Vulnerabilities > CVE-2015-0710 - Resource Management Errors vulnerability in Cisco IOS XE 3.10.0S/3.10S.01

047910
CVSS 6.1 - MEDIUM
Attack vector
ADJACENT_NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
low complexity
cisco
CWE-399
nessus

Summary

The Overlay Transport Virtualization (OTV) implementation in Cisco IOS XE 3.10S allows remote attackers to cause a denial of service (device reload) via a series of packets that are considered oversized and trigger improper fragmentation handling, aka Bug IDs CSCup37676 and CSCup30335.

Vulnerable Configurations

Part Description Count
OS
Cisco
2

Common Weakness Enumeration (CWE)

Nessus

NASL familyCISCO
NASL idCISCO-SN-CSCUP37676_CSCUP30335-IOSXE.NASL
descriptionThe remote Cisco device is affected by a denial of service vulnerability due to improper processing of oversized Overlay Transport Virtualization (OTV) frames. An unauthenticated, adjacent attacker can exploit this, by sending a large number of oversized OTV frames requiring fragmentation and reassembly, to cause the device to reload, resulting in a denial of service condition.
last seen2020-06-01
modified2020-06-02
plugin id83733
published2015-05-20
reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/83733
titleCisco IOS XE Software Overlay Transport Virtualization (OTV) DoS
code
#TRUSTED 569248b866cb3ae3c4cdb082cef1b7cf08cc1d6e00749d43de4a01171160ef365dfef4cdbcfb4a762303e5bf6cbb19476993e6be5522d0cb4273dcf7c8bcf6b5dfa01bfa8da293897d50294f4626384b2a102aa08a55efa988ab04d1ab0d55f66748ae6dec2305508b21d4c6ed9449f59590c0b29c8fd3f4419f2e926bd1c72e0d8991f6c65a2132e086031cb2deb0bff4ce151eea5a6fe416e1727f0485a9ab87ed7d2734a184ecb66ce616ad76acfa12d13d092df0c6e2e26f446b84a4b090e6798075933738cca9bc82e7b6bf0d4a4690868860b74fd3f43febce936464a6c925a258bf928fd0335ddccae4335d265e57f4c877b988a1ce2c07797ede807b2cb97c614cd75c546d193df10b485a1b4266b210d190ef7146f20f6c519eeadca097ac709c667d4792f6e1a53b7de291131e56f25534da36621b0f01595e8c07eea2f9e1173d9c9daf337fd2ddb1bc9febf4c2e01d8931724a0d9ac3a45143de5d2cc3bd41fd7310b00199b6aad4d800ae03199d68c32d634fed97188bc4e92e83df057a88a7b42bbb64792ee964deb5f7b39f890d9c913c58f3d4bb31832753691510600cd09ab57c68630582d0cec4952f645b6d06b00a9f6e7118dcf5280a0f74e44bc55971de96f94c1d8fe4d6904bed9388e5a8874175eebe3ab31eba2eb5a06ba983efd62d477a8bd121bff80ff783a2f91a29cdf2d4650eda1ec1d719
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(83733);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id("CVE-2015-0710");
  script_bugtraq_id(74386);
  script_xref(name:"CISCO-BUG-ID", value:"CSCup37676");
  script_xref(name:"CISCO-BUG-ID", value:"CSCup30335");

  script_name(english:"Cisco IOS XE Software Overlay Transport Virtualization (OTV) DoS");
  script_summary(english:"Checks the IOS XE version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Cisco device is affected by a denial of service
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Cisco device is affected by a denial of service
vulnerability due to improper processing of oversized Overlay
Transport Virtualization (OTV) frames. An unauthenticated, adjacent
attacker can exploit this, by sending a large number of oversized OTV
frames requiring fragmentation and reassembly, to cause the device to
reload, resulting in a denial of service condition.");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/security/center/viewAlert.x?alertId=38549");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs
CSCup30335 and CSCup37676.

As a workaround, limit oversize packets across OTV topology.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/04/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

flag = 0;

version = get_kb_item_or_exit("Host/Cisco/IOS-XE/Version");

# Check model
model = get_kb_item("Host/Cisco/IOS-XE/Model");
if (('ASR1k' >< model || model =~ '^ASR 10[0-9][0-9]($|[^0-9])'))
  audit();

# 15.3(3)S1 maps to 3.10.0 / 3.10.1S
if (
  version == "3.10.0" ||
  version == "3.10.1S"
) flag++;

if (get_kb_item("Host/local_checks_enabled") && flag > 0)
{
  flag = 0;
  buf = cisco_command_kb_item("Host/Cisco/Config/show_otv", "show otv");
  if (check_cisco_result(buf))
  {
    if (preg(multiline:TRUE, pattern:"^Overlay Interface Overlay", string:buf)) flag = 1;
  }
  else if (cisco_needs_enable(buf)) { flag = 1; override = 1; }
}

if (flag > 0)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Cisco bug ID      : CSCup37676 / CSCup30335' +
      '\n  Installed release : ' + version +
      '\n  Fixed release     : See solution.' +
      '\n';
    security_warning(port:0, extra:report + cisco_caveat(override));
  }
  else security_warning(port:0, extra:cisco_caveat(override));
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");