CVE-2018-0155 - Improper Handling of Exceptional Conditions vulnerability in Cisco IOS and IOS XE
Summary
A vulnerability in the Bidirectional Forwarding Detection (BFD) offload implementation of Cisco Catalyst 4500 Series Switches and Cisco Catalyst 4500-X Series Switches could allow an unauthenticated, remote attacker to cause a crash of the iosd process, causing a denial of service (DoS) condition. The vulnerability is due to insufficient error handling when the BFD header in a BFD packet is incomplete. An attacker could exploit this vulnerability by sending a crafted BFD message to or across an affected switch. A successful exploit could allow the attacker to trigger a reload of the system. This vulnerability affects Catalyst 4500 Supervisor Engine 6-E (K5), Catalyst 4500 Supervisor Engine 6L-E (K10), Catalyst 4500 Supervisor Engine 7-E (K10), Catalyst 4500 Supervisor Engine 7L-E (K10), Catalyst 4500E Supervisor Engine 8-E (K10), Catalyst 4500E Supervisor Engine 8L-E (K10), Catalyst 4500E Supervisor Engine 9-E (K10), Catalyst 4500-X Series Switches (K10), Catalyst 4900M Switch (K5), Catalyst 4948E Ethernet Switch (K5). Cisco Bug IDs: CSCvc40729.
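The root cause named above is a BFD header that is read without first confirming it is complete. As an added example (not Cisco's code or fix, and not part of the original page), the C validator below applies the reception checks of RFC 5880 section 6.8.6 and turns every malformed case into a verdict the caller can drop. The function, enum and sample names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BFD_MIN_LEN      24u /* mandatory section (RFC 5880, section 4.1) */
#define BFD_MIN_LEN_AUTH 26u /* plus Auth Type and Auth Len when A is set */

enum bfd_verdict { BFD_OK, BFD_ERR_TRUNCATED, BFD_ERR_VERSION, BFD_ERR_LENGTH,
                   BFD_ERR_DETECT_MULT, BFD_ERR_MULTIPOINT, BFD_ERR_MY_DISC,
                   BFD_ERR_STATE };

static uint32_t rd32(const uint8_t *p) /* big-endian 32-bit read */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate a received UDP payload. No field is read until len is known to
 * cover the mandatory section; every failure is a verdict the caller drops. */
enum bfd_verdict bfd_validate(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < BFD_MIN_LEN)
        return BFD_ERR_TRUNCATED;                 /* incomplete header */
    uint8_t version = buf[0] >> 5, state = buf[1] >> 6;
    uint8_t flags = buf[1] & 0x3f;                /* P F C A D M */
    uint8_t detect_mult = buf[2], length = buf[3];
    size_t min = (flags & 0x04) ? BFD_MIN_LEN_AUTH : BFD_MIN_LEN;
    if (version != 1) return BFD_ERR_VERSION;
    if (length < min || length > len) return BFD_ERR_LENGTH;
    if (detect_mult == 0) return BFD_ERR_DETECT_MULT;
    if (flags & 0x01) return BFD_ERR_MULTIPOINT;
    if (rd32(buf + 4) == 0) return BFD_ERR_MY_DISC;
    /* Your Discriminator may be zero only in AdminDown (0) or Down (1). */
    if (rd32(buf + 8) == 0 && state > 1) return BFD_ERR_STATE;
    return BFD_OK;
}

/* Constructed sample: version 1, state Down, Detect Mult 3, Length 24. */
static const uint8_t sample[24] = { 0x20, 0x40, 0x03, 0x18, 0, 0, 0, 1,
    0, 0, 0, 0, 0x00, 0x0f, 0x42, 0x40, 0x00, 0x0f, 0x42, 0x40, 0, 0, 0, 0 };

/* Validate the first `captured` bytes of the sample with Length overridden. */
enum bfd_verdict check_sample(size_t captured, uint8_t length_field)
{
    uint8_t pkt[sizeof sample];
    memcpy(pkt, sample, sizeof pkt);
    pkt[3] = length_field;
    return bfd_validate(pkt, captured > sizeof pkt ? sizeof pkt : captured);
}
```

The Length field is compared against the bytes actually received, so a header that claims more data than arrived is rejected instead of being trusted.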
Nessus
- NASL family: CISCO
- NASL id: CISCO-SA-20180328.NASL
- description: A denial of service (DoS) vulnerability exists in the Bidirectional Forwarding Detection (BFD) offload implementation of Cisco Catalyst 4500 Series Switches and Cisco Catalyst 4500-X Series Switches due to insufficient error handling when the BFD header in a BFD packet is incomplete. An unauthenticated, remote attacker can exploit this issue by sending a crafted BFD message to or across an affected switch. If the attacker is successful, this could allow the attacker to trigger a reload of the system. Please see the included Cisco BIDs and Cisco Security Advisory for more information.
- last seen: 2020-04-30
- modified: 2020-04-23
- plugin id: 135922
- published: 2020-04-23
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/135922
- title: Cisco IOS and IOS XE Software Denial of Service Vulnerability (cisco-sa-20180328-bfd)
- code:

```
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(135922);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/24");

  script_cve_id("CVE-2018-0155");
  script_bugtraq_id(103565);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvc40729");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180328-bfd");

  script_name(english:"Cisco IOS and IOS XE Software Denial of Service Vulnerability (cisco-sa-20180328-bfd)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"A denial of service (DoS) vulnerability exists in the Bidirectional Forwarding Detection (BFD) offload
implementation of Cisco Catalyst 4500 Series Switches and Cisco Catalyst 4500-X Series Switches due to
insufficient error handling when the BFD header in a BFD packet is incomplete.
An unauthenticated, remote attacker can exploit this issue by sending crafted BFD message to or across an
affected switch. If the attacker is succesful then this could allow the attacker to trigger a reload of the
system.

Please see the included Cisco BIDs and Cisco Security Advisory for more information");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-bfd
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c66d9346");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc40729");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvc40729");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0155");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(388);

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/23");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/show_ver");

  exit(0);
}

include('ccf.inc');
include('cisco_workarounds.inc');

product_info = cisco::get_product_info(name:'Cisco IOS');

# Only the affected Catalyst 4500 / 4500-X / 4900M / 4948E models are checked
if (product_info['model'] !~ "4(500(E|-X)?)|(9(00M|48E))")
  audit(AUDIT_DEVICE_NOT_VULN, 'The Model ' + product_info['model']);

vuln_versions = [
  '15.1SG', '15.1(1)SG', '15.1(2)SG', '15.1(1)SG1', '15.1(1)SG2', '15.1(2)SG1',
  '15.1(2)SG2', '15.1(2)SG3', '15.1(2)SG4', '15.1(2)SG5', '15.1(2)SG6', '15.1(2)SG7',
  '15.1(2)SG8', '15.2E', '15.2(1)E', '15.2(2)E', '15.2(1)E1', '15.2(3)E',
  '15.2(1)E3', '15.2(2)E1', '15.2(2b)E', '15.2(4)E', '15.2(3)E1', '15.2(2)E2',
  '15.2(2)E3', '15.2(3)E2', '15.2(3)E3', '15.2(4)E1', '15.2(2)E4', '15.2(2)E5',
  '15.2(4)E2', '15.2(3)E4', '15.2(4)E3', '15.2(2)E6', '15.2(2)E5a', '15.2(3)E5',
  '15.2(2)E5b', '15.2(4)E4', '15.2(2)E7', '15.2(4)E5', '15.2(2)E7b', '15.2(4)E5a',
  '15.2(4s)E2'
];

workarounds = make_list(CISCO_WORKAROUNDS['bfd']);
workaround_params = [];

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_HOLE,
  'version'  , product_info['version']
);

cisco::check_and_report(
  product_info      : product_info,
  workarounds       : workarounds,
  workaround_params : workaround_params,
  reporting         : reporting,
  vuln_versions     : vuln_versions
);
```
- NASL family: CISCO
- NASL id: CISCO-SA-20180328-BFD.NASL
- description: According to its self-reported version, Cisco IOS is affected by a denial of service (DoS) vulnerability in the Bidirectional Forwarding Detection (BFD) offload implementation due to insufficient error handling when the BFD header in a BFD packet is incomplete. An unauthenticated, remote attacker could exploit this, by sending a crafted BFD message to or across an affected switch, in order to crash the iosd process and trigger a system reload. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 132680
- published: 2020-01-07
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/132680
- title: Cisco IOS Software Bidirectional Forwarding Detection DoS (cisco-sa-20180328-bfd)
- code:

```
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(132680);
  script_version("1.4");
  script_cvs_date("Date: 2020/01/09");

  script_cve_id("CVE-2018-0155");
  script_bugtraq_id(103565);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvc40729");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180328-bfd");
  script_xref(name:"IAVA", value:"2018-A-0098");

  script_name(english:"Cisco IOS Software Bidirectional Forwarding Detection DoS (cisco-sa-20180328-bfd)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS is affected by a denial of service (DoS) vulnerability in
the Bidirectional Forwarding Detection (BFD) offload implementation due to insufficient error handling when
the BFD header in a BFD packet is incomplete.
An unauthenticated, remote attacker could exploit this, by sending a crafted BFD message to or across an
affected switch, in order to crash the iosd process and trigger a system reload.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported
version number.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-bfd
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c66d9346");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc40729");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s) CSCvc40729.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0155");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/07");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version", "Host/Cisco/IOS/Model", "Settings/ParanoidReport");

  exit(0);
}

include('audit.inc');
include('cisco_workarounds.inc');
include('ccf.inc');

# Version-only check: run only when the scan is configured for paranoid reporting
if (report_paranoia < 2) audit(AUDIT_PARANOID);

product_info = cisco::get_product_info(name:'Cisco IOS');

if ('catalyst' >!< tolower(product_info.model) || product_info.model !~ "4[59]\d\d(^\d|$)")
  audit(AUDIT_HOST_NOT, "affected");

version_list = make_list(
  '15.1(1)SG', '15.1(2)SG', '15.1(1)SG1', '15.1(1)SG2', '15.1(2)SG1', '15.1(2)SG2',
  '15.1(2)SG3', '15.1(2)SG4', '15.1(2)SG5', '15.1(2)SG6', '15.1(2)SG7', '15.1(2)SG8',
  '15.2(1)E', '15.2(2)E', '15.2(1)E1', '15.2(3)E', '15.2(1)E3', '15.2(2)E1',
  '15.2(2b)E', '15.2(4)E', '15.2(3)E1', '15.2(2)E2', '15.2(2)E3', '15.2(3)E2',
  '15.2(3)E3', '15.2(4)E1', '15.2(2)E4', '15.2(2)E5', '15.2(4)E2', '15.2(3)E4',
  '15.2(4)E3', '15.2(2)E6', '15.2(2)E5a', '15.2(3)E5', '15.2(2)E5b', '15.2(4)E4',
  '15.2(2)E7', '15.2(4)E5', '15.2(2)E7b', '15.2(4)E5a', '15.2(4s)E2'
);

# Script is paranoid, so workarounds should be omitted
workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_HOLE,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvc40729'
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  reporting:reporting,
  vuln_versions:version_list
);
```
References
- http://www.securityfocus.com/bid/103565
- http://www.securitytracker.com/id/1040587
- https://ics-cert.us-cert.gov/advisories/ICSA-18-107-05
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-bfd