Vulnerabilities > CVE-2015-6432 - Resource Management Errors vulnerability in Cisco IOS XR

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
cisco
CWE-399
nessus

Summary

Cisco IOS XR 4.2.0, 4.3.0, 5.0.0, 5.1.0, 5.2.0, 5.2.2, 5.2.4, 5.3.0, and 5.3.2 does not properly restrict the number of Path Computation Elements (PCEs) for OSPF LSA opaque area updates, which allows remote attackers to cause a denial of service (device reload) via a crafted update, aka Bug ID CSCuw83486.

Common Weakness Enumeration (CWE)

Nessus

NASL familyCISCO
NASL idCISCO-SA-20160104-IOSXR.NASL
descriptionThe remote Cisco IOS XR device is affected by a denial of service vulnerability due to the number of Open Shortest Path First (OSPF) Path Computation Elements (PCEs) configured for the OSPF Link State Advertisement (LSA) opaque area update. An unauthenticated, remote attacker can exploit this, via a specially crafted OSPF LSA update, to cause a denial of service condition.
last seen2020-06-01
modified2020-06-02
plugin id87819
published2016-01-08
reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/87819
titleCisco IOS XR OSPF Link State Advertisement PCE DoS (cisco-sa-20160104-iosxr)
code
#TRUSTED 439e1dd2ffd6447b84c95491a46559ef5ee8adbd7cede52f915f94bb720f39efe3dcc6d52a0ea4269595341e11852a41154c140dabc313486593b0e2b3f1ba165d525e329003bb575d99908c71badc73913e58d3662551605d07115586e3d9c203297e67da7cdc4f51975260ccdca50d0a75af38edcbbb98b059de8efacaaba7b90c28dc62d8ac6f43c7c5f10197346509949b5e11c15c417dfee71f6aa9af4331fca92f52b653698db15788c91447230a15786abefdb230fd3e40d3862db5dbde0324b60c46b7626b7107bfa7a939e39abc3df63e208f8c33cc3a3ff2aa6013325f3834f2a40bd54a3cce9cc3e6e1256a6e47e10a6f333b7dde73b3292bc6d957c20279923cecb13258bd9dc14573fea506b040029c7cfe084fcef4e0067e47f1a3f190f4dc2b2ac515e798cbfdfc878b640e698570a10a586415f4aec0ead54c393f8e9bb79efb449e5d466a32598e7ea178fc0d78839825b0a93e7cf45f15e573f72123be2acf9778a4fbf09142ae02278e0340a0d048af702103280844f9367acd773a83e6bf8897509ecb15dc9eff220a4f59e5c194664fc559d6717ed7fb55a3a290a1c9dde13418866304b4a3b0c79257a52401f62946b394a33818cc78958a9c27612ca6464c0367641b213ac79462175073b3eace88276a2665f8ceea408854a4eeec571b9f34a6171c2a8619b26b0f069c139ec130a0778d3ab7ea
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(87819);
  script_version("1.12");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id("CVE-2015-6432");
  script_bugtraq_id(79831);
  script_xref(name:"CISCO-BUG-ID", value:"CSCuw83486");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20160104-iosxr");

  script_name(english:"Cisco IOS XR OSPF Link State Advertisement PCE DoS (cisco-sa-20160104-iosxr)");
  script_summary(english:"Checks the IOS XR version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The remote Cisco IOS XR device is affected by a denial of service
vulnerability due to the number of Open Shortest Path First (OSPF)
Path Computation Elements (PCEs) configured for the OSPF Link State
Advertisement (LSA) opaque area update. An unauthenticated, remote
attacker can exploit this, via a specially crafted OSPF LSA update, to
cause a denial of service condition.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160104-iosxr
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6160ca1f");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in Cisco Security Advisory
cisco-sa-20160104-iosxr.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-6432");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/01/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xr_version.nasl");
  script_require_keys("Host/Cisco/IOS-XR/Version");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

flag = 0;
override = 0;

cbi = "CSCuw83486";

version = get_kb_item_or_exit("Host/Cisco/IOS-XR/Version");

if( version =~ '^4\\.[23]\\.0([^0-9]|$)' ) flag = 1;
if( version =~ '^5\\.[0-3]\\.0([^0-9]|$)' ) flag = 1;
if( version =~ '^5\\.2\\.[24]([^0-9]|$)' ) flag = 1;
if( version == '5.3.2' ) flag = 1;

if (get_kb_item("Host/local_checks_enabled") && flag)
{
  flag = 0;

  buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config", "show running-config");
  if (check_cisco_result(buf))
  {
    if( preg(multiline:TRUE, pattern:"^pce ", string:buf))
      flag = 1;
  }
  else if (cisco_needs_enable(buf))
  {
    flag = 1;
    override = 1;
  }
}

if (flag)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Cisco bug ID      : ' + cbi +
      '\n  Installed release : ' + version +
      '\n';

    security_warning(port:0, extra:report + cisco_caveat(override));
  }
  else security_warning(port:0, extra:cisco_caveat(override));
}
else audit(AUDIT_HOST_NOT, "affected");