Vulnerabilities > CVE-2016-1426 - Resource Management Errors vulnerability in Cisco IOS XR

047910
CVSS 7.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
low complexity
cisco
CWE-399
nessus

Summary

Cisco IOS XR 5.x through 5.2.5 on NCS 6000 devices allows remote attackers to cause a denial of service (timer consumption and Route Processor reload) via crafted SSH traffic, aka Bug ID CSCux76819.

Common Weakness Enumeration (CWE)

Nessus

NASL familyCISCO
NASL idCISCO-SA-20160713-NCS6K-IOSXR.NASL
descriptionThe version of Cisco IOS XR running on the remote NCS 6000 device is affected by a denial of service vulnerability due to improper management of system timer resources. An unauthenticated, remote attacker can exploit this, via numerous management connections to the affected device, to consume resources, resulting in a nonoperational state and eventual reload of the Route Processor.
last seen2020-06-01
modified2020-06-02
plugin id93563
published2016-09-16
reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/93563
titleCisco IOS XR NCS 6000 Packet Timer Leak DoS (cisco-sa-20160713-ncs6k)
code
#TRUSTED 3f18b95c27494e8963653ec4f087279a57395a34c941359147c00da5336736d1d3045101e83c141b8bcd66481ccaeb64e81c95a6a67cc92e286286e5963b9feb1e4194248c7bec3534c1883aa89bafe3a983638358e2b07d12196a5e14771abaebafc393df23562fe8c661ac72302b249c201f386da0b8109081b59dedab2ee238d846e6e5b41f999159925a5545bdc9b569cd5f2c7a795b138e050b7e9ec43d772acf825722d85640023a292efa54cdb0d1b7741131aec0ebbdfebc54f735f1f873c33b921e50a9369d556532ea14242219eeb2d85af9592dcd2b68c4c324e7ecbab4e47ed22b6f7c142b529ec0997f196c6efa6604a4afdfc090901cf506192d3377f425ddcc5b31e66bfe4766e522e0a99bd132797fa90055db598b3ce9832aa28a4ebe1d8491f7e915d895c24b6b7fdb52aec7001e27ac4ab48048ac836d0208ed71bd5889197ab84fe325c8a5686ba00ae41f41170e479792cc0af3f71addabd1780ada9ab828ac2588e9e268d6433b1fb0d0884afde2066e1992a355f3606adb57b66bb6c18ff52143faab46d1856bdff95abb67195062ffdaff5090a38c948ca53c4c6b9de7ffd73ffbdaab0774eed696100fa3d75f023122122dd106e244c7ba3d933f94a42eb6ff5de451b69a4eb48ed7074ac5f1b8db655444d0da4eee9d72fdcc32ea0017007c3682fea97e66cd0a43bb5fcae7d241edb6fd48c6
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(93563);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/14");

  script_cve_id("CVE-2016-1426");
  script_bugtraq_id(91748);
  script_xref(name:"CISCO-SA", value:"cisco-sa-20160713-ncs6k");
  script_xref(name:"CISCO-BUG-ID", value:"CSCux76819");

  script_name(english:"Cisco IOS XR NCS 6000 Packet Timer Leak DoS (cisco-sa-20160713-ncs6k)");
  script_summary(english:"Checks the IOS XR version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The version of Cisco IOS XR running on the remote NCS 6000 device is
affected by a denial of service vulnerability due to improper
management of system timer resources. An unauthenticated, remote
attacker can exploit this, via numerous management connections to the
affected device, to consume resources, resulting in a nonoperational
state and eventual reload of the Route Processor.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160713-ncs6k
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?87b0a91e");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux76819");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco advisory
cisco-sa-20160713-ncs6k.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/07/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xr_version.nasl");
  script_require_keys("Host/Cisco/IOS-XR/Version");
  script_require_ports("CISCO/model", "Host/Cisco/IOS-XR/Model");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

version  = get_kb_item_or_exit("Host/Cisco/IOS-XR/Version");
model = get_kb_item("CISCO/model");
if (model)
{
  if (model !~ "^cisco([Nn]cs|NCS)-?(600[08]|6k)")
    audit(AUDIT_HOST_NOT, "an affected model");
}
else
{
  model = get_kb_item_or_exit("Host/Cisco/IOS-XR/Model");
  if ("NCS6K"    >!< model &&
      "NCS6008"  >!< model &&
      "NCS-6000" >!< model &&
      "NCS-6008" >!< model
     )
    audit(AUDIT_HOST_NOT, "an affected model");
}

# Affected versions include :
#  - 5.0.0-5.0.1
#  - 5.1.0-5.1.3
#  - 5.2.0-5.2.5
if (version !~ "^5\.(0\.[01]|1\.[0-3]|2\.[0-5])([^0-9]|$)")
  audit(AUDIT_INST_VER_NOT_VULN, 'Cisco IOS XR', version);

missing_pie  = '';

# Cisco SMUs per version (where available)
pies = make_array(
  '5.0.1', 'ncs6k-5.0.1.CSCux76819',
  '5.2.1', 'ncs6k-5.2.1.CSCux76819',
  '5.2.3', 'ncs6k-5.2.3.CSCux76819',
  '5.2.4', 'ncs6k-5.2.4.CSCux76819',
  '5.2.5', 'ncs6k-5.2.5.CSCux76819'
);

if (get_kb_item("Host/local_checks_enabled"))
{
  # Check for patches; only specific versions
  if (!isnull(pies[version]))
  {
    buf = cisco_command_kb_item("Host/Cisco/Config/show_install_package_all", "show install package all");
    if (check_cisco_result(buf))
    {
      if (pies[version] >!< buf)
        missing_pie = pies[version];
      else audit(AUDIT_HOST_NOT, "affected because patch "+pies[version]+" is installed");
    }
    else if (cisco_needs_enable(buf)) override = TRUE;
  }

  # Check if SSH, SCP, or SFTP is configured for management access
  buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config", "show running-config");
  if (check_cisco_result(buf))
  {
    if ("ssh server v2" >!< buf)
      audit(AUDIT_HOST_NOT, "affected because SSH / SCP / and SFTP are not enabled for management access");
  }
  else if (cisco_needs_enable(buf)) override = TRUE;
}

security_report_cisco(
  port     : 0,
  severity : SECURITY_HOLE,
  override : override,
  version  : version,
  bug_id   : 'CSCux76819',
  cmds     : make_list('show running-config'),
  pie      : missing_pie
);