Vulnerabilities > CVE-2016-1348 - Resource Management Errors vulnerability in Cisco IOS and IOS XE

047910
CVSS 7.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
low complexity
cisco
CWE-399
nessus

Summary

Cisco IOS 15.0 through 15.5 and IOS XE 3.3 through 3.16 allow remote attackers to cause a denial of service (device reload) via a crafted DHCPv6 Relay message, aka Bug ID CSCus55821.

Vulnerable Configurations

Part Description Count
OS
Cisco
189

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: CISCO
    NASL id: CISCO-SA-20160323-DHCPV6-IOSXE.NASL
    description: According to its self-reported version, the Cisco IOS XE software running on the remote device is affected by a denial of service vulnerability in the DHCPv6 Relay feature due to improper validation of DHCPv6 relay messages. An unauthenticated, remote attacker can exploit this issue, via a crafted DHCPv6 relay message, to cause the device to reload.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90354
    published: 2016-04-06
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90354
    title: Cisco IOS XE DHCPv6 Relay Message Handling DoS (cisco-sa-20160323-dhcpv6)
    code:
    #TRUSTED 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
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration block: when the scanner loads the plugin with `description`
    # set, only the metadata below is recorded and the script exits (exit(0) at
    # the end of the block) before any of the checks further down run.
    if (description)
    {
      script_id(90354);
      script_version("1.10");
      script_cvs_date("Date: 2019/11/20");
    
      # Identifiers that tie a finding back to the CVE, the Cisco bug ID and the
      # Cisco security advisory.
      script_cve_id("CVE-2016-1348");
      script_xref(name:"CISCO-BUG-ID", value:"CSCus55821");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20160323-dhcpv6");
    
      script_name(english:"Cisco IOS XE DHCPv6 Relay Message Handling DoS (cisco-sa-20160323-dhcpv6)");
      # The summary states the detection method: a version comparison, so a
      # finding is only as reliable as the version string the device reports.
      script_summary(english:"Checks the IOS XE version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is missing a vendor-supplied security patch.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the Cisco IOS XE software
    running on the remote device is affected by a denial of service
    vulnerability in the DHCPv6 Relay feature due to improper validation
    of DHCPv6 relay messages. An unauthenticated, remote attacker can
    exploit this issue, via a crafted DHCPv6 relay message, to cause the
    device to reload.");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-dhcpv6
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?239272f7");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to the relevant fixed version referenced in Cisco bug ID
    CSCus55821.");
      # CVSS v2 and v3 base vectors: network attack vector, low complexity, no
      # authentication/privileges, no confidentiality or integrity impact,
      # complete/high availability impact (A:C, A:H). The temporal vectors record
      # an unproven exploit (E:U) and an official fix (RL:OF / RL:O).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1348");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/03/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/06");
    
      # "local" plugin type: the checks below read knowledge-base items (the
      # version string and, where available, saved command output); nothing in
      # this script sends DHCPv6 traffic to the device.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
      script_end_attributes();
    
      # Information-gathering category.
      script_category(ACT_GATHER_INFO);
      script_family(english:"CISCO");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Depends on the IOS XE version-detection plugin and requires the KB key
      # that the checks below read.
      script_dependencies("cisco_ios_xe_version.nasl");
      script_require_keys("Host/Cisco/IOS-XE/Version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("cisco_func.inc");
    include("cisco_kb_cmd_func.inc");
    
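    # Installed IOS XE release as recorded in the knowledge base; the script
    # exits here when the key is absent. The value is stored in `ver` because
    # every comparison below reads `ver`: with the value held under a different
    # name, `ver` would be undefined, no comparison could match, and an affected
    # device would always be audited as "not affected".
    ver = get_kb_item_or_exit("Host/Cisco/IOS-XE/Version");
    
    flag = 0;
    # Initialised explicitly so cisco_caveat() never receives an undefined
    # value; set to 1 only when the relay check cannot run (see below).
    override = 0;
    
    # IOS XE releases this plugin treats as affected by CSCus55821. Matching is
    # exact string equality, so a release that is not listed here is never
    # flagged, whatever its number.
    vuln_versions = make_list(
      '3.8.0E',
      '3.3.0XO', '3.3.1XO', '3.3.2XO',
      '3.5.0E', '3.5.1E', '3.5.2E', '3.5.3E',
      '3.5.0S', '3.5.1S', '3.5.2S',
      '3.6.0E', '3.6.1E', '3.6.2aE', '3.6.2E', '3.6.3E',
      '3.6.0S', '3.6.1S', '3.6.2S',
      '3.7.0E', '3.7.1E', '3.7.2E',
      '3.7.0S', '3.7.1S', '3.7.2S', '3.7.2tS', '3.7.3S', '3.7.4S', '3.7.4aS',
      '3.7.5S', '3.7.6S', '3.7.7S',
      '3.8.0S', '3.8.1S', '3.8.2S',
      '3.9.0S', '3.9.0aS', '3.9.1S', '3.9.1aS', '3.9.2S',
      '3.10.0S', '3.10.1S', '3.10.1xbS', '3.10.2S', '3.10.3S', '3.10.4S',
      '3.10.5S', '3.10.6S',
      '3.11.0S', '3.11.1S', '3.11.2S', '3.11.3S', '3.11.4S',
      '3.12.0S', '3.12.1S', '3.12.4S', '3.12.2S', '3.12.3S',
      '3.13.2aS', '3.13.0S', '3.13.0aS', '3.13.1S', '3.13.2S', '3.13.3S',
      '3.13.4S',
      '3.14.0S', '3.14.1S', '3.14.2S', '3.14.3S',
      '3.15.1cS', '3.15.0S', '3.15.1S', '3.15.2S',
      '3.16.0S', '3.16.0cS', '3.16.1S', '3.16.1aS'
    );
    
    # Check for vuln version
    foreach vuln_ver (vuln_versions)
      if (ver == vuln_ver) flag++;
    
    # Check DHCPv6 Relay
    # Only reached for a listed release when local checks are enabled. Without
    # local checks the version match alone decides the result.
    if (flag && get_kb_item("Host/local_checks_enabled"))
    {
      # Start again from "not affected"; the flag is raised only if an
      # interface is in relay mode or the configuration could not be read.
      flag = 0;
    
      buf = cisco_command_kb_item("Host/Cisco/Config/show_ipv6_dhcp_interface", "show ipv6 dhcp interface");
      if (check_cisco_result(buf))
      {
        # `><` is NASL's substring test: flag the host when the command output
        # reports an interface in DHCPv6 relay mode.
        if ("is in relay mode" >< buf) flag = 1;
      }
      else if (cisco_needs_enable(buf))
      {
        # The command needs enable privileges the scan did not have: report on
        # the version alone and pass override=1 to cisco_caveat().
        flag = 1;
        override = 1;
      }
      # Any other command failure leaves flag at 0, so the host is audited as
      # not affected even though the relay configuration was not inspected.
    }
    
    if (flag)
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Cisco bug ID      : CSCus55821' +
          '\n  Installed release : ' + ver +
          '\n';
        # cisco_caveat() presumably appends a note when override is set --
        # confirm in cisco_func.inc.
        security_hole(port:0, extra:report + cisco_caveat(override));
        exit(0);
      }
      else security_hole(port:0, extra:cisco_caveat(override));
    }
    else audit(AUDIT_HOST_NOT, "affected");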
    
  • NASL family: CISCO
    NASL id: CISCO-SA-20160323-DHCPV6-IOS.NASL
    description: According to its self-reported version, the Cisco IOS software running on the remote device is affected by a denial of service vulnerability in the DHCPv6 Relay feature due to improper validation of DHCPv6 relay messages. An unauthenticated, remote attacker can exploit this issue, via a crafted DHCPv6 relay message, to cause the device to reload.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90353
    published: 2016-04-06
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90353
    title: Cisco IOS DHCPv6 Relay Message Handling DoS (cisco-sa-20160323-dhcpv6)
    code:
    #TRUSTED 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
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration block: when the scanner loads the plugin with `description`
    # set, only the metadata below is recorded and the script exits (exit(0) at
    # the end of the block) before any of the checks further down run.
    if (description)
    {
      script_id(90353);
      script_version("1.10");
      script_cvs_date("Date: 2019/11/20");
    
      # Identifiers that tie a finding back to the CVE, the Cisco bug ID and the
      # Cisco security advisory.
      script_cve_id("CVE-2016-1348");
      script_xref(name:"CISCO-BUG-ID", value:"CSCus55821");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20160323-dhcpv6");
    
      script_name(english:"Cisco IOS DHCPv6 Relay Message Handling DoS (cisco-sa-20160323-dhcpv6)");
      # The summary states the detection method: a version comparison, so a
      # finding is only as reliable as the version string the device reports.
      script_summary(english:"Checks the IOS version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is missing a vendor-supplied security patch.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the Cisco IOS software running
    on the remote device is affected by a denial of service vulnerability
    in the DHCPv6 Relay feature due to improper validation of DHCPv6 relay
    messages. An unauthenticated, remote attacker can exploit this issue,
    via a crafted DHCPv6 relay message, to cause the device to reload.");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-dhcpv6
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?239272f7");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to the relevant fixed version referenced in Cisco bug ID
    CSCus55821.");
      # CVSS v2 and v3 base vectors: network attack vector, low complexity, no
      # authentication/privileges, no confidentiality or integrity impact,
      # complete/high availability impact (A:C, A:H). The temporal vectors record
      # an unproven exploit (E:U) and an official fix (RL:OF / RL:O).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1348");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/03/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/06");
    
      # "local" plugin type: the checks below read knowledge-base items (the
      # version string and, where available, saved command output); nothing in
      # this script sends DHCPv6 traffic to the device.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
      script_end_attributes();
    
      # Information-gathering category.
      script_category(ACT_GATHER_INFO);
      script_family(english:"CISCO");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Depends on the IOS version-detection plugin and requires the KB key
      # that the checks below read.
      script_dependencies("cisco_ios_version.nasl");
      script_require_keys("Host/Cisco/IOS/Version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("cisco_func.inc");
    include("cisco_kb_cmd_func.inc");
    
    # flag     : non-zero once the host is considered affected.
    # override : 1 when the relay configuration could not be read for lack of
    #            enable privileges; handed to cisco_caveat() when reporting.
    flag = 0;
    override = 0;
    
    # Installed IOS release from the knowledge base; the script exits here when
    # the key is absent.
    ver = get_kb_item_or_exit("Host/Cisco/IOS/Version");
    
    # IOS releases this plugin treats as affected by CSCus55821, grouped by
    # release train. Matching is exact string equality, so a release that is
    # not listed here is never flagged.
    vuln_versions = make_list(
      '15.0(1)SY3', '15.0(1)SY4', '15.0(1)SY5', '15.0(1)SY6', '15.0(1)SY7',
      '15.0(1)SY7a', '15.0(1)SY8', '15.0(1)SY9',
      '15.1(1)SY1', '15.1(1)SY2', '15.1(1)SY3', '15.1(1)SY4', '15.1(1)SY5',
      '15.1(1)SY6',
      '15.1(2)SY', '15.1(2)SY1', '15.1(2)SY2', '15.1(2)SY3', '15.1(2)SY4',
      '15.1(2)SY4a', '15.1(2)SY5', '15.1(2)SY6',
      '15.2(1)E', '15.2(1)E1', '15.2(1)E2', '15.2(1)E3',
      '15.2(2)E', '15.2(2)E1', '15.2(2)E2', '15.2(2)E3',
      '15.2(2a)E1', '15.2(2a)E2',
      '15.2(3)E', '15.2(3)E1', '15.2(3)E2',
      '15.2(3a)E',
      '15.2(3m)E2', '15.2(3m)E3',
      '15.2(4)E',
      '15.2(2)EB', '15.2(2)EB1',
      '15.2(1)EY',
      '15.2(2)EA1', '15.2(2)EA2',
      '15.2(3)EA',
      '15.2(4)EA',
      '15.2(1)S', '15.2(1)S1', '15.2(1)S2',
      '15.2(2)S', '15.2(2)S0a', '15.2(2)S0c', '15.2(2)S1', '15.2(2)S2',
      '15.2(4)S', '15.2(4)S1', '15.2(4)S2', '15.2(4)S3', '15.2(4)S3a',
      '15.2(4)S4', '15.2(4)S4a', '15.2(4)S5', '15.2(4)S6', '15.2(4)S7',
      '15.2(2)SNG', '15.2(2)SNH1', '15.2(2)SNI',
      '15.2(1)SY', '15.2(1)SY0a', '15.2(1)SY1', '15.2(1)SY1a',
      '15.2(2)SY',
      '15.3(1)S', '15.3(1)S1', '15.3(1)S2',
      '15.3(2)S', '15.3(2)S0a', '15.3(2)S1', '15.3(2)S2',
      '15.3(3)S', '15.3(3)S1', '15.3(3)S1a', '15.3(3)S2', '15.3(3)S3',
      '15.3(3)S4', '15.3(3)S5', '15.3(3)S6',
      '15.4(1)S', '15.4(1)S1', '15.4(1)S2', '15.4(1)S3', '15.4(1)S4',
      '15.4(2)S', '15.4(2)S1', '15.4(2)S2', '15.4(2)S3', '15.4(2)S4',
      '15.4(3)S', '15.4(3)S1', '15.4(3)S2', '15.4(3)S3', '15.4(3)S4',
      '15.5(1)S', '15.5(1)S1', '15.5(1)S2', '15.5(1)S3',
      '15.5(2)S', '15.5(2)S1', '15.5(2)S2',
      '15.5(3)S', '15.5(3)S0a', '15.5(3)S1', '15.5(3)S1a',
      '15.5(3)SN'
    );
    
    # Version check: one exact comparison per listed release.
    foreach vuln_ver (vuln_versions)
      if (ver == vuln_ver) flag++;
    
    # DHCPv6 relay check: only for a listed release and only when local checks
    # are enabled; otherwise the version match alone decides the result.
    if (flag && get_kb_item("Host/local_checks_enabled"))
    {
      # Start again from "not affected".
      flag = 0;
    
      relay_out = cisco_command_kb_item("Host/Cisco/Config/show_ipv6_dhcp_interface", "show ipv6 dhcp interface");
      if (!check_cisco_result(relay_out))
      {
        # Command output unusable. If that is because enable privileges were
        # missing, fall back to the version match and record the override;
        # any other failure leaves the host unflagged.
        if (cisco_needs_enable(relay_out))
        {
          flag = 1;
          override = 1;
        }
      }
      else if ("is in relay mode" >< relay_out)
      {
        # `><` is NASL's substring test: an interface is in DHCPv6 relay mode.
        flag = 1;
      }
    }
    
    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    else if (report_verbosity > 0)
    {
      # Verbose report: bug ID and installed release, followed by whatever
      # cisco_caveat() returns for the override state.
      details =
        '\n  Cisco bug ID      : CSCus55821' +
        '\n  Installed release : ' + ver +
        '\n';
      security_hole(port:0, extra:details + cisco_caveat(override));
      exit(0);
    }
    else security_hole(port:0, extra:cisco_caveat(override));