"); script_name(english:"Cisco IOS Software Ethernet Connectivity Fault Management (CFM) DoS"); script_summary(english:"Checks the IOS version."); script_set_attribute(attribute:"synopsis", value: "The remote Cisco device is affected by a denial of service vulnerability."); script_set_attribute(attribute:"description", value: "The remote Cisco device is affected by a denial of service vulnerability due to due to improper parsing of malformed Ethernet Connectivity Fault Management (CFM) packets. A remote, unauthenticated attacker, using specially crafted CFM packets, could trigger a denial of service condition, resulting in a reload of the device."); # https://tools.cisco.com/security/center/viewAlert.x?alertId=36184 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8080ca42"); script_set_attribute(attribute:"solution", value: "Apply the relevant patch referenced in the Cisco Security Notice. Alternatively, disable Ethernet Connectivity Fault Management (CFM)."); script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/24"); script_set_attribute(attribute:"patch_publication_date", value:"2013/10/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/07"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc."); script_dependencies("cisco_ios_version.nasl"); script_require_keys("Host/Cisco/IOS/Version"); exit(0); } include("audit.inc"); include("cisco_func.inc"); include("cisco_kb_cmd_func.inc"); # Check model model = get_kb_item("CISCO/model"); if (!model) model = get_kb_item("Host/Cisco/IOS/Model"); flag = 0; override = 0; version = get_kb_item_or_exit("Host/Cisco/IOS/Version"); if (!model) { if (version == "15.1(3)S2") flag++; } else { # 7600: 12.2(33)SRE onwards if (model =~ "^7600($|[^0-9])" && version =~ "^12\.2\(33\)SRE($|\d+[a-z]*$)") flag++; # ISR-G2: 15.1(1)T onwards else if (model =~ "^ISR-G2($|[^0-9])" && version =~ "^15\.1\(1\)T($|\d+[a-z]*$)") flag++; # ME2400: 12.2(25)SE onwards else if (model =~ "^ME2400($|[^0-9])" && version =~ "^12\.2\(25\)SE($|\d+[a-z]*$)") flag++; # ME3600: 12.2(52)EY onwards else if (model =~ "^ME3600($|[^0-9])" && version =~ "^12\.2\(52\)EY($|\d+[a-z]*$)") flag++; # Cat4k: 15.0(2)SG onwards else if (tolower(model) =~ "^cat4k($|[^0-9])" && version =~ "^15\.0\(2\)SG($|\d+[a-z]*$)") flag++; # Cat6k: 12.2(33)SXI2 onwards (note the '2' at the end) else if (tolower(model) =~ "^cat6k($|[^0-9])" && version =~ "^12\.2\(33\)SXI([2-9]|[1-9][0-9])($|[^0-9])") flag++; } if (get_kb_item("Host/local_checks_enabled") && flag > 0) { flag = 0; buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config", "show running-config"); if (check_cisco_result(buf)) { if (preg(multiline:TRUE, pattern:"ethernet cfm", string:buf)) flag = 1; } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; } } if (flag > 0) { if (report_verbosity > 0) { report = '\n Cisco bug ID : CSCuq93406' + '\n Installed release : ' + version + '\n'; security_warning(port:0, extra:report + cisco_caveat(override)); } else security_warning(port:0, extra:cisco_caveat(override)); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family CISCO NASL id CISCO-SN-CSCUQ93406-IOSXE.NASL description The remote Cisco device is affected by a denial of service vulnerability due to due to improper parsing of malformed Ethernet Connectivity Fault Management (CFM) packets. A remote, unauthenticated attacker, using specially crafted CFM packets, could trigger a denial of service condition, resulting in a reload of the device. last seen 2019-10-28 modified 2014-11-07 plugin id 78919 published 2014-11-07 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/78919 title Cisco IOS XE Software Connectivity Fault Management (CFM) DoS code #TRUSTED 482d642216215faba881a92b713ad8d0d12885d2ff592bf5dac4eb92e00af4f5fd9e28c1bbd425d6ade14fcc1b25f63465ef2f300491a4362e2e8f86f02797160cce056af0101afebb0132b171f8cdc67d99a4387cf1d8045981ea2f4c5595c55d0c7b36d22100ba25bf734e285d616e82239581268f15d64cb336d4f53880a08ad4f6652802e503c17a859547ddaf4423e02964c6f6430c426c88bc376fe4339700f44e0d3d71bf74af3b136b6652b56bc694ca5b4bba56a8a4b74d7a5a6b06f7bc39212a90e3f37f66eed40e990f25dff06cc8f3d56b791dd4c974f2a01cd7459c911b19137574ab7893ca88c13fba4b2dd63408850bc08dea697c97ed0867c62e6be59fba3c6a916b3b5649f3920e715287dcecfe1ed1fbdb5e2341955d9e42873754ac8d64a065f99bf49e0050aa455b77c4540d0f6b54a7e99df844e8c8bc3ef02bb7351b206fce645fa3197842125815c4b48a728b8f536df68e0c173bda8ff3019ae2fe692475777b42e4ec0c2dea2798d917a18838a7cd6ea0c1be2f3399302475ef368b5616365cf525eda6168cff49bb090acfdf6f255db2bb0cbf25e50386d1f64f5a702d39003f9eaff7c3dc518eb3e627ecdadb8bf65db6ac6543a7af69d13fa9a32020821720091f6e1923f782d5841c1fa5f4a7060cf35d2e1ce6a49a83855163611bd1cbeb13d72f86358906d762caa70661f15e05e66a09 # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(78919); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2018/11/15"); script_cve_id("CVE-2014-3409"); script_bugtraq_id(70715); script_xref(name:"CISCO-BUG-ID", value:"CSCuq93406"); script_name(english:"Cisco IOS XE Software Connectivity Fault Management (CFM) DoS"); script_summary(english:"Checks the IOS XE version."); script_set_attribute(attribute:"synopsis", value: "The remote Cisco device is affected by a denial of service vulnerability."); script_set_attribute(attribute:"description", value: "The remote Cisco device is affected by a denial of service vulnerability due to due to improper parsing of malformed Ethernet Connectivity Fault Management (CFM) packets. A remote, unauthenticated attacker, using specially crafted CFM packets, could trigger a denial of service condition, resulting in a reload of the device."); # https://tools.cisco.com/security/center/viewAlert.x?alertId=36184 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8080ca42"); script_set_attribute(attribute:"solution", value: "Apply the relevant patch referenced in the Cisco Security Notice. Alternatively, disable Ethernet Connectivity Fault Management (CFM)."); script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/24"); script_set_attribute(attribute:"patch_publication_date", value:"2013/10/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/07"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc."); script_dependencies("cisco_ios_xe_version.nasl"); script_require_keys("Host/Cisco/IOS-XE/Version"); exit(0); } include("audit.inc"); include("cisco_func.inc"); include("cisco_kb_cmd_func.inc"); flag = 0; version = get_kb_item_or_exit("Host/Cisco/IOS-XE/Version"); # Check model model = get_kb_item("Host/Cisco/IOS-XE/Model"); if (!model) { # If no model, just do ver checks per Alert page # 3.1S .0, .1, .2, .3 if (version =~ "^3\.1\.[0-3]S$") flag++; # 3.2S .0, .1, .2 else if (version =~ "^3\.2\.[0-2]S$") flag++; # 3.3S .0, .1, .2 else if (version =~ "^3\.3\.[0-2]S$") flag++; # 3.4S .0, .1, .2, .3, .4, .5, .6 else if (version =~ "^3\.4\.[0-6]S$") flag++; # 3.5S Base, .0, .1, .2 # 3.6S Base, .0, .1, .2 # 3.7S Base, .0, .1, .2, .3, .4, .5, .6 else if (version =~ "^3\.[5-7]S$") flag++; else if (version =~ "^3\.[5-7]\.[0-2]S$") flag++; else if (version =~ "^3\.7\.[4-6]S$") flag++; # 3.9S .0, .1, .2 else if (version =~ "^3\.9\.[0-2]S$") flag++; # 3.10S .0, .0a, .1, .2, .3, .4 else if (version =~ "^3\.10\.(0a|[0-4])S$") flag++; # 3.11S .1, .2 else if (version =~ "^3\.11\.[0-2]S$") flag++; # 3.12S .0 else if (version == '3.12.0S') flag++; # 3.13S .0 else if (version == '3.13.0S') flag++; } else { # If model is present, do ver check per model per Bug page note if ('ASR901' >< model && version =~ "^3\.3\.") flag++; else if ('ASR903' >< model && version =~ "^3\.5\.") flag++; else if ('ASR920' >< model && version =~ "^3\.13\.") flag++; else if (('ASR1k' >< model || model =~ '^ASR 10[0-9][0-9]($|[^0-9])') && version =~ "^3\.2\.") flag++; } if (get_kb_item("Host/local_checks_enabled") && flag > 0) { flag = 0; buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config", "show running-config"); if (check_cisco_result(buf)) { if (preg(multiline:TRUE, pattern:"ethernet cfm", string:buf)) flag = 1; } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; } } if (flag > 0) { if (report_verbosity > 0) { report = '\n Cisco bug ID : CSCuq93406' + '\n Installed release : ' + version + '\n'; security_warning(port:0, extra:report + cisco_caveat(override)); } else security_warning(port:0, extra:cisco_caveat(override)); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
References
- http://secunia.com/advisories/61799
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3409
- http://tools.cisco.com/security/center/viewAlert.x?alertId=36184
- http://www.securityfocus.com/bid/70715
- http://www.securitytracker.com/id/1031119
- https://exchange.xforce.ibmcloud.com/vulnerabilities/97758