Vulnerabilities > CVE-2016-6378 - Resource Management Errors vulnerability in Cisco IOS XE

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
cisco
CWE-399
nessus
NVD
Published: 2016-10-05
Updated: 2017-07-30

Summary

Cisco IOS XE 3.1 through 3.17 and 16.1 through 16.2 allows remote attackers to cause a denial of service (device reload) via crafted ICMP packets that require NAT, aka Bug ID CSCuw85853.

Vulnerable Configurations

Part Description Count
OS
Cisco
83

Common Weakness Enumeration (CWE)

Nessus

NASL familyCISCO
NASL idCISCO-SA-20160928-ESP-NAT.NASL
descriptionAccording to its self-reported version, Cisco IOS XE Software is affected by a denial of service (DoS) vulnerability in the implementation of Network Address Translation (NAT) functionality due to improper handling of malformed ICMP packets by the affected software. An unauthenticated, remote attacker could exploit this, via sending crafted ICMP packets that require NAT processing by an affected device, to cause the device to reload repeatedly. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application
last seen2020-06-01
modified2020-06-02
plugin id130763
published2019-11-12
reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/130763
titleCisco IOS XE Software NAT DoS (cisco-sa-20160928-esp-nat)
code
#TRUSTED 9557211a43807d94ca3d0d1bf31c55642215dee71a38d17987730c00040c60cdf05a60575d150d0ab04045ae2fab7d3d50c482143468ebbe2ec5d24dd5a0866ce13030dc3767086882666cf5c5fcfb161851e73eed75c842dc58914af1fe734b835e3db7190146b2ace4fb1cd7be7958adeb4ccc05e0427df511c1d8e081a41484ad99b4f803e147e248aa12bd78e86c8c01d8e5a1c95bfaa7bbae093295607428f98adbc560dfb9498c6314770fc609a2d54a6e47ca1facbc77f16c3b763c7f8b3e07bbda9b34709d64ef2dddee2b69f6be87cd9de2cf8d0279c5590cbb9d5e91fbed2430485a49a2cd3baa8cc46450dd2ae63e17425e8f24cfcd460c7686bb51b1d5bad52bf4f5a6234968307bb990202b5a523e5b03ff89fabb57093133ade3674b4e56af3f308e82f50aac925b68cda5b5485205c0ff12b619609a377ae0c2e12b1440d1be634ba904648c055e2925e99f940748f61e12282ad673c6cddb8810884c0d2ef2dc6d35a2517d5c815779136138012d6a3d98c2533e24021672b1e92656b8d75c558172193e7a5d1ea3caf4d05ed0072e7afdb2edd9a7a997dca7fbc72ee4791cb7feddfca87e349c56798aea7e60547c8d8441b2bef2da9bc181a88847a276d1711e39c0f1018f3d8e3498f7cc7d8dbeb0c6e2a153a40084483e14a7d6b84b979a96d1647e81dd04f711724b5f743b84b746286470369d1fb7
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(130763);
  script_version("1.4");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id("CVE-2016-6378");
  script_bugtraq_id(93200);
  script_xref(name:"CISCO-BUG-ID", value:"CSCuw85853");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20160928-esp-nat");

  script_name(english:"Cisco IOS XE Software NAT DoS (cisco-sa-20160928-esp-nat)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected by a denial of service (DoS) vulnerability in
the implementation of Network Address Translation (NAT) functionality due to improper handling of malformed ICMP
packets by the affected software. An unauthenticated, remote attacker could exploit this, via sending crafted ICMP
packets that require NAT processing by an affected device, to cause the device to reload repeatedly.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-esp-nat
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4c3c8ff3");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw85853");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCuw85853");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6378");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/09/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco IOS XE Software');

version_list=make_list(
  '3.7.0S',
  '3.7.1S',
  '3.7.2S',
  '3.7.3S',
  '3.7.4S',
  '3.7.5S',
  '3.7.6S',
  '3.7.7S',
  '3.7.8S',
  '3.7.4aS',
  '3.7.2tS',
  '3.7.0bS',
  '3.8.0S',
  '3.8.1S',
  '3.8.2S',
  '3.9.1S',
  '3.9.0S',
  '3.9.2S',
  '3.9.1aS',
  '3.9.0aS',
  '3.10.0S',
  '3.10.1S',
  '3.10.2S',
  '3.10.3S',
  '3.10.4S',
  '3.10.5S',
  '3.10.6S',
  '3.10.2aS',
  '3.10.2tS',
  '3.11.1S',
  '3.11.2S',
  '3.11.0S',
  '3.11.3S',
  '3.11.4S',
  '3.12.0S',
  '3.12.1S',
  '3.12.2S',
  '3.12.3S',
  '3.12.0aS',
  '3.12.4S',
  '3.13.0S',
  '3.13.1S',
  '3.13.2S',
  '3.13.3S',
  '3.13.4S',
  '3.13.2aS',
  '3.13.0aS',
  '3.14.0S',
  '3.14.1S',
  '3.14.2S',
  '3.14.3S',
  '3.14.4S',
  '3.15.0S',
  '3.15.1S',
  '3.15.2S',
  '3.15.1xbS',
  '3.15.1cS',
  '3.15.2xbS',
  '3.15.3S',
  '3.16.0S',
  '3.16.1S',
  '3.16.0aS',
  '3.16.1aS',
  '3.16.0bS',
  '3.16.0cS',
  '3.17.0S',
  '16.1.1',
  '16.1.2',
  '16.1.3',
  '16.2.1',
  '16.5.1'
);

workarounds = make_list(CISCO_WORKAROUNDS['nat']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_HOLE,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCuw85853',
  'cmds'     , make_list('show running-config')
);

cisco::check_and_report(
    product_info:product_info,
    workarounds:workarounds,
    workaround_params:workaround_params,
    reporting:reporting,
    vuln_versions:version_list);

References