Vulnerabilities > CVE-2018-0158 - Memory Leak vulnerability in Cisco IOS and IOS XE
Summary
A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak or a reload of an affected device that leads to a denial of service (DoS) condition. The vulnerability is due to incorrect processing of certain IKEv2 packets. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device to be processed. A successful exploit could cause an affected device to continuously consume memory and eventually reload, resulting in a DoS condition. Cisco Bug IDs: CSCvf22394.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family CISCO NASL id CISCO-SA-20180328-IKE-IOS.NASL description According to its self-reported version, Cisco IOS is affected by a denial of service (DoS) vulnerability in the Internet Key Exchange Version 2 (IKEv2) module due to incorrect processing of certain IKEv2 packets. An unauthenticated, remote attacker can exploit this, by sending crafted IKEv2 packets to an affected device, in order to cause a memory leak or a reload of an affected device, leading to a DoS condition. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 131325 published 2019-11-27 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131325 title Cisco IOS Software Internet Key Exchange Memory Leak (cisco-sa-20180328-ike) code
#TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#
# Purpose: version-based detection of CVE-2018-0158 (Cisco bug CSCvf22394,
# advisory cisco-sa-20180328-ike) on Cisco IOS. The script registers its
# metadata, then hands the device's product info, an explicit list of affected
# releases and two workaround checks to cisco::check_and_report().
# Nothing visible in this script sends IKEv2 traffic; the description string
# below says the result relies on the self-reported version only.

include('compat.inc');

# When `description` is true the script only registers the metadata in this
# block and leaves through the exit(0) at its end; none of the version logic
# further down runs on that pass.
if (description)
{
  script_id(131325);
  script_version("1.4");
  script_cvs_date("Date: 2019/12/04");

  # Cross-references that tie the finding to the CVE, the BID and Cisco's own identifiers.
  script_cve_id("CVE-2018-0158");
  script_bugtraq_id(103566);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvf22394");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180328-ike");

  script_name(english:"Cisco IOS Software Internet Key Exchange Memory Leak (cisco-sa-20180328-ike)");

  script_set_attribute(attribute:"synopsis", value: "The remote device is missing a vendor-supplied security patch.");
  # The literal below spans a line break exactly as it appears on the page; the
  # break is part of the string, so it is left untouched.
  script_set_attribute(attribute:"description", value: "According to its self-reported version, Cisco IOS is affected by a denial of service (DoS) vulnerability in the Internet Key Exchange Version 2 (IKEv2) module due to incorrect processing of certain IKEv2 packets. 
An unauthenticated, remote attacker can exploit this, by sending crafted IKEv2 packets to an affected device, in order to cause a memory leak or a reload of an affected device, leading to a DoS condition. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-ike
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c962b883");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf22394");
  script_set_attribute(attribute:"solution", value: "Upgrade to the relevant fixed version referenced in Cisco bug ID(s) CSCvf22394.");
  # Both base vectors describe a network-reachable, unauthenticated issue whose
  # impact is availability only (C:N/I:N with A:C in CVSS2, A:H in CVSS3).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0158");

  # Exploitability (E:U above, "No known exploits" here) is the plugin's recorded
  # state as of its own dates; it is not re-evaluated by this script.
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  # This literal also carries a line break from the page; kept as is.
  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.");

  # The check needs the Host/Cisco/IOS/Version key; presumably it is populated by
  # the declared dependency cisco_ios_version.nasl - confirm against that plugin.
  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco IOS');

# Explicit enumeration of affected releases, passed below as vuln_versions.
# NOTE(review): how cisco::check_and_report() matches against it is defined in
# ccf.inc (not shown); if it is an exact-string match, a release missing from
# this list is not reported - verify against the advisory's fixed-release table.
version_list = make_list(
  '15.2(4)E', '15.2(4)E1', '15.2(4)E2', '15.2(4m)E1', '15.2(5)E', '15.2(4)E3',
  '15.2(5a)E', '15.2(5)E1', '15.2(5b)E', '15.2(4m)E3', '15.2(5c)E', '15.2(4n)E2',
  '15.2(4o)E2', '15.2(5a)E1', '15.2(4)E4', '15.2(5)E2', '15.2(4p)E1', '15.2(6)E',
  '15.2(5)E2b', '15.2(5)E2c', '15.2(4m)E2', '15.2(4o)E3', '15.2(4q)E1', '15.2(6)E0a',
  '15.2(6)E0c', '15.2(4s)E1', '15.2(4s)E2',
  '15.5(3)S', '15.5(3)S1', '15.5(3)S1a', '15.5(3)S2', '15.5(3)S0a', '15.5(3)S3',
  '15.5(3)S4', '15.5(3)S5',
  '15.2(4)EA', '15.2(4)EA1', '15.2(4)EA3', '15.2(5)EA', '15.2(4)EA4', '15.2(4)EA5',
  '15.5(3)M', '15.5(3)M1', '15.5(3)M0a', '15.5(3)M2', '15.5(3)M2a', '15.5(3)M3',
  '15.5(3)M4', '15.5(3)M4a', '15.5(3)M5', '15.5(3)M4b', '15.5(3)M4c', '15.5(3)M5a',
  '15.5(3)SN0a', '15.5(3)SN',
  '15.6(1)S', '15.6(2)S', '15.6(2)S1', '15.6(1)S1', '15.6(1)S2', '15.6(2)S2',
  '15.6(1)S3', '15.6(2)S3', '15.6(1)S4',
  '15.6(1)T', '15.6(2)T', '15.6(1)T0a', '15.6(1)T1', '15.6(2)T1', '15.6(1)T2',
  '15.6(2)T0a', '15.6(2)T2', '15.6(1)T3',
  '15.3(1)SY', '15.3(0)SY', '15.3(1)SY1', '15.3(1)SY2',
  '15.6(2)SP', '15.6(2)SP1', '15.6(2)SP2', '15.6(2)SP3b',
  '15.6(1)SN', '15.6(1)SN1', '15.6(2)SN', '15.6(1)SN2', '15.6(1)SN3', '15.6(3)SN',
  '15.6(4)SN', '15.6(5)SN', '15.6(6)SN', '15.6(7)SN', '15.6(7)SN1',
  '15.6(3)M', '15.6(3)M1', '15.6(3)M0a', '15.6(3)M1a', '15.6(3)M1b', '15.6(3)M2',
  '15.6(3)M2a',
  '15.2(4)EC1', '15.2(4)EC2',
  '15.4(1)SY', '15.4(1)SY1', '15.4(1)SY2', '15.5(1)SY'
);

# Two entries of CISCO_WORKAROUNDS (from cisco_workarounds.inc, not shown) are
# passed with the version list. Judging by their names and the 'cmds' reported
# below, they presumably inspect `show udp` / `show ip sockets` output for an IKE
# listener, so a listed release without IKE enabled may not be flagged - confirm
# in the include file before relying on a clean result.
workarounds = make_list(CISCO_WORKAROUNDS['show_udp_ike'],CISCO_WORKAROUNDS['show_ip_sock_ike']);
# No parameters are supplied for the workaround checks.
workaround_params = make_list();

# Fields handed to the reporting side: port 0, SECURITY_HOLE severity, the version
# read from product_info, the Cisco bug ID and the two commands named in the report.
reporting = make_array(
  'port' , 0,
  'severity' , SECURITY_HOLE,
  'version' , product_info['version'],
  'bug_id' , 'CSCvf22394',
  'cmds' , make_list('show udp', 'show ip sockets')
);

# Comparison and reporting are delegated to cisco::check_and_report(); its logic is
# not visible on this page.
cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_versions:version_list
);
NASL family CISCO NASL id CISCO-SA-20180328-IKE-IOSXE.NASL description According to its self-reported version, Cisco IOS XE Software is affected by a denial of service (DoS) vulnerability in the Internet Key Exchange Version 2 (IKEv2) module due to incorrect processing of certain IKEv2 packets. An unauthenticated, remote attacker can exploit this, by sending crafted IKEv2 packets to an affected device, in order to cause a memory leak or a reload of an affected device, leading to a DoS condition. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 131326 published 2019-11-27 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131326 title Cisco IOS XE Software Internet Key Exchange Memory Leak (cisco-sa-20180328-ike) code
#TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#
# Purpose: version-based detection of CVE-2018-0158 (Cisco bug CSCvf22394,
# advisory cisco-sa-20180328-ike) on Cisco IOS XE Software. The script registers
# its metadata, then hands the device's product info, an explicit list of
# affected releases and two workaround checks to cisco::check_and_report().
# Nothing visible in this script sends IKEv2 traffic; the description string
# below says the result relies on the self-reported version only.

include('compat.inc');

# When `description` is true the script only registers the metadata in this
# block and leaves through the exit(0) at its end; none of the version logic
# further down runs on that pass.
if (description)
{
  script_id(131326);
  script_version("1.4");
  script_cvs_date("Date: 2019/12/04");

  # Cross-references that tie the finding to the CVE, the BID and Cisco's own identifiers.
  script_cve_id("CVE-2018-0158");
  script_bugtraq_id(103566);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvf22394");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180328-ike");

  script_name(english:"Cisco IOS XE Software Internet Key Exchange Memory Leak (cisco-sa-20180328-ike)");

  script_set_attribute(attribute:"synopsis", value: "The remote device is missing a vendor-supplied security patch.");
  # The literal below spans a line break exactly as it appears on the page; the
  # break is part of the string, so it is left untouched.
  script_set_attribute(attribute:"description", value: "According to its self-reported version, Cisco IOS XE Software is affected by a denial of service (DoS) vulnerability in the Internet Key Exchange Version 2 (IKEv2) module due to incorrect processing of certain IKEv2 packets. 
An unauthenticated, remote attacker can exploit this, by sending crafted IKEv2 packets to an affected device, in order to cause a memory leak or a reload of an affected device, leading to a DoS condition. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-ike
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c962b883");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf22394");
  script_set_attribute(attribute:"solution", value: "Upgrade to the relevant fixed version referenced in Cisco bug ID(s) CSCvf22394.");
  # Both base vectors describe a network-reachable, unauthenticated issue whose
  # impact is availability only (C:N/I:N with A:C in CVSS2, A:H in CVSS3).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0158");

  # Exploitability (E:U above, "No known exploits" here) is the plugin's recorded
  # state as of its own dates; it is not re-evaluated by this script.
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  # This literal also carries a line break from the page; kept as is.
  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.");

  # The check needs the Host/Cisco/IOS-XE/Version key; presumably it is populated
  # by the declared dependency cisco_ios_xe_version.nasl - confirm against that plugin.
  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco IOS XE Software');

# Explicit enumeration of affected releases, passed below as vuln_versions.
# NOTE(review): how cisco::check_and_report() matches against it is defined in
# ccf.inc (not shown); if it is an exact-string match, a release missing from
# this list is not reported - verify against the advisory's fixed-release table.
version_list = make_list(
  '3.16.0S', '3.16.1S', '3.16.0aS', '3.16.1aS', '3.16.2S', '3.16.2aS', '3.16.0bS',
  '3.16.0cS', '3.16.3S', '3.16.2bS', '3.16.3aS', '3.16.4S', '3.16.4aS', '3.16.4bS',
  '3.16.4gS', '3.16.5S', '3.16.4cS', '3.16.4dS', '3.16.4eS', '3.16.5aS', '3.16.5bS',
  '3.17.0S', '3.17.1S', '3.17.2S', '3.17.1aS', '3.17.3S', '3.17.4S',
  '16.1.1', '16.1.2', '16.1.3',
  '16.2.1', '16.2.2',
  '3.8.0E', '3.8.1E', '3.8.2E', '3.8.3E', '3.8.4E',
  '16.3.1', '16.3.2', '16.3.3', '16.3.1a', '16.3.4',
  '16.4.1', '16.4.2',
  '3.18.0aS', '3.18.0S', '3.18.1S', '3.18.2S', '3.18.3S',
  '3.18.0SP', '3.18.1SP', '3.18.1aSP', '3.18.1gSP', '3.18.1bSP', '3.18.1cSP',
  '3.18.2SP', '3.18.1hSP', '3.18.2aSP', '3.18.1iSP', '3.18.3bSP',
  '3.9.0E', '3.9.1E', '3.9.2E', '3.9.2bE',
  '3.10.0E', '3.10.0cE'
);

# Two entries of CISCO_WORKAROUNDS (from cisco_workarounds.inc, not shown) are
# passed with the version list. Judging by their names and the 'cmds' reported
# below, they presumably inspect `show udp` / `show ip sockets` output for an IKE
# listener, so a listed release without IKE enabled may not be flagged - confirm
# in the include file before relying on a clean result.
workarounds = make_list(CISCO_WORKAROUNDS['show_udp_ike'],CISCO_WORKAROUNDS['show_ip_sock_ike']);
# No parameters are supplied for the workaround checks.
workaround_params = make_list();

# Fields handed to the reporting side: port 0, SECURITY_HOLE severity, the version
# read from product_info, the Cisco bug ID and the two commands named in the report.
reporting = make_array(
  'port' , 0,
  'severity' , SECURITY_HOLE,
  'version' , product_info['version'],
  'bug_id' , 'CSCvf22394',
  'cmds' , make_list('show udp', 'show ip sockets')
);

# Comparison and reporting are delegated to cisco::check_and_report(); its logic is
# not visible on this page.
cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_versions:version_list
);
References
- http://www.securityfocus.com/bid/103566
- http://www.securityfocus.com/bid/103566
- http://www.securitytracker.com/id/1040595
- http://www.securitytracker.com/id/1040595
- https://ics-cert.us-cert.gov/advisories/ICSA-18-107-03
- https://ics-cert.us-cert.gov/advisories/ICSA-18-107-03
- https://ics-cert.us-cert.gov/advisories/ICSA-18-107-04
- https://ics-cert.us-cert.gov/advisories/ICSA-18-107-04
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-ike
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-ike