Vulnerabilities > CVE-2018-0158 - Memory Leak vulnerability in Cisco IOS and IOS XE

047910
CVSS 8.6 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
cisco
CWE-401
nessus

Summary

A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak or a reload of an affected device that leads to a denial of service (DoS) condition. The vulnerability is due to incorrect processing of certain IKEv2 packets. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device to be processed. A successful exploit could cause an affected device to continuously consume memory and eventually reload, resulting in a DoS condition. Cisco Bug IDs: CSCvf22394.

Nessus

  • NASL familyCISCO
    NASL idCISCO-SA-20180328-IKE-IOS.NASL
    descriptionAccording to its self-reported version, Cisco IOS is affected by a denial of service (DoS) vulnerability in the Internet Key Exchange Version 2 (IKEv2) module due to incorrect processing of certain IKEv2 packets. An unauthenticated, remote attacker can exploit this, by sending crafted IKEv2 packets to an affected device, in order to cause a memory leak or a reload of an affected device, leading to a DoS condition. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id131325
    published2019-11-27
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131325
    titleCisco IOS Software Internet Key Exchange Memory Leak (cisco-sa-20180328-ike)
    code
    #TRUSTED 0deeeacfacc34a45a5ab429bad594ac9e3b8917ee07b5783cda540823cd4b827c06633f4d370b0c36543ebc2980528d325a937f4c989a184e9f9d6b1eb00f326f751d5b352ce20a016158b586bf2a16c545a53705e638b26a8b6815e71745f2a7a3e4a2c3d4fd9ce782aa9819ed27f8219e8f2690713652119ff41c62de31a28ccd81a517d5370eda1d9eb8a491ca158849d1a17963e3f019105981f451ce3e811ab4229ea4bc282a7fb59f3f83c4f1e629366820b76c0be4bf58e2eb9ea30dc8e43ebdfd7955c51b5f6d00f78f62bbb948041bab56159a8c289c54a69a01d246a93875a1cc886be1125b7422cd9d468903f4086d9239be56ba5e53c1d877503178b0e723015f81bbd9d4659adec56f25fa17b26a74eeebf1b145ebf406140bbb7d742ebc4fe8857ef524338caa4656db7ca6397f9e979aa08c6b19cede4e2dfd0fb2eeabe5cca80666f8973b4849a6faf25b2991b9e595bc31291963b5f941bcb39c3a27a7e753f5584049957b03c9b952099e2385c74b788c4a527321ebc1aee1fdb06537ffa02e328ea7dab3cd27a1c429f8992a92d57ed7fdb4a35b0c2df66d28e6d8a07dfebe50e86c070b375b588c68dfc6f464623c786ab6bfcc5ce9b03da6a1c7f266ebedfe0983aee06edf86862044fe29445c3c559a90f030c8565d7dd9336e8990bb761d281da7bdf0ec9968e637371af86bf79b3572f17e09308
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(131325);
      script_version("1.4");
      script_cvs_date("Date: 2019/12/04");
    
      script_cve_id("CVE-2018-0158");
      script_bugtraq_id(103566);
      script_xref(name:"CISCO-BUG-ID", value:"CSCvf22394");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20180328-ike");
    
      script_name(english:"Cisco IOS Software Internet Key Exchange Memory Leak (cisco-sa-20180328-ike)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is missing a vendor-supplied security patch.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, Cisco IOS is affected by a denial of service (DoS) vulnerability in the
    Internet Key Exchange Version 2 (IKEv2) module due to incorrect processing of certain IKEv2 packets. An
    unauthenticated, remote attacker can exploit this, by sending crafted IKEv2 packets to an affected device, in order to
    cause a memory leak or a reload of an affected device, leading to a DoS condition.
    
    Please see the included Cisco BIDs and Cisco Security Advisory for more information.
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-ike
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c962b883");
      script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf22394");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to the relevant fixed version referenced in Cisco bug ID(s) CSCvf22394.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0158");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/03/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/27");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CISCO");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("cisco_ios_version.nasl");
      script_require_keys("Host/Cisco/IOS/Version");
    
      exit(0);
    }
    
    include('cisco_workarounds.inc');
    include('ccf.inc');
    
    product_info = cisco::get_product_info(name:'Cisco IOS');
    
    version_list = make_list(
      '15.2(4)E',
      '15.2(4)E1',
      '15.2(4)E2',
      '15.2(4m)E1',
      '15.2(5)E',
      '15.2(4)E3',
      '15.2(5a)E',
      '15.2(5)E1',
      '15.2(5b)E',
      '15.2(4m)E3',
      '15.2(5c)E',
      '15.2(4n)E2',
      '15.2(4o)E2',
      '15.2(5a)E1',
      '15.2(4)E4',
      '15.2(5)E2',
      '15.2(4p)E1',
      '15.2(6)E',
      '15.2(5)E2b',
      '15.2(5)E2c',
      '15.2(4m)E2',
      '15.2(4o)E3',
      '15.2(4q)E1',
      '15.2(6)E0a',
      '15.2(6)E0c',
      '15.2(4s)E1',
      '15.2(4s)E2',
      '15.5(3)S',
      '15.5(3)S1',
      '15.5(3)S1a',
      '15.5(3)S2',
      '15.5(3)S0a',
      '15.5(3)S3',
      '15.5(3)S4',
      '15.5(3)S5',
      '15.2(4)EA',
      '15.2(4)EA1',
      '15.2(4)EA3',
      '15.2(5)EA',
      '15.2(4)EA4',
      '15.2(4)EA5',
      '15.5(3)M',
      '15.5(3)M1',
      '15.5(3)M0a',
      '15.5(3)M2',
      '15.5(3)M2a',
      '15.5(3)M3',
      '15.5(3)M4',
      '15.5(3)M4a',
      '15.5(3)M5',
      '15.5(3)M4b',
      '15.5(3)M4c',
      '15.5(3)M5a',
      '15.5(3)SN0a',
      '15.5(3)SN',
      '15.6(1)S',
      '15.6(2)S',
      '15.6(2)S1',
      '15.6(1)S1',
      '15.6(1)S2',
      '15.6(2)S2',
      '15.6(1)S3',
      '15.6(2)S3',
      '15.6(1)S4',
      '15.6(1)T',
      '15.6(2)T',
      '15.6(1)T0a',
      '15.6(1)T1',
      '15.6(2)T1',
      '15.6(1)T2',
      '15.6(2)T0a',
      '15.6(2)T2',
      '15.6(1)T3',
      '15.3(1)SY',
      '15.3(0)SY',
      '15.3(1)SY1',
      '15.3(1)SY2',
      '15.6(2)SP',
      '15.6(2)SP1',
      '15.6(2)SP2',
      '15.6(2)SP3b',
      '15.6(1)SN',
      '15.6(1)SN1',
      '15.6(2)SN',
      '15.6(1)SN2',
      '15.6(1)SN3',
      '15.6(3)SN',
      '15.6(4)SN',
      '15.6(5)SN',
      '15.6(6)SN',
      '15.6(7)SN',
      '15.6(7)SN1',
      '15.6(3)M',
      '15.6(3)M1',
      '15.6(3)M0a',
      '15.6(3)M1a',
      '15.6(3)M1b',
      '15.6(3)M2',
      '15.6(3)M2a',
      '15.2(4)EC1',
      '15.2(4)EC2',
      '15.4(1)SY',
      '15.4(1)SY1',
      '15.4(1)SY2',
      '15.5(1)SY'
    );
    
    workarounds = make_list(CISCO_WORKAROUNDS['show_udp_ike'],CISCO_WORKAROUNDS['show_ip_sock_ike']);
    workaround_params = make_list();
    
    reporting = make_array(
      'port'     , 0,
      'severity' , SECURITY_HOLE,
      'version'  , product_info['version'],
      'bug_id'   , 'CSCvf22394',
      'cmds'     , make_list('show udp', 'show ip sockets')
    );
    
    cisco::check_and_report(
      product_info:product_info,
      workarounds:workarounds,
      workaround_params:workaround_params,
      reporting:reporting,
      vuln_versions:version_list
    );
    
  • NASL familyCISCO
    NASL idCISCO-SA-20180328-IKE-IOSXE.NASL
    descriptionAccording to its self-reported version, Cisco IOS XE Software is affected by a denial of service (DoS) vulnerability in the Internet Key Exchange Version 2 (IKEv2) module due to incorrect processing of certain IKEv2 packets. An unauthenticated, remote attacker can exploit this, by sending crafted IKEv2 packets to an affected device, in order to cause a memory leak or a reload of an affected device, leading to a DoS condition. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id131326
    published2019-11-27
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131326
    titleCisco IOS XE Software Internet Key Exchange Memory Leak (cisco-sa-20180328-ike)
    code
    #TRUSTED 08fb2b74527656808a798d7be87be5c43e38421651d52ae5fb3069912ed9f17519f59323bf633ef13444a2f4468c17e1a31ec0f58c5d4770a3f3efd28dc6d5b5150ca8efd9d8f4ee4ab391f8c516f73f805f0456aad93d3e6dbcac8e50d30e2f6e4b9a688dcaaf6d55f7ef0c5f1ae38d2dc62b54a2f145bcba8a6de9010199d4c93f3d7473ffac911f47e39175d5878aaaceecec6a196ec8d19b65082eb8415397fa4b91a4ca8c043b24eb617406e6072035a7745aa85184f5058cc0405610374629e5931a85c392a2507927820b529e7e2710cd368154d4a1d3d6e14695c363b810b7a65023f883fa68f0a08e72f00cdadc11d1b1ebe13eac84df0299194858a3b3a76edf41470cf06cd15c3ef7a4d54cf733057d914b12737183f5147128ee3948d650194eb5c5b28cd7dad7135a8ccab80f084c17c0b84340a2fd7b2b00ca01e0f85163bc52d550298234c786492a1abb428d83d2e4704cb7fc85d2b872b2ff20e5de1d748183be47e6a570206dd0c7394241cbf80b062f14e26c679ee897b3126be61393c972723a49c02301ddc64f771a4bbc8e09e756df234f5bf6f15a128c82e95313a8654b6a720b230603f1a8c9de918796f1ea02e777127ec19fb4d4b764e1694e1087637f956661cad4bb3c210fa85055f1e2f757d8c2fea70e07cd2194b71beb58ff4777c6b3e37c6ad1e2e2cde8d4badea58d0d210f8b2e1aaf
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(131326);
      script_version("1.4");
      script_cvs_date("Date: 2019/12/04");
    
      script_cve_id("CVE-2018-0158");
      script_bugtraq_id(103566);
      script_xref(name:"CISCO-BUG-ID", value:"CSCvf22394");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20180328-ike");
    
      script_name(english:"Cisco IOS XE Software Internet Key Exchange Memory Leak (cisco-sa-20180328-ike)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is missing a vendor-supplied security patch.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, Cisco IOS XE Software is affected by a denial of service (DoS) vulnerability in
    the Internet Key Exchange Version 2 (IKEv2) module due to incorrect processing of certain IKEv2 packets. An
    unauthenticated, remote attacker can exploit this, by sending crafted IKEv2 packets to an affected device, in order to
    cause a memory leak or a reload of an affected device, leading to a DoS condition.
    
    Please see the included Cisco BIDs and Cisco Security Advisory for more information.
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-ike
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c962b883");
      script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf22394");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to the relevant fixed version referenced in Cisco bug ID(s) CSCvf22394.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0158");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/03/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/27");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CISCO");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("cisco_ios_xe_version.nasl");
      script_require_keys("Host/Cisco/IOS-XE/Version");
    
      exit(0);
    }
    
    include('cisco_workarounds.inc');
    include('ccf.inc');
    
    product_info = cisco::get_product_info(name:'Cisco IOS XE Software');
    
    version_list = make_list(
      '3.16.0S',
      '3.16.1S',
      '3.16.0aS',
      '3.16.1aS',
      '3.16.2S',
      '3.16.2aS',
      '3.16.0bS',
      '3.16.0cS',
      '3.16.3S',
      '3.16.2bS',
      '3.16.3aS',
      '3.16.4S',
      '3.16.4aS',
      '3.16.4bS',
      '3.16.4gS',
      '3.16.5S',
      '3.16.4cS',
      '3.16.4dS',
      '3.16.4eS',
      '3.16.5aS',
      '3.16.5bS',
      '3.17.0S',
      '3.17.1S',
      '3.17.2S',
      '3.17.1aS',
      '3.17.3S',
      '3.17.4S',
      '16.1.1',
      '16.1.2',
      '16.1.3',
      '16.2.1',
      '16.2.2',
      '3.8.0E',
      '3.8.1E',
      '3.8.2E',
      '3.8.3E',
      '3.8.4E',
      '16.3.1',
      '16.3.2',
      '16.3.3',
      '16.3.1a',
      '16.3.4',
      '16.4.1',
      '16.4.2',
      '3.18.0aS',
      '3.18.0S',
      '3.18.1S',
      '3.18.2S',
      '3.18.3S',
      '3.18.0SP',
      '3.18.1SP',
      '3.18.1aSP',
      '3.18.1gSP',
      '3.18.1bSP',
      '3.18.1cSP',
      '3.18.2SP',
      '3.18.1hSP',
      '3.18.2aSP',
      '3.18.1iSP',
      '3.18.3bSP',
      '3.9.0E',
      '3.9.1E',
      '3.9.2E',
      '3.9.2bE',
      '3.10.0E',
      '3.10.0cE'
    );
    
    workarounds = make_list(CISCO_WORKAROUNDS['show_udp_ike'],CISCO_WORKAROUNDS['show_ip_sock_ike']);
    workaround_params = make_list();
    
    reporting = make_array(
      'port'     , 0,
      'severity' , SECURITY_HOLE,
      'version'  , product_info['version'],
      'bug_id'   , 'CSCvf22394',
      'cmds'     , make_list('show udp', 'show ip sockets')
    );
    
    cisco::check_and_report(
      product_info:product_info,
      workarounds:workarounds,
      workaround_params:workaround_params,
      reporting:reporting,
      vuln_versions:version_list
    );