Vulnerabilities > CVE-2016-6376 - Resource Management Errors vulnerability in Cisco products

047910
CVSS 6.5 - MEDIUM
Attack vector
ADJACENT_NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
low complexity
cisco
CWE-399
nessus

Summary

The Adaptive Wireless Intrusion Prevention System (wIPS) feature on Cisco Wireless LAN Controller (WLC) devices before 8.0.140.0, 8.1.x and 8.2.x before 8.2.121.0, and 8.3.x before 8.3.102.0 allows remote attackers to cause a denial of service (device restart) via a malformed wIPS packet, aka Bug ID CSCuz40263.

Vulnerable Configurations

Part Description Count
Application
Cisco
95

Common Weakness Enumeration (CWE)

Nessus

NASL familyCISCO
NASL idCISCO-SA-20160831-WLC.NASL
descriptionAccording to its self-reported version, the remote Cisco Wireless LAN Controller (WLC) device is affected by multiple vulnerabilities : - A denial of service vulnerability exists in the traffic streams metrics (TSM) implementation using Inter-Access Point Protocol (IAPP). An unauthenticated, adjacent attacker can exploit this to cause a device restart by sending specially crafted IAPP packets which are subsequently followed by an SNMP request for TSM information. (CVE-2016-6375) - A denial of service vulnerability exists in the Cisco Adaptive Wireless Intrusion Prevention System (wIPS) implementation due to improper validation of wIPS packets. An unauthenticated, adjacent attacker can exploit this, via specially crafted wIPS packets, to cause the device to restart. (CVE-2016-6376)
last seen2020-06-01
modified2020-06-02
plugin id94108
published2016-10-18
reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/94108
titleCisco Wireless LAN Controller Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(94108);
  script_version("1.8");
  script_cvs_date("Date: 2018/07/06 11:26:05");

  script_cve_id(
    "CVE-2016-6375",
    "CVE-2016-6376"
  );
  script_bugtraq_id(
    92712,
    92716
  );
  script_xref(name:"CISCO-SA", value:"cisco-sa-20160831-wlc-1");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20160831-wlc-2");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuz40221");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuz40263");

  script_name(english:"Cisco Wireless LAN Controller Multiple Vulnerabilities");
  script_summary(english:"Checks the WLC version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing vendor-supplied security patches.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the remote Cisco Wireless LAN
Controller (WLC) device is affected by multiple vulnerabilities :

  - A denial of service vulnerability exists in the traffic
    streams metrics (TSM) implementation using Inter-Access
    Point Protocol (IAPP). An unauthenticated, adjacent
    attacker can exploit this to cause a device restart by
    sending specially crafted IAPP packets which are
    subsequently followed by an SNMP request for TSM
    information. (CVE-2016-6375)

  - A denial of service vulnerability exists in the Cisco
    Adaptive Wireless Intrusion Prevention System (wIPS)
    implementation due to improper validation of wIPS
    packets. An unauthenticated, adjacent attacker can
    exploit this, via specially crafted wIPS packets, to
    cause the device to restart. (CVE-2016-6376)");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160831-wlc-1
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?470657bf");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160831-wlc-2
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1a4df7fe");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patches referenced in Cisco bug ID CSCuz40221 and
CSCuz40263.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/08/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/18");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:wireless_lan_controller_software");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:wireless_lan_controller");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");

  script_dependencies("cisco_wlc_version.nasl");
  script_require_keys("Host/Cisco/WLC/Version");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");

version = get_kb_item_or_exit("Host/Cisco/WLC/Version");
device = "Cisco Wireless LAN Controller";
model = get_kb_item("Host/Cisco/WLC/Model");
if (!empty_or_null(model))
  device += " " + model;
fix = "";

# 6.x, 7.x, 8.0.x < 8.0.140.0
if (
  version =~ "^[67]\." ||
  version =~ "^8\.0($|[^\.0-9])" ||
  version =~ "^8\.0\.([0-9]|[0-9][0-9]|1[0-3][0-9])($|[^0-9])"
)
  fix = "Upgrade to 8.0(140.0) or later.";

# 8.1 or 8.2.x < 8.2.121.0
if (
  version =~ "^8\.[12]($|[^\.0-9])" ||
  version =~ "^8\.2\.([0-9]|[0-9][0-9]|1[01][0-9]|120)($|[^0-9])"
)
  fix = "Upgrade to 8.2(121.0) or later.";

# 8.3.x < 8.3.102.0
if (
  version =~ "^8\.3($|[^\.0-9])" ||
  version =~ "^8\.3\.([0-9]|[0-9][0-9]|10[01])($|[^0-9])"
)
  fix = "Upgrade to 8.3(102.0) or later.";

if (!fix) audit(AUDIT_DEVICE_NOT_VULN, device, version);

order = make_list("Device", "Installed version", "Fixed version");
report = make_array(
  order[0], device,
  order[1], version,
  order[2], fix
);
report = report_items_str(report_items:report, ordered_fields:order);

security_report_v4(port:0, severity:SECURITY_WARNING, extra:report);