Vulnerabilities > CVE-2018-0160 - Double Free vulnerability in Cisco IOS XE 15.5(3)S

047910
CVSS 6.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
high complexity
cisco
CWE-415
nessus
NVD
Published: 2018-03-28
Updated: 2019-10-09

Summary

A vulnerability in Simple Network Management Protocol (SNMP) subsystem of Cisco IOS XE Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to improper management of memory resources, referred to as a double free. An attacker could exploit this vulnerability by sending crafted SNMP packets to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. To exploit this vulnerability via SNMP Version 2c or earlier, the attacker must know the SNMP read-only community string for an affected system. To exploit this vulnerability via SNMP Version 3, the attacker must know the user credentials for the affected system. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software, have been configured to be queried over SNMP, and have Network Address Translation (NAT) enabled. Cisco Bug IDs: CSCve75818.

Vulnerable Configurations

Part Description Count
OS
Cisco
1
Hardware
Cisco
19

Common Weakness Enumeration (CWE)

Nessus

NASL familyCISCO
NASL idCISCO-SA-20180328-SNMP-DOS.NASL
descriptionAccording to its self-reported version, Cisco IOS XE Software is affected by a denial of service (DoS) vulnerability in the Simple Network Management Protocol (SNMP) subsystem due to improper management of memory resources, referred to as a double free. An authenticated, remote attacker can exploit this vulnerability by sending crafted SNMP packets to an affected device in order to cause the affected device to reload, resulting in a DoS condition. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application
last seen2020-06-01
modified2020-06-02
plugin id132039
published2019-12-13
reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/132039
titleCisco IOS XE Software Simple Network Management Protocol Double-Free DoS (cisco-sa-20180328-snmp-dos)
code
#TRUSTED 810e7e4f68d8c5f648f711246522a48f6aa754a1ce5b7ddcf292308725d66107e9d80d09fac05c2b1ecf6b8fa925e243055a877c080f10e30901f20d9c9e7c416f830e4885b0e001341869e08304f54e4114f6e5fe51aa4934a02c6bef3081cb983e19dd3d220d7fca81d9d159f8f6fc89ea982431156ec70212b0b338b02491393451d6e442aa75c01880cc4522bfe49aaf32421a8121157c3303e860ca9f8ded423c8dd39a6d076b23ba285a8afac4dd68cd48a297721835434f10389a99f38a2cf9b58474560c808ef2142508611dd11b3e23fbd6bd6c0c8a69c4581141bbfb8f2d67bedb546228b82e29b07ce3afb0ae611f1e82ec713e088c4736191ac9fc545dc0ca52880ca2f3a7b0424281f01da7e8913f62dd39378f769015094b952e0bb6e283829286fdfb273a7ea883f952440adc259be2d47f242ff8fa7202a639183f5b632cfcfd1f1cafdbd5d253e15282b38b56b774b5a43ef1e6144c89f07fb15c0520dfc1353c99e2c6b474f4a214140b685f9e1a18b9e20ef0b705b67e8fccec7ee06f8aaf2fe546b99fc4fef0dcff10b36a3039b7161413f3b3595dc837e65448edd3394fb3b16031e6ef4ecce4923a594ea1a3f8162c4bf00d334ae89437a076f9dc7b8153627606ae66042a8d6770520af61d36eb8a845752c269bff00ff5f34715fec24ee3d84afc0fb33eefcf7da538ad1358d888e8187ac1ca9c
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(132039);
  script_version("1.4");
  script_cvs_date("Date: 2019/12/16");

  script_cve_id("CVE-2018-0160");
  script_bugtraq_id(103575);
  script_xref(name:"CISCO-BUG-ID", value:"CSCve75818");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180328-snmp-dos");

  script_name(english:"Cisco IOS XE Software Simple Network Management Protocol Double-Free DoS (cisco-sa-20180328-snmp-dos)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected by a denial of service (DoS) vulnerability in
the Simple Network Management Protocol (SNMP) subsystem  due to improper management of memory resources, referred to as
a double free. An authenticated, remote attacker can exploit this vulnerability by sending crafted SNMP packets to an
affected device in order to cause the affected device to reload, resulting in a DoS condition.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-snmp-dos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0b77f9f4");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve75818");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s) CSCve75818.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0160");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco IOS XE Software');

version_list = make_list(
  '3.15.0S',
  '3.15.1S',
  '3.15.2S',
  '3.15.1cS',
  '3.15.3S',
  '3.15.4S',
  '3.16.0S',
  '3.16.1S',
  '3.16.1aS',
  '3.16.2S',
  '3.16.0bS',
  '3.16.0cS',
  '3.16.3S',
  '3.16.2bS',
  '3.16.4aS',
  '3.16.4bS',
  '3.16.4gS',
  '3.16.5S',
  '3.16.4cS',
  '3.16.4dS',
  '3.16.4eS',
  '3.16.6S',
  '3.16.5aS',
  '3.16.5bS',
  '3.16.6bS',
  '3.17.0S',
  '3.17.1S',
  '3.17.2S',
  '3.17.1aS',
  '3.17.3S',
  '3.17.4S',
  '16.2.1',
  '16.2.2',
  '16.3.1',
  '16.3.2',
  '16.3.3',
  '16.3.1a',
  '16.3.4',
  '16.4.1',
  '16.4.2',
  '16.5.1',
  '16.5.1b',
  '16.5.2',
  '3.18.0aS',
  '3.18.1S',
  '3.18.0SP',
  '3.18.1SP',
  '3.18.1aSP',
  '3.18.1gSP',
  '3.18.2SP',
  '3.18.1hSP',
  '3.18.2aSP',
  '3.18.1iSP',
  '3.18.3SP',
  '3.18.3aSP',
  '3.18.3bSP',
  '16.6.1'
);

workarounds = make_list(CISCO_WORKAROUNDS['snmp']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCve75818',
  'cmds'     , make_list('show running-config')
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_versions:version_list
);

References