Vulnerabilities > CVE-2017-12234 - Unspecified vulnerability in Cisco IOS

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
network
low complexity
cisco
nessus

Summary

Multiple vulnerabilities in the implementation of the Common Industrial Protocol (CIP) feature in Cisco IOS 12.4 through 15.6 could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerabilities are due to the improper parsing of crafted CIP packets destined to an affected device. An attacker could exploit these vulnerabilities by sending crafted CIP packets to be processed by an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. Cisco Bug IDs: CSCvc43709.

Vulnerable Configurations

Part | Description | Count
OS | Cisco | 1841
Hardware | Cisco | 54

Nessus

NASL family: CISCO
NASL id: CISCO-SA-20170927-CIP.NASL
description: According to its self-reported version and configuration, the Cisco IOS software running on the remote device is affected by multiple denial of service vulnerabilities in the Common Industrial Protocol (CIP) feature due to improper processing of unusual but valid CIP requests. An unauthenticated, remote attacker can exploit this, via specially crafted CIP requests, to cause the switch to stop processing traffic, requiring a device restart to regain functionality.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 103668
published: 2017-10-05
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/103668
title: Cisco IOS Software CIP Multiple Vulnerabilities (cisco-sa-20170927-cip)
code
#TRUSTED 56cfca5818933788f892efcb7dfc440c04d02f7b8eaa71ec50a9f36965ff4347542529931e7de3f21d3aac4707658aa51d956f6afb4fb270a3e162e68fd9e5a7f32f4aa6a5f83d3b3bd145395969b15ccc78ba45bb7b34749e726e69f67b66382b76781012a64554572f5705645182eab63238ab2f34e0945b707b2eabb48667aa256ce01fedf0104f7db915841ce5393568f3907b9823334f9152cc407de6df252effaba9369207387afd728d1c0645e80939678d67e3f953ab61ee29ceb0d1f2ec2a1f12b882fa4d7b0000817a16f174ef8941d7030f871bc92d7ca624e99c7f659facf0cf26bcdafa9f22fe68d7f412522702dc332065cfd3abcf8ce9446f23b36c94f847b89bc1bb37e346d5f53566b69e81ad0ee44d14ecf7eae7d000738245d50be558a904f61ecaf3b663e34e79ea2f54d6e43d1d3dcc5b784bb8036e5230bcb3713d0d66d3ad04d068a199f2b8ce3cee5bf6728150a6c61052e05945f10640d308a3da9566aacddb915911a28b70d69418bbad9666056615f83ec4becf0848a244d552099e8005edf199b410fd8dc9ec4595770ebcfc820b69d8042b8bcc4a330565b9e8925ed3d395d4abcfef54e79954c17551581c792da4e3bf98c3a84cb1b83da624c12962e0af01724bf20c1c060b7eb3aefa08159e8b0b4ff92adb3f68eddd4435c5e26e157fbd4b6f93e44e281c707cda68a5a18d8b34b9a5
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration block: executed only when `description` is set. It declares the
# plugin's identifiers, references, scoring and prerequisites, then exits
# before any of the check logic further down is reached.
if (description)
{
  script_id(103668);
  script_version("1.8");
  script_cvs_date("Date: 2019/11/12");

  # One plugin covers both CVEs and both Cisco bug IDs of advisory
  # cisco-sa-20170927-cip.
  script_cve_id("CVE-2017-12233", "CVE-2017-12234");
  script_bugtraq_id(101038);
  script_xref(name:"CISCO-BUG-ID", value:"CSCuz95334");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvc43709");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170927-cip");

  script_name(english:"Cisco IOS Software CIP Multiple Vulnerabilities (cisco-sa-20170927-cip)");
  script_summary(english:"Checks the IOS version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version and configuration, the Cisco
IOS software running on the remote device is affected by multiple
denial of service vulnerabilities in the Common Industrial Protocol
(CIP) feature due to improper processing of unusual but valid CIP
requests. An unauthenticated, remote attacker can exploit this, via
specially crafted CIP requests, to cause the switch to stop processing
traffic, requiring a device restart to regain functionality.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-cip
  # NOTE(review): the see_also value is a shortened http:// link; presumably it
  # redirects to the advisory URL in the comment above - confirm.
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8057e067");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs
CSCuz95334 and CSCvc43709.");
  # Base vectors describe an availability-only impact reachable over the
  # network with low complexity and no authentication (A:C in CVSS2, A:H in
  # CVSS3). Temporal vectors record no known exploit (E:U) and an official fix.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/09/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/05");

  # Declared as a local check: the logic below works from the collected
  # version string and configuration output, not from probing the CIP service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisite: the IOS version KB key, presumably populated by
  # cisco_ios_version.nasl.
  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version");

  # Registration ends here; nothing below runs in description mode.
  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

# Self-reported IOS release recorded in the knowledge base. As its name
# indicates, get_kb_item_or_exit() ends the plugin when the key is missing.
ver = get_kb_item_or_exit("Host/Cisco/IOS/Version");

# override: raised when the configuration check could not be completed.
# flag:     raised when the host is to be reported as affected.
override = 0;
flag = 0;

# Affected IOS releases (12.4 through 15.6 trains). The check below compares
# these as exact strings against the self-reported version, so a release that
# is not spelled out here is audited as not vulnerable.
# NOTE(review): the list is static; compare it with the current vendor
# advisory before relying on a "not vulnerable" result.
vuln_versions = make_list(
  '15.2(2)EB',
  '15.2(1)EY1',
  '12.4(25e)JAO3a',
  '12.4(25e)JAO20s',
  '15.3(3)JN',
  '15.1(4)M11',
  '15.3(3)SA',
  '15.2(2)E3',
  '12.4(25e)JAP3',
  '12.4(25e)JAO5m',
  '15.1(4)M12',
  '15.2(2)EA1',
  '15.2(2)EA2',
  '15.2(3)EA',
  '15.2(3)EA1',
  '15.2(1)EY2',
  '15.2(2)JA3',
  '15.2(4)JB8',
  '15.3(3)JAX3',
  '15.3(3)JN5',
  '15.4(3)SN2',
  '15.5(2)SN0a',
  '15.2(2)EB1',
  '15.5(3)SN1',
  '15.3(3)JN6',
  '15.3(3)JBB3',
  '15.2(4)EA',
  '15.2(4)EA1',
  '12.4(25e)JAP1n',
  '15.3(3)JBB7',
  '15.3(3)JC30',
  '15.2(3)E2a',
  '15.3(3)JBB6a',
  '15.2(3)EX',
  '15.3(3)JPB',
  '15.2(2)EA3',
  '15.2(2)EB2',
  '15.2(5)E',
  '15.3(3)JNP2',
  '15.6(2)S0a',
  '15.2(4)EA3',
  '15.6(1)S1a',
  '12.4(25e)JAP9',
  '15.2(4)EC',
  '15.1(2)SG7a',
  '15.3(3)JC50',
  '15.3(3)JC51',
  '15.6(2)S2',
  '15.3(3)JN10',
  '15.2(4)EB',
  '15.2(5)EA',
  '15.2(4)EA4',
  '15.2(4)EC1',
  '15.2(4)EA2',
  '15.3(3)JPB2',
  '15.2(4)EA5',
  '15.2(2)E5b',
  '15.2(4)EC2',
  '15.2(5a)E1',
  '15.6(2)SP1b',
  '15.6(2)SP1c',
  '15.2(4a)EA5',
  '15.3(3)JPC3',
  '15.3(3)JDA3',
  '15.3(3)JNC4',
  '15.4(3)M7a',
  '15.6(2)S3',
  '15.3(3)JC7',
  '15.6(2)SP2a',
  '15.3(3)JND2',
  '15.3(3)JCA7',
  '15.0(2)SQD7',
  '15.2(5)E2a',
  '15.2(5)E2b',
  '15.3(3)JE1',
  '15.3(3)JN12'
);

# Stage 1: exact-string lookup of the self-reported release in the affected
# list. The first hit raises flag and ends the scan of the list.
foreach version (vuln_versions)
{
  if (version != ver) continue;

  flag++;
  break;
}

# Stage 2: for a matching release, confirm from the running configuration that
# CIP is enabled. This stage runs only when local checks are enabled; without
# them the version match alone leaves flag raised and the host is reported.
if (flag && get_kb_item("Host/local_checks_enabled"))
{
  # Start again from "not affected"; only the outcomes below raise flag.
  flag = 0;
  buf = cisco_command_kb_item("Host/Cisco/Config/show_run_|_include_cip",
                              "show run | include cip");

  if (!check_cisco_result(buf))
  {
    # Output unusable. If it is because enable access is needed, report anyway
    # and raise override so the report call receives that state. Any other
    # failure leaves flag at 0, so the host is audited as not vulnerable.
    if (cisco_needs_enable(buf))
    {
      flag++;
      override++;
    }
  }
  # NOTE(review): the pattern is unanchored, so any returned line containing
  # "cip enable" (for example "no cip enable" or a description) also matches;
  # consider anchoring it to the start of the line.
  else if (preg(string:buf, pattern:"cip enable", multiline:TRUE))
    flag++;
}

# Final verdict: with flag clear the host is audited as not vulnerable;
# otherwise a finding is raised that carries the version, both bug IDs, the
# commands involved and the override state.
if (!flag)
  audit(AUDIT_INST_VER_NOT_VULN, "Cisco IOS software", ver);
else
{
  security_report_cisco(
    version  : ver,
    bug_id   : 'CSCuz95334 and CSCvc43709',
    severity : SECURITY_HOLE,
    port     : 0,
    override : override,
    cmds     : make_list('show running-config', 'show run | include cip')
  );
}