Vulnerabilities > CVE-2016-1350 - Resource Management Errors vulnerability in Cisco IOS and IOS XE

047910
CVSS 7.8 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: COMPLETE
network
low complexity
cisco
CWE-399
nessus

Summary

Cisco IOS 15.3 and 15.4, Cisco IOS XE 3.8 through 3.11, and Cisco Unified Communications Manager allow remote attackers to cause a denial of service (device reload) via malformed SIP messages, aka Bug ID CSCuj23293.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: CISCO
    NASL id: CISCO-SA-20160323-SIP-IOS.NASL
    description: According to its self-reported version, the Cisco IOS software running on the remote device is affected by a denial of service vulnerability in the Session Initiation Protocol (SIP) gateway implementation due to improper handling of malformed SIP messages. An unauthenticated, remote attacker can exploit this, via crafted SIP messages, to cause memory leakage, resulting in an eventual reload of the affected device.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90310
    published: 2016-04-01
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90310
    title: Cisco IOS SIP Memory Leak DoS (CSCuj23293)
    code
    #TRUSTED 447e591047064ae1f7d34dfaa408459647131a22a4d0da4bd316d12a0d2018938dd8209c9302f5d783ce7edf41a72186065055d9ad8d457e5d716f14825a54fb538d7689414e88d76abf9f58e8cf486fe13e6bf73b6349f26509dc332b109b17e7a458dbbcb24dc8b96231a2b007c398dfde9013980ac12331cae544e1d086ef12b65c9083f117e7fb7d35acc95b8407829b09539509251ab6539143acef5f4e99e9cba70ee6ec94b4192bee74437f268a99899047864cb2ec1ba5375193553a188a02c9cb8829bf87a47bd352a8395e0fe5d94d3f14f1d15f3b338b67dbe28e22ed00f6041eea2fe9f13285f4c6b259e66cf47a63d2b80aa9f8ca6cb8b21f249610e67be93468c61852e5514e97962f4bf84653529320d49693c2a4fe76dfc0e2a305b25c9aa09815b4789280d121a149aba94f4786f118155d0d05ec3c18ed76bf007625680a3e5b6280ec5a383dd2bc646861956b520d38dd0cca0e37b4a2e7d20115193564e73786f00161105b0e3cd0211be0d4620c6b5b437f838950d8c6ab945c136c39e2a1428ce78b3a81767d17932948f67dde577d26ba03307cbb01a2c1dea67e880ee95a9c6c3516394cf5f66deef82e0b58ab73426ff1df4aa38b6e30d6dcf63c51a257d8ea28878debc90f1dd19b9862f47c51625ebbc1efe813b4c5253dbd9379fadd512239bf160b569d59e4086648ef349acf2695f93346
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when `description` is set the script only declares its
    # metadata and leaves through the exit(0) at the end of this block, so none of
    # the detection code further down runs.
    if (description)
    {
      script_id(90310);
      script_version("1.9");
      script_cvs_date("Date: 2019/11/20");
    
      # Cross-references a responder can use to pull the vendor advisory and bug.
      script_cve_id("CVE-2016-1350");
      script_xref(name:"CISCO-BUG-ID", value:"CSCuj23293");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20160323-sip");
    
      script_name(english:"Cisco IOS SIP Memory Leak DoS (CSCuj23293)");
      script_summary(english:"Checks the IOS version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is affected by denial of service vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the Cisco IOS software running
    on the remote device is affected by a denial of service vulnerability
    in the Session Initiation Protocol (SIP) gateway implementation due to
    improper handling of malformed SIP messages. An unauthenticated,
    remote attacker can exploit this, via crafted SIP messages, to cause
    memory leakage, resulting in an eventual reload of the affected
    device.");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-sip
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ddc3f527");
      script_set_attribute(attribute:"see_also", value:"https://quickview.cloudapps.cisco.com/quickview/bug/CSCuj23293");
      # The solution text names no fixed release; the advisory is the source for that.
      script_set_attribute(attribute:"solution", value:
    "Apply the relevant patch referenced in the Cisco security advisory.");
      # Both base vectors describe an unauthenticated network attack whose only
      # impact is availability (C:N/I:N with A:C in v2 and A:H in v3).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1350");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/03/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/01");
    
      # "local": the detection code below works from data already collected from
      # the device (release string, optional command output); it sends no SIP traffic.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CISCO");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # The check needs the KB key Host/Cisco/IOS/Version; cisco_ios_version.nasl
      # is declared as the dependency (presumably the plugin that fills that key).
      script_dependencies("cisco_ios_version.nasl");
      script_require_keys("Host/Cisco/IOS/Version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("cisco_func.inc");
    include("cisco_kb_cmd_func.inc");
    
    # Release string recorded in the KB. get_kb_item_or_exit() ends the script
    # when the key is missing, so nothing below runs without a version.
    ver = get_kb_item_or_exit("Host/Cisco/IOS/Version");
    
    # Raised by the configuration check only when the SIP process listing could
    # not be read without enable mode.
    override = 0;
    
    # Release strings this plugin treats as affected by CSCuj23293.
    affected = make_list(
      "15.3(3)M", "15.3(3)M1", "15.3(3)M2",
      "15.3(1)S1", "15.3(1)S2", "15.3(2)S0a", "15.3(2)S2",
      "15.3(1)T", "15.3(1)T1", "15.3(1)T2", "15.3(1)T3", "15.3(1)T4",
      "15.3(2)T", "15.3(2)T1", "15.3(2)T2", "15.3(2)T3", "15.3(2)T4",
      "15.4(1)CG", "15.4(2)CG",
      "15.4(1)T", "15.4(1)T1", "15.4(2)T"
    );
    
    # Exact string comparison against the self-reported release: a release that
    # differs from every entry in any character is not flagged, so a clean result
    # should still be checked against the affected-release list in the advisory.
    flag = 0;
    foreach badver (affected)
    {
      if (ver != badver) continue;
      flag = 1;
      break;
    }
    
    # Configuration check
    # Runs only for a version match on a host with local checks enabled. The
    # finding is then kept only if the process listing shows a CCSIP_UDP_SOCKET or
    # CCSIP_TCP_SOCKET entry. Without local checks the version match alone decides.
    if (flag && get_kb_item("Host/local_checks_enabled"))
    {
      flag = 0;
      pat = " CCSIP_(UDP|TCP)_SOCKET(\r?\n|$)";
      buf = cisco_command_kb_item("Host/Cisco/Config/show_processes_include_sip","show processes | include SIP ");
      if (!check_cisco_result(buf))
      {
        # Output not usable because enable mode is needed: keep the finding and
        # set override so that cisco_caveat() receives it in the report.
        if (cisco_needs_enable(buf))
        {
          override = 1;
          flag = 1;
        }
        # NOTE(review): for any other unusable output flag stays 0 and the host
        # is audited as not affected; confirm that outcome is intended.
      }
      else if (preg(multiline:TRUE, pattern:pat, string:buf))
        flag = 1;
    }
    
    # No finding: audit() ends the script with the "not affected" trail.
    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    
    order = make_list('Cisco bug ID', 'Installed release');
    items = make_array(
      order[0], "CSCuj23293",
      order[1], ver
    );
    
    # The Cisco caveat is part of the report at every verbosity level; the
    # bug ID / release table is added only when report_verbosity is above 0.
    report = cisco_caveat(override);
    if (report_verbosity > 0)
      report = report_items_str(report_items:items, ordered_fields:order) + report;
    
    security_hole(port:0, extra:report);
    exit(0);
    
  • NASL family: CISCO
    NASL id: CISCO-SA-20160323-SIP-IOSXE.NASL
    description: According to its self-reported version, the Cisco IOS XE software running on the remote device is affected by a denial of service vulnerability in the Session Initiation Protocol (SIP) gateway implementation due to improper handling of malformed SIP messages. An unauthenticated, remote attacker can exploit this, via crafted SIP messages, to cause memory leakage, resulting in an eventual reload of the affected device.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90311
    published: 2016-04-01
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90311
    title: Cisco IOS XE SIP Memory Leak DoS (CSCuj23293)
    code
    #TRUSTED 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
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
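    # Registration pass: when `description` is set the script only declares its
    # metadata and leaves through the exit(0) at the end of this block, so none of
    # the detection code further down runs.
    if (description)
    {
      script_id(90311);
      script_version("1.9");
      script_cvs_date("Date: 2019/11/20");
    
      # Cross-references a responder can use to pull the vendor advisory and bug.
      script_cve_id("CVE-2016-1350");
      script_xref(name:"CISCO-BUG-ID", value:"CSCuj23293");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20160323-sip");
    
      script_name(english:"Cisco IOS XE SIP Memory Leak DoS (CSCuj23293)");
      script_summary(english:"Checks the IOS-XE version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is affected by denial of service vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the Cisco IOS XE software
    running on the remote device is affected by a denial of service
    vulnerability in the Session Initiation Protocol (SIP) gateway
    implementation due to improper handling of malformed SIP messages. An
    unauthenticated, remote attacker can exploit this, via crafted SIP
    messages, to cause memory leakage, resulting in an eventual reload of
    the affected device.");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-sip
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ddc3f527");
      script_set_attribute(attribute:"see_also", value:"https://quickview.cloudapps.cisco.com/quickview/bug/CSCuj23293");
      # The solution text names no fixed release; the advisory is the source for that.
      script_set_attribute(attribute:"solution", value:
    "Apply the relevant patch referenced in the Cisco security advisory.");
      # Both base vectors describe an unauthenticated network attack whose only
      # impact is availability (C:N/I:N with A:C in v2 and A:H in v3).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1350");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/03/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/01");
    
      # "local": the detection code below works from data already collected from
      # the device (release string, optional command output); it sends no SIP traffic.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CISCO");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # The check needs the KB key Host/Cisco/IOS-XE/Version; cisco_ios_xe_version.nasl
      # is declared as the dependency (presumably the plugin that fills that key).
      script_dependencies("cisco_ios_xe_version.nasl");
      script_require_keys("Host/Cisco/IOS-XE/Version");
    
      exit(0);
    }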
    
    include("audit.inc");
    include("cisco_func.inc");
    include("cisco_kb_cmd_func.inc");
    
    # Release string recorded in the KB. get_kb_item_or_exit() ends the script
    # when the key is missing, so nothing below runs without a version.
    version = get_kb_item_or_exit("Host/Cisco/IOS-XE/Version");
    
    # Raised by the configuration check only when the SIP process listing could
    # not be read without enable mode.
    override = 0;
    
    # Release strings this plugin treats as affected by CSCuj23293.
    affected = make_list(
      "3.8.0S", "3.8.1S", "3.8.2S",
      "3.9.0S", "3.9.0aS", "3.9.1S", "3.9.1aS", "3.9.2S",
      "3.10.0S", "3.10.1S", "3.10.1xbS", "3.10.2S",
      "3.11.0S"
    );
    
    # Exact string comparison against the self-reported release: a release that
    # differs from every entry in any character is not flagged, so a clean result
    # should still be checked against the affected-release list in the advisory.
    flag = 0;
    foreach badver (affected)
    {
      if (version != badver) continue;
      flag = 1;
      break;
    }
    
    # Configuration check
    # Runs only for a version match on a host with local checks enabled. The
    # finding is then kept only if the process listing shows a CCSIP_UDP_SOCKET or
    # CCSIP_TCP_SOCKET entry. Without local checks the version match alone decides.
    if (flag && get_kb_item("Host/local_checks_enabled"))
    {
      flag = 0;
      pat = " CCSIP_(UDP|TCP)_SOCKET(\r?\n|$)";
      buf = cisco_command_kb_item("Host/Cisco/Config/show_processes_include_sip","show processes | include SIP ");
      if (!check_cisco_result(buf))
      {
        # Output not usable because enable mode is needed: keep the finding and
        # set override so that cisco_caveat() receives it in the report.
        if (cisco_needs_enable(buf))
        {
          override = 1;
          flag = 1;
        }
        # NOTE(review): for any other unusable output flag stays 0 and the host
        # is audited as not affected; confirm that outcome is intended.
      }
      else if (preg(multiline:TRUE, pattern:pat, string:buf))
        flag = 1;
    }
    
    # No finding: audit() ends the script with the "not affected" trail.
    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    
    order = make_list('Cisco bug ID', 'Installed release');
    items = make_array(
      order[0], "CSCuj23293",
      order[1], version
    );
    
    # The Cisco caveat is part of the report at every verbosity level; the
    # bug ID / release table is added only when report_verbosity is above 0.
    report = cisco_caveat(override);
    if (report_verbosity > 0)
      report = report_items_str(report_items:items, ordered_fields:order) + report;
    
    security_hole(port:0, extra:report);
    exit(0);
    
  • NASL family: CISCO
    NASL id: CISCO_CUCM_A-20160323-SIP.NASL
    description: According to its self-reported version, the Cisco Unified Communications Manager (CUCM) running on the remote device is affected by a denial of service vulnerability in the Session Initiation Protocol (SIP) gateway implementation due to improper handling of malformed SIP messages. An unauthenticated, remote attacker can exploit this, via crafted SIP messages, to cause memory leakage, resulting in an eventual reload of the affected device.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90312
    published: 2016-04-01
    reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/90312
    title: Cisco Unified Communications Manager SIP Memory Leak DoS (CSCuv39370)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when `description` is set the script only declares its
    # metadata and leaves through the exit(0) at the end of this block, so none of
    # the detection code further down runs.
    if (description)
    {
      script_id(90312);
      script_version("1.9");
      script_cvs_date("Date: 2018/07/06 11:26:06");
    
      # Same CVE and advisory as the IOS / IOS XE plugins on this page, but the
      # CUCM issue is tracked under its own bug ID (CSCuv39370).
      script_cve_id("CVE-2016-1350");
      script_bugtraq_id(85372);
      script_xref(name:"CISCO-BUG-ID", value:"CSCuv39370");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20160323-sip");
    
      script_name(english:"Cisco Unified Communications Manager SIP Memory Leak DoS (CSCuv39370)");
      script_summary(english:"Checks the version of Cisco Unified Communications Manager (CUCM).");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is affected by denial of service vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the Cisco Unified
    Communications Manager (CUCM) running on the remote device is affected
    by a denial of service vulnerability in the Session Initiation
    Protocol (SIP) gateway implementation due to improper handling of
    malformed SIP messages. An unauthenticated, remote attacker can
    exploit this, via crafted SIP messages, to cause memory leakage,
    resulting in an eventual reload of the affected device.");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-sip
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ddc3f527");
      script_set_attribute(attribute:"see_also", value:"https://quickview.cloudapps.cisco.com/quickview/bug/CSCuv39370");
      # NOTE(review): the solution text lists fixed releases for 9.x, 10.x and 11.x
      # only, while the version check below also reports fixed builds for 8.x.
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Cisco Unified Communications Manager version 9.1(2)SU4 /
    10.5(2)SU3 / 11.0(1)SU1 or later.");
      # Both base vectors describe an unauthenticated network attack whose only
      # impact is availability (C:N/I:N with A:C in v2 and A:H in v3).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/03/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/01");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:unified_communications_manager");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CISCO");
    
      script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");
    
      # The check needs both CUCM version KB keys; cisco_ucm_detect.nbin is declared
      # as the dependency (presumably the plugin that fills them).
      script_dependencies("cisco_ucm_detect.nbin");
      script_require_keys("Host/Cisco/CUCM/Version", "Host/Cisco/CUCM/Version_Display");
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Version-only check: the decision rests on the self-reported CUCM version in
    # the KB; no configuration or SIP state is examined in this script.
    # get_kb_item_or_exit() ends the script if either key is missing.
    ver         = get_kb_item_or_exit("Host/Cisco/CUCM/Version");
    ver_display = get_kb_item_or_exit("Host/Cisco/CUCM/Version_Display");
    # Stays FALSE unless a branch below finds the installed build older than the
    # fixed build for its release line.
    fix_display = FALSE;
    app_name    = "Cisco Unified Communications Manager (CUCM)";
    
    # Each branch pairs a release-line prefix with ver_compare(...) < 0, used here
    # as "installed build is older than the fixed build". The 8.6.2 branch is still
    # reachable after the generic 8.x branch: an 8.6.2.x build is not older than
    # 8.6.1.20015.1, so the first condition fails and the second one decides
    # (assuming ver_compare compares the dotted fields numerically).
    # NOTE(review): a version outside 8.x-11.x matches no branch and is audited
    # as not vulnerable; confirm against the advisory for other release lines.
    if (ver =~ "^8\." && ver_compare(ver:ver, fix:'8.6.1.20015.1', strict:FALSE) < 0)
      fix_display = "8.6(1.20015.1)";
    else if (ver =~ "^8\.6\.2\." && ver_compare(ver:ver, fix:'8.6.2.26169.1', strict:FALSE) < 0)
      fix_display = "8.6(2.26169.1)";
    else if (ver =~ "^9\."  && ver_compare(ver:ver, fix:'9.1.2.14102.1', strict:FALSE) < 0)
      fix_display = "9.1(2)su4 / 9.1(2.14102.1)";
    else if (ver =~ "^10\." && ver_compare(ver:ver, fix:'10.5.2.13033.1', strict:FALSE) < 0)
      fix_display = "10.5(2)su3 / 10.5(2.13033.1)";
    else if (ver =~ "^11\." && ver_compare(ver:ver, fix:'11.0.1.21006.1', strict:FALSE) < 0)
      fix_display = "11.0(1)su1 / 11.0(1.21006.1)";
    
    # No branch matched: report the installed version as not vulnerable. The
    # reporting code that follows relies on audit() ending the script here.
    if (!fix_display)
      audit(AUDIT_INST_VER_NOT_VULN, app_name, ver_display);
    
    # Build the finding: bug ID, the installed release as displayed, and the fixed
    # release chosen by the version check above, in that order.
    order = make_list('Cisco bug ID', 'Installed release', 'Fixed release');
    items = make_array(
      order[0], "CSCuv39370",
      order[1], ver_display,
      order[2], fix_display
    );
    
    # Reported on port 0 with SECURITY_HOLE severity.
    report = report_items_str(report_items:items, ordered_fields:order);
    security_report_v4(extra:report, port:0, severity:SECURITY_HOLE);