Vulnerabilities > CVE-2016-1459 - Resource Management Errors vulnerability in Cisco IOS and IOS XE

CVSS 4.9 - MEDIUM

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

SINGLE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

COMPLETE

network

high complexity

cisco

CWE-399

nessus

NVD

Published: 2016-07-17

Updated: 2017-09-01

Summary

Cisco IOS 12.4 and 15.0 through 15.5 and IOS XE 3.13 through 3.17 allow remote authenticated users to cause a denial of service (device reload) via crafted attributes in a BGP message, aka Bug ID CSCuz21061.

Vulnerable Configurations

Part	Description	Count
OS	Cisco Cisco IOS 12.4\(4\)Xc7 Cisco IOS 12.4\(15\)T17 Cisco IOS 12.4\(19A\) Cisco IOS 12.4\(22\)Yb2 Cisco IOS 12.4\(24\)Gc4 Cisco IOS 12.4\(24\)Gc5 Cisco IOS 15.0\(1\)Ex Cisco IOS 15.0\(1\)M Cisco IOS 15.0\(1\)M9 Cisco IOS 15.0\(1\)M10 Cisco IOS 15.0\(1\)S Cisco IOS 15.0\(1\)Sy Cisco IOS 15.0\(2\)Sg Cisco IOS 15.1\(3\)T4 Cisco IOS 15.1\(4\)Gc2 Cisco IOS 15.1\(4\)M10 Cisco IOS 15.2\(3\)T4 Cisco IOS 15.2\(4\)Gc3 Cisco IOS 15.2\(4\)M10 Cisco IOS 15.3\(2\)T4 Cisco IOS 15.3\(3\)M Cisco IOS 15.3\(3\)M7 Cisco IOS 15.4\(2\)T4 Cisco IOS 15.4\(3\)M5 Cisco IOS 15.5\(2\)T3 Cisco IOS 15.5\(3\)M3 Cisco IOS XE 3.13.2S Cisco IOS XE 3.13.3S Cisco IOS XE 3.13.4S Cisco IOS XE 3.13.5S Cisco IOS XE 3.14.0S Cisco IOS XE 3.14.1S Cisco IOS XE 3.14.2S Cisco IOS XE 3.14.3S Cisco IOS XE 3.14.4S Cisco IOS XE 3.15.1Cs Cisco IOS XE 3.15.2S Cisco IOS XE 3.15.3S Cisco IOS XE 3.16.0Cs Cisco IOS XE 3.16.1As Cisco IOS XE 3.16.2S Cisco IOS XE 3.16.3S Cisco IOS XE 3.17.0S Cisco IOS XE 3.17.1S Cisco IOS XE 3.17.2S	45

Common Weakness Enumeration (CWE)

CWE-399 - Resource Management Errors

Nessus

NASL family	CISCO
NASL id	CISCO-SA-20160715-BGP-IOSXE.NASL
description	The Cisco IOS XE Software running on the remote device is missing a security patch. It is, therefore, affected by a denial of service vulnerability in the Border Gateway Protocol (BGP) message processing functions due to improper processing of BGP attributes. An authenticated, remote attacker can exploit this, via specially crafted BGP messages under certain unspecified conditions, to cause the affected device to reload. Note that Nessus has not tested for the presence of the workarounds referenced in the vendor advisory.
last seen	2020-06-01
modified	2020-06-02
plugin id	93123
published	2016-08-26
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/93123
title	Cisco IOS XE Software Border Gateway Protocol Message Processing DoS (cisco-sa-20160715-bgp)
code	#TRUSTED 53c229a78bd2158715b4b4536fd1d072518d875b6e427f404218e5937b53a74125123cb2765799f3f33924d23482b44f79863ad97bc236d1c468a2b0284b8e27545dfdf9b2fe43f4a8a9f44ae4c4dd8f391f20e83a3d8c0fc25a987ee69ef3df7f9185cf9273bdcefd765ec26c19d52e7b60f140c089b7a637ea2c87669e401fe04a23b13ff77dfd1ea8ab8de7f6b5b9617e49e9869dfadcb25b3461ba01af4754f62511ce89e949274f50d428cae62170fa306344e7f2bc97fc513bd001730458fc7bb048c1bb840e2de09f9e93c410e3fd72e893cf08743073f112d5122b3f9d810dcde4500ce3a99c526052c2de4e08e4007a557cc30b232063690fe7eafa26ab6273c943e80251cc960a7ad26fd5f042cdbf801732f95d207c80fc02a6d9f12933ab3b7cce9c74fa7cdba52d7c83881b1172091a362a8d30fbb61cd9eeb9eeceac512aafaafbe67cafd5d827a2fc2e12e47c76810b0f8592e77bb9d848d24b5710b488fd789480edcb5ef7a2696f07f51b9b3bdfef9b71e6659374dc1fcd625815e214f298d1f9955e730eb3437e946f94771f78292419a72a01f2f704dd28483567deee35b79a02600b5c5210360dac29bc36c19b75a6ef7d1fa809a7e8805ec26c884e6f77d87e789c4f53090afb17421b6f7457a0eb8fb77d1305289892f950f9d4f165d5e04287a8ff2de625d4dd00c0519997aecebfb9ac7efcd496 # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(93123); script_version("1.6"); script_cvs_date("Date: 2019/11/14"); script_cve_id("CVE-2016-1459"); script_bugtraq_id(91800); script_xref(name:"CISCO-BUG-ID", value:"CSCuz21061"); script_xref(name:"CISCO-SA", value:"cisco-sa-20160715-bgp"); script_name(english:"Cisco IOS XE Software Border Gateway Protocol Message Processing DoS (cisco-sa-20160715-bgp)"); script_summary(english:"Checks the IOS XE version."); script_set_attribute(attribute:"synopsis", value: "The remote device is missing a vendor-supplied security patch."); script_set_attribute(attribute:"description", value: "The Cisco IOS XE Software running on the remote device is missing a security patch. It is, therefore, affected by a denial of service vulnerability in the Border Gateway Protocol (BGP) message processing functions due to improper processing of BGP attributes. An authenticated, remote attacker can exploit this, via specially crafted BGP messages under certain unspecified conditions, to cause the affected device to reload. Note that Nessus has not tested for the presence of the workarounds referenced in the vendor advisory."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160715-bgp script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?94ed1c7e"); script_set_attribute(attribute:"solution", value: "Apply the relevant patch referenced in Cisco Security Advisory cisco-sa-20160715-bgp. Alternatively, set a 'maxpath-limit' value for BGP MIBs or suppress the use of BGP MIBs."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:S/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/15"); script_set_attribute(attribute:"patch_publication_date", value:"2016/07/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/26"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("cisco_ios_xe_version.nasl"); script_require_keys("Host/Cisco/IOS-XE/Version"); exit(0); } include("audit.inc"); include("cisco_func.inc"); include("cisco_kb_cmd_func.inc"); app_name = "Cisco IOS-XE"; version = get_kb_item_or_exit("Host/Cisco/IOS-XE/Version"); if ( version != "Cisco IOS XE Software 3.13S 3.13.5S" && version != "Cisco IOS XE Software 3.13S 3.13.2S" && version != "Cisco IOS XE Software 3.13S 3.13.3S" && version != "Cisco IOS XE Software 3.13S 3.13.4S" && version != "Cisco IOS XE Software 3.14S 3.14.0S" && version != "Cisco IOS XE Software 3.14S 3.14.1S" && version != "Cisco IOS XE Software 3.14S 3.14.2S" && version != "Cisco IOS XE Software 3.14S 3.14.3S" && version != "Cisco IOS XE Software 3.14S 3.14.4S" && version != "Cisco IOS XE Software 3.15S 3.15.1cS" && version != "Cisco IOS XE Software 3.15S 3.15.3S" && version != "Cisco IOS XE Software 3.15S 3.15.2S" && version != "Cisco IOS XE Software 3.17S 3.17.0S" && version != "Cisco IOS XE Software 3.17S 3.17.2S" && version != "Cisco IOS XE Software 3.17S 3.17.1S" && version != "Cisco IOS XE Software 3.16S 3.16.3S" && version != "Cisco IOS XE Software 3.16S 3.16.0cS" && version != "Cisco IOS XE Software 3.16S 3.16.1aS" && version != "Cisco IOS XE Software 3.16S 3.16.2S" ) audit(AUDIT_INST_VER_NOT_VULN, app_name, version); # We don't check for workarounds, so only flag if paranoid if (report_paranoia < 2) audit(AUDIT_PARANOID); ## If the target does not have BGP active, exit caveat = ''; # Since cisco_ios_version.nasl removes "Host/local_checks_enabled" when report_paranoia > 1, # we will try to run the command without checking for local checks; a failure will return NULL buf = cisco_command_kb_item("Host/Cisco/Config/show_ip_bgp", "show ip bgp", 0); # check_cisco_result() would cause false positives on devices that do not support BGP, # so we are only looking for authorization-related error messages or NULL if ( ("% This command is not authorized" >< buf) \|\| ("ERROR: Command authorization failed" >< buf) \|\| empty_or_null(buf) ) caveat = cisco_caveat(); else if (!preg(pattern:"BGP table version", multiline:TRUE, string:buf)) audit(AUDIT_HOST_NOT, "affected because BGP is not active"); if (report_verbosity > 0) { report = '\n Cisco bug ID : CSCuz21061' + '\n Installed release : ' + version + '\n Fixed release : ' + report_fixed_version + '\n'; security_warning(port:0, extra:report + caveat); } else security_warning(port:0, extra:caveat);

NASL family	CISCO
NASL id	CISCO-SA-20160715-BGP-IOS.NASL
description	The Cisco IOS Software running on the remote device is missing a security patch. It is, therefore, affected by a denial of service vulnerability in the Border Gateway Protocol (BGP) message processing functions due to improper processing of BGP attributes. An authenticated, remote attacker can exploit this, via specially crafted BGP messages under certain unspecified conditions, to cause the affected device to reload. Note that Nessus has not tested for the presence of the workarounds referenced in the vendor advisory.
last seen	2020-06-01
modified	2020-06-02
plugin id	93122
published	2016-08-26
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/93122
title	Cisco IOS Software Border Gateway Protocol Message Processing DoS (cisco-sa-20160715-bgp)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

References