Vulnerabilities > CVE-2016-1350 - Resource Management Errors vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
Cisco IOS 15.3 and 15.4, Cisco IOS XE 3.8 through 3.11, and Cisco Unified Communications Manager allow remote attackers to cause a denial of service (device reload) via malformed SIP messages, aka Bug ID CSCuj23293.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 13 | |
OS | 1 | |
OS | 1 | |
OS | 2 | |
OS | 1 | |
OS | 1 |
Common Weakness Enumeration (CWE)
Nessus
NASL family CISCO NASL id CISCO-SA-20160323-SIP-IOS.NASL description According to its self-reported version, the Cisco IOS software running on the remote device is affected by a denial of service vulnerability in the Session Initiation Protocol (SIP) gateway implementation due to improper handling of malformed SIP messages. An unauthenticated, remote attacker can exploit this, via crafted SIP messages, to cause memory leakage, resulting in an eventual reload of the affected device. last seen 2020-06-01 modified 2020-06-02 plugin id 90310 published 2016-04-01 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90310 title Cisco IOS SIP Memory Leak DoS (CSCuj23293) code #TRUSTED 447e591047064ae1f7d34dfaa408459647131a22a4d0da4bd316d12a0d2018938dd8209c9302f5d783ce7edf41a72186065055d9ad8d457e5d716f14825a54fb538d7689414e88d76abf9f58e8cf486fe13e6bf73b6349f26509dc332b109b17e7a458dbbcb24dc8b96231a2b007c398dfde9013980ac12331cae544e1d086ef12b65c9083f117e7fb7d35acc95b8407829b09539509251ab6539143acef5f4e99e9cba70ee6ec94b4192bee74437f268a99899047864cb2ec1ba5375193553a188a02c9cb8829bf87a47bd352a8395e0fe5d94d3f14f1d15f3b338b67dbe28e22ed00f6041eea2fe9f13285f4c6b259e66cf47a63d2b80aa9f8ca6cb8b21f249610e67be93468c61852e5514e97962f4bf84653529320d49693c2a4fe76dfc0e2a305b25c9aa09815b4789280d121a149aba94f4786f118155d0d05ec3c18ed76bf007625680a3e5b6280ec5a383dd2bc646861956b520d38dd0cca0e37b4a2e7d20115193564e73786f00161105b0e3cd0211be0d4620c6b5b437f838950d8c6ab945c136c39e2a1428ce78b3a81767d17932948f67dde577d26ba03307cbb01a2c1dea67e880ee95a9c6c3516394cf5f66deef82e0b58ab73426ff1df4aa38b6e30d6dcf63c51a257d8ea28878debc90f1dd19b9862f47c51625ebbc1efe813b4c5253dbd9379fadd512239bf160b569d59e4086648ef349acf2695f93346 # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(90310); script_version("1.9"); script_cvs_date("Date: 2019/11/20"); script_cve_id("CVE-2016-1350"); script_xref(name:"CISCO-BUG-ID", value:"CSCuj23293"); script_xref(name:"CISCO-SA", value:"cisco-sa-20160323-sip"); script_name(english:"Cisco IOS SIP Memory Leak DoS (CSCuj23293)"); script_summary(english:"Checks the IOS version."); script_set_attribute(attribute:"synopsis", value: "The remote device is affected by denial of service vulnerability."); script_set_attribute(attribute:"description", value: "According to its self-reported version, the Cisco IOS software running on the remote device is affected by a denial of service vulnerability in the Session Initiation Protocol (SIP) gateway implementation due to improper handling of malformed SIP messages. An unauthenticated, remote attacker can exploit this, via crafted SIP messages, to cause memory leakage, resulting in an eventual reload of the affected device."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-sip script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ddc3f527"); script_set_attribute(attribute:"see_also", value:"https://quickview.cloudapps.cisco.com/quickview/bug/CSCuj23293"); script_set_attribute(attribute:"solution", value: "Apply the relevant patch referenced in the Cisco security advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1350"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/23"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/01"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("cisco_ios_version.nasl"); script_require_keys("Host/Cisco/IOS/Version"); exit(0); } include("audit.inc"); include("cisco_func.inc"); include("cisco_kb_cmd_func.inc"); flag = 0; override = 0; ver = get_kb_item_or_exit("Host/Cisco/IOS/Version"); affected = make_list( "15.3(3)M", "15.3(3)M1", "15.3(3)M2", "15.3(1)S1", "15.3(1)S2", "15.3(2)S0a", "15.3(2)S2", "15.3(1)T", "15.3(1)T1", "15.3(1)T2", "15.3(1)T3", "15.3(1)T4", "15.3(2)T", "15.3(2)T1", "15.3(2)T2", "15.3(2)T3", "15.3(2)T4", "15.4(1)CG", "15.4(2)CG", "15.4(1)T", "15.4(1)T1", "15.4(2)T" ); flag = 0; foreach badver (affected) { if (badver == ver) { flag = 1; break; } } # Configuration check if (flag && get_kb_item("Host/local_checks_enabled")) { pat = " CCSIP_(UDP|TCP)_SOCKET(\r?\n|$)"; flag = 0; buf = cisco_command_kb_item("Host/Cisco/Config/show_processes_include_sip","show processes | include SIP "); if (check_cisco_result(buf)) { if ( preg(multiline:TRUE, pattern:pat, string:buf) ) flag = 1; } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; } } if (flag) { order = make_list('Cisco bug ID', 'Installed release'); report = make_array( order[0], "CSCuj23293", order[1], ver ); if (report_verbosity > 0) report = report_items_str(report_items:report, ordered_fields:order) + cisco_caveat(override); else # Cisco Caveat is always reported report = cisco_caveat(override); security_hole(port:0, extra:report); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family CISCO NASL id CISCO-SA-20160323-SIP-IOSXE.NASL description According to its self-reported version, the Cisco IOS XE software running on the remote device is affected by a denial of service vulnerability in the Session Initiation Protocol (SIP) gateway implementation due to improper handling of malformed SIP messages. An unauthenticated, remote attacker can exploit this, via crafted SIP messages, to cause memory leakage, resulting in an eventual reload of the affected device. last seen 2020-06-01 modified 2020-06-02 plugin id 90311 published 2016-04-01 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90311 title Cisco IOS XE SIP Memory Leak DoS (CSCuj23293) code #TRUSTED 90b60e12bb1dad040956df034a8982a5664299447b13cc1dd85d1c5e3cee9ae73161ccf62e48bfa09f1dfb9b47c562c5811c2445e83c30ebc75629557d129e0594765a7b9bb8b3aed9201331845e79dffc71a5a7accfd6c9610ed3fc3f8a46b363b28aedd2935c7b66124a8b091c9db87ecffb3adbcb6fb8bd1a235ada97b0dbd56d031d3346271c2965d2de2ebe3ae0d9699abaa69a28edec28ca292a3efe85571d5a4b319d813d36a820889b0ccbf53253ceb94f19d4efe859e9d484e3425a2bcc4e2ae72fab55e230e022f5be06fc781a829cb31bcdb75cfdff28055db761a88fa1e5226bcd9c09ffbd29fd22a583779c92a3b924efb014847e2791d0ff0c1ad0ccbfd08e1df9dbee0244410c2aa18903d337cf2b1aaa1731c37544050cbbfc5f9dd0ef75d13d1a9bdf15f280c4e8f95dace8c0b72bef43f18a435ae848b0c50c6dd932beff1e60e3c1f6a9860342e1eeef04c495276a7cc48ba9b45f2b82aa68763abbc5989951ab69d04efa42afe9e9bbd76c6e8821647cb3de84981adc5749739232a12a9e26e288eb3405150ad95bfb204dc5b70a57ebe7e8d05e2b859b91e215427e5cbdf92b0e69cee6664e35c5bdfb6568516b8ee447a70dd61017ef0d27714d63532f325eecd358e5c99bfcb87b68a295444fb27148fd1d497171da73d6392c3987b366f985f59b547d3c55a1dd6eebcf72d24ee83774bd06ab60 # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(90311); script_version("1.9"); script_cvs_date("Date: 2019/11/20"); script_cve_id("CVE-2016-1350"); script_xref(name:"CISCO-BUG-ID", value:"CSCuj23293"); script_xref(name:"CISCO-SA", value:"cisco-sa-20160323-sip"); script_name(english:"Cisco IOS XE SIP Memory Leak DoS (CSCuj23293)"); script_summary(english:"Checks the IOS-XE version."); script_set_attribute(attribute:"synopsis", value: "TThe remote device is affected by denial of service vulnerability."); script_set_attribute(attribute:"description", value: "According to its self-reported version, the Cisco IOS XE software running on the remote device is affected by a denial of service vulnerability in the Session Initiation Protocol (SIP) gateway implementation due to improper handling of malformed SIP messages. An unauthenticated, remote attacker can exploit this, via crafted SIP messages, to cause memory leakage, resulting in an eventual reload of the affected device."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-sip script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ddc3f527"); script_set_attribute(attribute:"see_also", value:"https://quickview.cloudapps.cisco.com/quickview/bug/CSCuj23293"); script_set_attribute(attribute:"solution", value: "Apply the relevant patch referenced in the Cisco security advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1350"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/23"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/01"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("cisco_ios_xe_version.nasl"); script_require_keys("Host/Cisco/IOS-XE/Version"); exit(0); } include("audit.inc"); include("cisco_func.inc"); include("cisco_kb_cmd_func.inc"); version = get_kb_item_or_exit("Host/Cisco/IOS-XE/Version"); flag = 0; override = 0; affected = make_list( "3.8.0S", "3.8.1S", "3.8.2S", "3.9.0S", "3.9.0aS", "3.9.1S", "3.9.1aS", "3.9.2S", "3.10.0S", "3.10.1S", "3.10.1xbS", "3.10.2S", "3.11.0S" ); flag = 0; foreach badver (affected) { if (badver == version) { flag = 1; break; } } # Configuration check if (flag && get_kb_item("Host/local_checks_enabled")) { pat = " CCSIP_(UDP|TCP)_SOCKET(\r?\n|$)"; flag = 0; buf = cisco_command_kb_item("Host/Cisco/Config/show_processes_include_sip","show processes | include SIP "); if (check_cisco_result(buf)) { if ( preg(multiline:TRUE, pattern:pat, string:buf) ) flag = 1; } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; } } if (flag) { order = make_list('Cisco bug ID', 'Installed release'); report = make_array( order[0], "CSCuj23293", order[1], version ); if (report_verbosity > 0) report = report_items_str(report_items:report, ordered_fields:order) + cisco_caveat(override); else # Cisco Caveat is always reported report = cisco_caveat(override); security_hole(port:0, extra:report); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family CISCO NASL id CISCO_CUCM_A-20160323-SIP.NASL description According to its self-reported version, the Cisco Unified Communications Manager (CUCM) running on the remote device is affected by a denial of service vulnerability in the Session Initiation Protocol (SIP) gateway implementation due to improper handling of malformed SIP messages. An unauthenticated, remote attacker can exploit this, via crafted SIP messages, to cause memory leakage, resulting in an eventual reload of the affected device. last seen 2020-06-01 modified 2020-06-02 plugin id 90312 published 2016-04-01 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/90312 title Cisco Unified Communications Manager SIP Memory Leak DoS (CSCuv39370) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(90312); script_version("1.9"); script_cvs_date("Date: 2018/07/06 11:26:06"); script_cve_id("CVE-2016-1350"); script_bugtraq_id(85372); script_xref(name:"CISCO-BUG-ID", value:"CSCuv39370"); script_xref(name:"CISCO-SA", value:"cisco-sa-20160323-sip"); script_name(english:"Cisco Unified Communications Manager SIP Memory Leak DoS (CSCuv39370)"); script_summary(english:"Checks the version of Cisco Unified Communications Manager (CUCM)."); script_set_attribute(attribute:"synopsis", value: "The remote device is affected by denial of service vulnerability."); script_set_attribute(attribute:"description", value: "According to its self-reported version, the Cisco Unified Communications Manager (CUCM) running on the remote device is affected by a denial of service vulnerability in the Session Initiation Protocol (SIP) gateway implementation due to improper handling of malformed SIP messages. An unauthenticated, remote attacker can exploit this, via crafted SIP messages, to cause memory leakage, resulting in an eventual reload of the affected device."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-sip script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ddc3f527"); script_set_attribute(attribute:"see_also", value:"https://quickview.cloudapps.cisco.com/quickview/bug/CSCuv39370"); script_set_attribute(attribute:"solution", value: "Upgrade to Cisco Unified Communications Manager version 9.1(2)SU4 / 10.5(2)SU3 / 11.0(1)SU1 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/23"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/01"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:unified_communications_manager"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc."); script_dependencies("cisco_ucm_detect.nbin"); script_require_keys("Host/Cisco/CUCM/Version", "Host/Cisco/CUCM/Version_Display"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); ver = get_kb_item_or_exit("Host/Cisco/CUCM/Version"); ver_display = get_kb_item_or_exit("Host/Cisco/CUCM/Version_Display"); fix_display = FALSE; app_name = "Cisco Unified Communications Manager (CUCM)"; if (ver =~ "^8\." && ver_compare(ver:ver, fix:'8.6.1.20015.1', strict:FALSE) < 0) fix_display = "8.6(1.20015.1)"; else if (ver =~ "^8\.6\.2\." && ver_compare(ver:ver, fix:'8.6.2.26169.1', strict:FALSE) < 0) fix_display = "8.6(2.26169.1)"; else if (ver =~ "^9\." && ver_compare(ver:ver, fix:'9.1.2.14102.1', strict:FALSE) < 0) fix_display = "9.1(2)su4 / 9.1(2.14102.1)"; else if (ver =~ "^10\." && ver_compare(ver:ver, fix:'10.5.2.13033.1', strict:FALSE) < 0) fix_display = "10.5(2)su3 / 10.5(2.13033.1)"; else if (ver =~ "^11\." && ver_compare(ver:ver, fix:'11.0.1.21006.1', strict:FALSE) < 0) fix_display = "11.0(1)su1 / 11.0(1.21006.1)"; if (!fix_display) audit(AUDIT_INST_VER_NOT_VULN, app_name, ver_display); order = make_list('Cisco bug ID', 'Installed release', 'Fixed release'); report = make_array( order[0], "CSCuv39370", order[1], ver_display, order[2], fix_display ); report = report_items_str(report_items:report, ordered_fields:order); security_report_v4(extra:report, port:0, severity:SECURITY_HOLE);
References
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-sip
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-sip
- http://www.securityfocus.com/bid/85372
- http://www.securityfocus.com/bid/85372
- http://www.securitytracker.com/id/1035420
- http://www.securitytracker.com/id/1035420
- http://www.securitytracker.com/id/1035421
- http://www.securitytracker.com/id/1035421