Vulnerabilities > CVE-2016-1426 - Resource Management Errors vulnerability in Cisco IOS XR

#TRUSTED 3f18b95c27494e8963653ec4f087279a57395a34c941359147c00da5336736d1d3045101e83c141b8bcd66481ccaeb64e81c95a6a67cc92e286286e5963b9feb1e4194248c7bec3534c1883aa89bafe3a983638358e2b07d12196a5e14771abaebafc393df23562fe8c661ac72302b249c201f386da0b8109081b59dedab2ee238d846e6e5b41f999159925a5545bdc9b569cd5f2c7a795b138e050b7e9ec43d772acf825722d85640023a292efa54cdb0d1b7741131aec0ebbdfebc54f735f1f873c33b921e50a9369d556532ea14242219eeb2d85af9592dcd2b68c4c324e7ecbab4e47ed22b6f7c142b529ec0997f196c6efa6604a4afdfc090901cf506192d3377f425ddcc5b31e66bfe4766e522e0a99bd132797fa90055db598b3ce9832aa28a4ebe1d8491f7e915d895c24b6b7fdb52aec7001e27ac4ab48048ac836d0208ed71bd5889197ab84fe325c8a5686ba00ae41f41170e479792cc0af3f71addabd1780ada9ab828ac2588e9e268d6433b1fb0d0884afde2066e1992a355f3606adb57b66bb6c18ff52143faab46d1856bdff95abb67195062ffdaff5090a38c948ca53c4c6b9de7ffd73ffbdaab0774eed696100fa3d75f023122122dd106e244c7ba3d933f94a42eb6ff5de451b69a4eb48ed7074ac5f1b8db655444d0da4eee9d72fdcc32ea0017007c3682fea97e66cd0a43bb5fcae7d241edb6fd48c6
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(93563);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/14");

  script_cve_id("CVE-2016-1426");
  script_bugtraq_id(91748);
  script_xref(name:"CISCO-SA", value:"cisco-sa-20160713-ncs6k");
  script_xref(name:"CISCO-BUG-ID", value:"CSCux76819");

  script_name(english:"Cisco IOS XR NCS 6000 Packet Timer Leak DoS (cisco-sa-20160713-ncs6k)");
  script_summary(english:"Checks the IOS XR version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The version of Cisco IOS XR running on the remote NCS 6000 device is
affected by a denial of service vulnerability due to improper
management of system timer resources. An unauthenticated, remote
attacker can exploit this, via numerous management connections to the
affected device, to consume resources, resulting in a nonoperational
state and eventual reload of the Route Processor.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160713-ncs6k
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?87b0a91e");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux76819");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco advisory
cisco-sa-20160713-ncs6k.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/07/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xr_version.nasl");
  script_require_keys("Host/Cisco/IOS-XR/Version");
  script_require_ports("CISCO/model", "Host/Cisco/IOS-XR/Model");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

version  = get_kb_item_or_exit("Host/Cisco/IOS-XR/Version");
model = get_kb_item("CISCO/model");
if (model)
{
  if (model !~ "^cisco([Nn]cs|NCS)-?(600[08]|6k)")
    audit(AUDIT_HOST_NOT, "an affected model");
}
else
{
  model = get_kb_item_or_exit("Host/Cisco/IOS-XR/Model");
  if ("NCS6K"    >!< model &&
      "NCS6008"  >!< model &&
      "NCS-6000" >!< model &&
      "NCS-6008" >!< model
     )
    audit(AUDIT_HOST_NOT, "an affected model");
}

# Affected versions include :
#  - 5.0.0-5.0.1
#  - 5.1.0-5.1.3
#  - 5.2.0-5.2.5
if (version !~ "^5\.(0\.[01]|1\.[0-3]|2\.[0-5])([^0-9]|$)")
  audit(AUDIT_INST_VER_NOT_VULN, 'Cisco IOS XR', version);

missing_pie  = '';

# Cisco SMUs per version (where available)
pies = make_array(
  '5.0.1', 'ncs6k-5.0.1.CSCux76819',
  '5.2.1', 'ncs6k-5.2.1.CSCux76819',
  '5.2.3', 'ncs6k-5.2.3.CSCux76819',
  '5.2.4', 'ncs6k-5.2.4.CSCux76819',
  '5.2.5', 'ncs6k-5.2.5.CSCux76819'
);

if (get_kb_item("Host/local_checks_enabled"))
{
  # Check for patches; only specific versions
  if (!isnull(pies[version]))
  {
    buf = cisco_command_kb_item("Host/Cisco/Config/show_install_package_all", "show install package all");
    if (check_cisco_result(buf))
    {
      if (pies[version] >!< buf)
        missing_pie = pies[version];
      else audit(AUDIT_HOST_NOT, "affected because patch "+pies[version]+" is installed");
    }
    else if (cisco_needs_enable(buf)) override = TRUE;
  }

  # Check if SSH, SCP, or SFTP is configured for management access
  buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config", "show running-config");
  if (check_cisco_result(buf))
  {
    if ("ssh server v2" >!< buf)
      audit(AUDIT_HOST_NOT, "affected because SSH / SCP / and SFTP are not enabled for management access");
  }
  else if (cisco_needs_enable(buf)) override = TRUE;
}

security_report_cisco(
  port     : 0,
  severity : SECURITY_HOLE,
  override : override,
  version  : version,
  bug_id   : 'CSCux76819',
  cmds     : make_list('show running-config'),
  pie      : missing_pie
);