Vulnerabilities > CVE-2017-3876 - Denial of Service vulnerability in Cisco IOS XR Software

047910
CVSS 7.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
low complexity
cisco
nessus

Summary

A vulnerability in the Event Management Service daemon (emsd) of Cisco IOS XR routers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected device. The vulnerability is due to improper handling of gRPC requests. An attacker could exploit this vulnerability by repeatedly sending unauthenticated gRPC requests to the affected device. A successful exploit could allow the attacker to crash the device in such a manner that manual intervention is required to recover. This vulnerability affects all Cisco IOS XR platforms that are running release 6.1.1 of Cisco IOS XR Software when the gRPC service is enabled on the device. The gRPC service is not enabled by default. Cisco Bug IDs: CSCvb14441.

Vulnerable Configurations

Part Description Count
OS
Cisco
2

Nessus

NASL family: CISCO
NASL id: CISCO-SA-20170503-IOSXR.NASL
description: According to its self-reported version and configuration, the Cisco IOS XR software running on the remote device is affected by a denial of service vulnerability in the Event Management Service daemon (emsd) due to improper handling of gRPC requests. An unauthenticated, remote attacker can exploit this, by repeatedly sending unauthenticated gRPC requests, to crash the device in such a manner that manual intervention is required to recover.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 99981
published: 2017-05-04
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/99981
title: Cisco IOS XR Software Event Management Service gRPC Handling DoS (cisco-sa-20170503-ios-xr)
code
#TRUSTED 89fe20359858a8033bd427599dea6d08ee93f4328625016f2a5ec4e924fd870eca2bd721b7d1bf7c7da809a67542cd4b472a7e5a0df67f41581f40257245145d72462b582e3790737bd29ed1d73b2cd81f82226d6c875b845444335feedaffae19b7f8ea5a2d68ad1711365bc53494b3c9acc44366c6644f9eb3f03bfa173ee0ed133df75e3dc3892a2088e989160b424f3269cec0ee137465c81a3647beb6aea70ca8c832171e935415d979fdb7972d645295475f98f2b133e11afb60bed54cceefed2eae4da9ebd62ae453869493b92f501484c012eb1c93572795fa53fb82a282832deb57c7864856434053c3d486d6920f407092822a9d728b14daf6f5e12cd4daa16a001fa48ac6ed329ddaa58bd45f4b47284fd3b6c522e950ca215060c2f446fe0cbba8ba30b3089fbd9bcf1babe41e5e06fcb9d031e26781efc3d5c350c7431533bd291bfd203618861033ca48aede742818aa3d285a505fafcd4233eca9a22efba16499a07450cbb574943d3322f0596a0d1dd624f4934eb9b21328860c0ad4a7106cad222e99f2d3427a7559ce66da7c9e598cb2f72766acf2c71b8d529c649c7543341cbfe55c8a3ba1c3ff6932f8bcfacee2609402c89d23e8e887750d4013884690308b81451c6f59e17ad9d9dc7e47214594f9622312641f824c7edffcf2a3c6b476655f05e2eb2a7d9309cdbaa72691c9c8cf3ba912696167
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin metadata. This block runs only when `description` is set: it
# registers the plugin's identifiers, report text, scoring and dependencies,
# then calls exit(0) so none of the detection code further down is reached.
if (description)
{
  script_id(99981);
  script_version("1.11");
  script_cvs_date("Date: 2019/11/13");

  # Cross-references: CVE, Bugtraq ID, Cisco bug ID and Cisco advisory ID.
  script_cve_id("CVE-2017-3876");
  script_bugtraq_id(98284);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvb14441");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170503-ios-xr");

  script_name(english:"Cisco IOS XR Software Event Management Service gRPC Handling DoS (cisco-sa-20170503-ios-xr)");
  script_summary(english:"Checks the IOS XR version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version and configuration, the Cisco
IOS XR software running on the remote device is affected by a denial
of service vulnerability in the Event Management Service daemon (emsd)
due to improper handling of gRPC requests. An unauthenticated, remote
attacker can exploit this, by repeatedly sending unauthenticated gRPC
requests, to crash the device in such a manner than manual
intervention is required to recover.");
  # The two nessus.org/u? values below are shortened links; the comment above
  # each one gives what appears to be its full target URL.
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170503-ios-xr
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?716c8dcf");
  # https://www.networkworld.com/article/3194146/cisco-subnet/cisco-drops-critical-security-warning-on-vpn-router-3-high-priority-caveats.html#tk.rss_security
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a897d8e7");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb14441");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCvb14441.");
  # CVSS v2 and v3.0 vectors. Both describe a network-reachable issue that
  # needs no authentication or privileges and affects availability only
  # (C:N/I:N). The temporal E:U value agrees with the exploitability_ease
  # attribute set below.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/05/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/04");

  # NOTE(review): plugin_type "local" presumably marks a check that works from
  # data collected on the device (the version KB key and the saved
  # "show run | include grpc" output read further down) rather than from a
  # network probe -- confirm against the plugin documentation.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
  script_end_attributes();

  # The detection code sends no gRPC requests to the device; it compares the
  # recorded version string and searches the configuration output.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The required KB key is the one the detection code reads with
  # get_kb_item_or_exit(); presumably cisco_ios_xr_version.nasl is the plugin
  # that records it.
  script_dependencies("cisco_ios_xr_version.nasl");
  script_require_keys("Host/Cisco/IOS-XR/Version");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

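# Detection logic. Reads the IOS XR version recorded in the KB and, for the
# releases listed below, searches the output of "show run | include grpc" for
# evidence that the gRPC service is configured. This is a version and
# configuration check: no gRPC traffic is sent to the device.
version  = get_kb_item_or_exit("Host/Cisco/IOS-XR/Version");

cmds     = make_list();  # commands passed to the report as evidence
flag     = 0;            # 1 = affected release and gRPC found in the config
override = 0;            # 1 = config output rejected and enable is needed

# Known Affected: 6.1.0 and 6.1.1 with gRPC service enabled and configured
# NOTE(review): the advisory summary names release 6.1.1 only, while 6.1.0 is
# also matched here -- confirm against the fixed releases listed for
# CSCvb14441. The comparison is an exact string match, so a version string
# carrying a build suffix would not match; confirm the format written by
# cisco_ios_xr_version.nasl.
if (version != "6.1.1" && version != "6.1.0")
  audit(AUDIT_HOST_NOT, "affected");

# The gRPC configuration can only be read through local checks. Without them
# the exposure of an affected release is unknown, so record that in the audit
# trail instead of reporting the host as "not affected".
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

buf = cisco_command_kb_item("Host/Cisco/Config/show_run_include_grpc", "show run | include grpc");
if (check_cisco_result(buf))
{
  # NOTE(review): both substrings must be present. The reason for requiring
  # "!" is not visible here, and a plain substring match on "grpc" would also
  # accept any other line that happens to contain that text -- confirm against
  # real device output.
  if ("grpc" >< buf && "!" >< buf)
  {
    cmds = make_list(cmds, "show run | include grpc");
    flag = 1;
  }
}
else if (cisco_needs_enable(buf))
{
  # The configuration could not be read for lack of enable privileges. The
  # host is still reported, with override passed on to the report function.
  override = 1;
}

# Affected release, configuration readable, no gRPC evidence found.
if (!flag && !override)
  audit(AUDIT_OS_CONF_NOT_VULN, "Cisco IOS XR", version);

security_report_cisco(
  port     : 0,
  severity : SECURITY_HOLE,
  override : override,
  version  : version,
  bug_id   : "CSCvb14441",
  cmds     : cmds
);
exit(0);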