Vulnerabilities > CVE-2015-6321 - Resource Management Errors vulnerability in Cisco products

047910
CVSS 7.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
low complexity
cisco
CWE-399
nessus

Summary

Cisco AsyncOS before 8.5.7-042, 9.x before 9.1.0-032, 9.1.x before 9.1.1-023, and 9.5.x and 9.6.x before 9.6.0-042 on Email Security Appliance (ESA) devices; before 9.1.0-032, 9.1.1 before 9.1.1-005, and 9.5.x before 9.5.0-025 on Content Security Management Appliance (SMA) devices; and before 7.7.0-725 and 8.x before 8.0.8-113 on Web Security Appliance (WSA) devices allows remote attackers to cause a denial of service (memory consumption) via a flood of TCP packets, aka Bug IDs CSCus79774, CSCus79777, and CSCzv95795.

Vulnerable Configurations

Part Description Count
Application
Cisco
40

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyCISCO
    NASL idCISCO-SA-20151104-AOS_SMA.NASL
    descriptionAccording to its self-reported version, the Cisco Content Security Management Appliance (SMA) running on the remote host is affected by a denial of service vulnerability in the network stack of Cisco AsyncOS due to improper handling of TCP packets sent at a high rate. An unauthenticated, remote attacker can exploit this to exhaust all available memory, preventing any more TCP connections from being accepted.
    last seen2020-03-17
    modified2015-11-18
    plugin id86915
    published2015-11-18
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86915
    titleCisco Content Security Management Appliance TCP Flood DoS (CSCus79777)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
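    # Plugin metadata. This branch runs only when `description` is set: it
    # registers identifiers, text, scoring and dependencies, then calls exit(0)
    # so that none of the version-check logic further down runs in that pass.
    if (description)
    {
      script_id(86915);
      script_version("1.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/28");
    
      # Cross-references: one CVE, the SMA-specific Cisco bug ID and the advisory.
      script_cve_id("CVE-2015-6321");
      script_xref(name:"CISCO-BUG-ID", value:"CSCus79777");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20151104-aos");
    
      script_name(english:"Cisco Content Security Management Appliance TCP Flood DoS (CSCus79777)");
      # The finding is derived from the self-reported version only; nothing in
      # this script sends TCP traffic at the target.
      script_summary(english:"Checks the SMA version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote security appliance is missing a vendor-supplied patch.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the Cisco Content Security
    Management Appliance (SMA) running on the remote host is affected by a
    denial of service vulnerability in the network stack of Cisco AsyncOS
    due to improper handling of TCP packets sent at a high rate. An
    unauthenticated, remote attacker can exploit this to exhaust all
    available memory, preventing any more TCP connections from being
    accepted.");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-aos
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?561dad7b");
      script_set_attribute(attribute:"solution", value:
    "Apply the relevant updates referenced in Cisco Security Advisory
    cisco-sa-20151104-aos.");
      # CVSS v2 base: network vector, low complexity, no authentication,
      # availability-only impact (C:N/I:N/A:C), i.e. a pure denial of service.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      # CVSS v2 temporal: exploit unproven, official fix available, report confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-6321");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/11/04");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/11/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/18");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:content_security_management_appliance");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CISCO");
    
      script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # The two KB keys below are the only inputs the check reads; they are
      # presumably populated by the dependency named here (confirm), so the
      # result is only as accurate as the version that script collected.
      script_dependencies("cisco_sma_version.nasl");
      script_require_keys("Host/AsyncOS/Cisco Content Security Management Appliance/DisplayVersion", "Host/AsyncOS/Cisco Content Security Management Appliance/Version");
    
      exit(0);
    }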
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Version-only check for the SMA: read the two version strings from the KB,
    # pick the fixed build for the installed release train, and report when the
    # installed build sorts below it. No traffic is sent to the appliance.
    # get_kb_item_or_exit() comes from the includes and is expected to stop the
    # script when a key is absent.
    display_ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Content Security Management Appliance/DisplayVersion');
    ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Content Security Management Appliance/Version');
    
    # Fixed-build selection:
    #   - 9.1.1 has its own fixed build, so it is tested before the general 9.1
    #     pattern.
    #   - Everything before 8.1, and the 8.1, 8.3, 8.4, 9.0 and remaining 9.1
    #     trains, share one fixed build.
    #   - A train that matches no pattern (for example 8.2, or 9.2 and later other
    #     than 9.5) is audited as not vulnerable without any build comparison.
    # NOTE(review): the CVE-2015-6321 summary gives "before 9.1.0-032" for SMA,
    # while this check compares against 9.1.0-031 -- confirm the boundary against
    # the vendor advisory before relying on a "not vulnerable" result for that build.
    if (ver =~ "^9\.1\.1\.")
      display_fix = '9.1.1-005';
    else if (ver =~ "^9\.5\.")
      display_fix = '9.5.0-025';
    else if (ver =~ "^[0-7]\." || ver =~ "^8\.[0134]\." || ver =~ "^9\.[01]\.")
      display_fix = '9.1.0-031';
    else
      audit(AUDIT_INST_VER_NOT_VULN, 'Cisco SMA', display_ver);
    
    # The display form separates the build with a dash; it is rewritten with a dot
    # before the comparison, presumably to match the dotted KB 'Version' value.
    fix = str_replace(string:display_fix, find:'-', replace:'.');
    
    # Only a strictly lower installed version (-1) is reported; every other
    # comparison result is audited as not vulnerable.
    if (ver_compare(ver:ver, fix:fix, strict:FALSE) != -1)
      audit(AUDIT_INST_VER_NOT_VULN, 'Cisco SMA', display_ver);
    else
    {
      if (report_verbosity > 0)
      {
        details = '\n  Installed version : ' + display_ver + '\n  Fixed version     : ' + display_fix + '\n';
        security_hole(port:0, extra:details);
      }
      else security_hole(0);
      exit(0);
    }
    
  • NASL familyCISCO
    NASL idCISCO-SA-20151104-AOS_WSA.NASL
    descriptionAccording to its self-reported version, the Cisco Web Security Appliance (WSA) running on the remote host is affected by the following vulnerabilities : - A denial of service vulnerability exists due to a failure to free memory objects when retrieving data from the proxy server to terminate a TCP connection. An unauthenticated, remote attacker can exploit this, by opening a large number of proxy connections, to cause exhaustion of memory, resulting in the WSA to stop passing traffic. (CVE-2015-6292) - A denial of service vulnerability exists due to a failure to free memory when a file range is requested. An unauthenticated, remote attacker can exploit this, by opening multiple connections that request file ranges, to cause exhaustion of memory, resulting in the WSA to stop passing traffic. (CVE-2015-6293) - A flaw exists in the certificate generation process due to improper validation of parameters passed to the affected scripts of the web interface. An authenticated, remote attacker can exploit this, via crafted arguments to the parameters, to execute arbitrary commands on the system with root level privileges. (CVE-2015-6298) - A denial of service vulnerability exists due to improper handling of TCP packets sent at a high rate. An unauthenticated, remote attacker can exploit this to exhaust all available memory, preventing any more TCP connections from being accepted. (CVE-2015-6321)
    last seen2020-03-17
    modified2015-11-18
    plugin id86916
    published2015-11-18
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86916
    titleCisco Web Security Appliance Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Plugin metadata. This branch runs only when `description` is set: it
    # registers identifiers, text, scoring and dependencies, then calls exit(0)
    # so that none of the version-check logic further down runs in that pass.
    if (description)
    {
      script_id(86916);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/28");
    
      # One plugin covers four CVEs from four advisories, so a single finding
      # does not say which of them applies to a given host.
      script_cve_id(
        "CVE-2015-6292",
        "CVE-2015-6293",
        "CVE-2015-6298",
        "CVE-2015-6321"
      );
      script_xref(name:"CISCO-BUG-ID", value:"CSCzv95795");
      script_xref(name:"CISCO-BUG-ID", value:"CSCus83445");
      script_xref(name:"CISCO-BUG-ID", value:"CSCus10922");
      script_xref(name:"CISCO-BUG-ID", value:"CSCur39155");
      script_xref(name:"CISCO-BUG-ID", value:"CSCuu29304");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20151104-aos");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20151104-wsa");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20151104-wsa1");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20151104-wsa2");
    
      script_name(english:"Cisco Web Security Appliance Multiple Vulnerabilities");
      # The finding is derived from the self-reported version only; nothing in
      # this script opens proxy connections or sends TCP traffic at the target.
      script_summary(english:"Checks the WSA version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote security appliance is missing a vendor-supplied patch.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the Cisco Web Security
    Appliance (WSA) running on the remote host is affected by the
    following vulnerabilities :
    
      - A denial of service vulnerability exists due to a
        failure to free memory objects when retrieving data from
        the proxy server to terminate a TCP connection. An
        unauthenticated, remote attacker can exploit this, by
        opening a large number of proxy connections, to cause
        exhaustion of memory, resulting in the WSA to stop
        passing traffic. (CVE-2015-6292)
    
      - A denial of service vulnerability exists due to a
        failure to free memory when a file range is requested.
        An unauthenticated, remote attacker can exploit this, by
        opening multiple connections that request file ranges,
        to cause exhaustion of memory, resulting in the WSA to
        stop passing traffic. (CVE-2015-6293)
    
      - A flaw exists in the certificate generation process due
        to improper validation of parameters passed to the
        affected scripts of the web interface. An authenticated,
        remote attacker can exploit this, via crafted arguments
        to the parameters, to execute arbitrary commands on the
        system with root level privileges. (CVE-2015-6298)
    
      - A denial of service vulnerability exists due to improper
        handling of TCP packets sent at a high rate. An
        unauthenticated, remote attacker can exploit this to
        exhaust all available memory, preventing any more
        TCP connections from being accepted. (CVE-2015-6321)");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-aos
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?561dad7b");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-wsa
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9afe6628");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-wsa1
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8b233cd4");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151104-wsa2
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6af33d45");
      script_set_attribute(attribute:"solution", value:
    "Apply the relevant updates referenced in Cisco Security Advisories
    cisco-sa-20151104-aos, cisco-sa-20151104-wsa, cisco-sa-20151104-wsa1,
    and cisco-sa-20151104-wsa2.");
      # CVSS v2 base: network vector, low complexity, single authentication,
      # complete C/I/A impact.
      # NOTE(review): that profile fits the authenticated command-execution item
      # (CVE-2015-6298) rather than the unauthenticated memory-exhaustion items,
      # and no cvss_score_source attribute is set here to say which CVE it was
      # taken from -- confirm before using this score to rank the DoS issues.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      # CVSS v2 temporal: exploit unproven, official fix available, report confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/11/04");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/11/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/18");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:web_security_appliance");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CISCO");
    
      script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # The two KB keys below are the only inputs the check reads; they are
      # presumably populated by the dependency named here (confirm), so the
      # result is only as accurate as the version that script collected.
      script_dependencies("cisco_wsa_version.nasl");
      script_require_keys("Host/AsyncOS/Cisco Web Security Appliance/DisplayVersion", "Host/AsyncOS/Cisco Web Security Appliance/Version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Version-only check for the WSA: read the two version strings from the KB,
    # pick the fixed build for the installed release train, and report when the
    # installed build sorts below it. No traffic is sent to the appliance.
    # get_kb_item_or_exit() comes from the includes and is expected to stop the
    # script when a key is absent.
    display_ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Web Security Appliance/DisplayVersion');
    ver = get_kb_item_or_exit('Host/AsyncOS/Cisco Web Security Appliance/Version');
    
    # Fixed-build selection:
    #   - everything up to and including the 7.7 train -> 7.7.0-761
    #   - 8.0 -> 8.0.8-113
    #   - 8.1 and 8.5 -> 8.5.3-051
    #   - 8.6 and 8.7 -> 8.7.0-171
    #   - 8.8 -> 8.8.0-085
    #   - a train that matches no pattern is audited as not vulnerable without any
    #     build comparison.
    # NOTE(review): the CVE-2015-6321 summary gives "before 7.7.0-725" for WSA,
    # while the 7.x threshold here is 7.7.0-761. This plugin covers four CVEs, so
    # the higher build presumably comes from one of the other advisories; a host
    # flagged here is not necessarily exposed to every listed CVE -- confirm per
    # advisory.
    if (ver =~ "^[0-6]\." || ver =~ "^7\.[0-7]\.")
      display_fix = '7.7.0-761';
    else if (ver =~ "^8\.0\.")
      display_fix = '8.0.8-113';
    else if (ver =~ "^8\.[15]\.")
      display_fix = '8.5.3-051';
    else if (ver =~ "^8\.[67]\.")
      display_fix = '8.7.0-171';
    else if (ver =~ "^8\.8\.")
      display_fix = '8.8.0-085';
    else
      audit(AUDIT_INST_VER_NOT_VULN, 'Cisco WSA', display_ver);
    
    # The display form separates the build with a dash; it is rewritten with a dot
    # before the comparison, presumably to match the dotted KB 'Version' value.
    fix = str_replace(string:display_fix, find:'-', replace:'.');
    
    # Only a strictly lower installed version (-1) is reported; every other
    # comparison result is audited as not vulnerable.
    if (ver_compare(ver:ver, fix:fix, strict:FALSE) != -1)
      audit(AUDIT_INST_VER_NOT_VULN, 'Cisco WSA', display_ver);
    else
    {
      if (report_verbosity > 0)
      {
        details = '\n  Installed version : ' + display_ver + '\n  Fixed version     : ' + display_fix + '\n';
        security_hole(port:0, extra:details);
      }
      else security_hole(0);
      exit(0);
    }
    
  • NASL familyCISCO
    NASL idCISCO-SA-20151104-AOS_ESA.NASL
    descriptionAccording to its self-reported version, the Cisco AsyncOS running on the remote Cisco Email Security (ESA) appliance is affected by the following vulnerabilities : - An anti-spam bypass vulnerability exists in the anti-spam scanner due to improper handling of malformed packets. An unauthenticated, remote attacker can exploit this, via a crafted DNS Sender Policy Framework (SPF) record, to bypass the scanner. (CVE-2015-4184) - A denial of service vulnerability exists in the email filtering feature due to improper input validation of email attachment fields. An unauthenticated, remote attacker can exploit this, via a crafted email with an attachment, to cause memory to be consumed at a high rate, resulting in the filtering process being restarted over again. (CVE-2015-6291) - A denial of service vulnerability exists due to improper handling of TCP packets sent at a high rate. An unauthenticated, remote attacker can exploit this to exhaust all available memory, preventing any more TCP connections from being accepted. (CVE-2015-6321)
    last seen2020-03-17
    modified2015-11-18
    plugin id86914
    published2015-11-18
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86914
    titleCisco Email Security Appliance Multiple Vulnerabilities