Vulnerabilities > CVE-2018-0161 - Unspecified vulnerability in Cisco IOS 15.2(5)E
Attack vector
NETWORK Attack complexity
HIGH Privileges required
LOW Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software running on certain models of Cisco Catalyst Switches could allow an authenticated, remote attacker to cause a denial of service (DoS) condition, aka a GET MIB Object ID Denial of Service Vulnerability. The vulnerability is due to a condition that could occur when the affected software processes an SNMP read request that contains a request for the ciscoFlashMIB object ID (OID). An attacker could trigger this vulnerability by issuing an SNMP GET request for the ciscoFlashMIB OID on an affected device. A successful exploit could cause the affected device to restart due to a SYS-3-CPUHOG. This vulnerability affects the following Cisco devices if they are running a vulnerable release of Cisco IOS Software and are configured to use SNMP Version 2 (SNMPv2) or SNMP Version 3 (SNMPv3): Cisco Catalyst 2960-L Series Switches, Cisco Catalyst Digital Building Series Switches 8P, Cisco Catalyst Digital Building Series Switches 8U. Cisco Bug IDs: CSCvd89541.
Vulnerable Configurations
Nessus
NASL family Misc. NASL id ORACLE_ENTERPRISE_MANAGER_OPS_CENTER_APR_2019_CPU.NASL description The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component: - A deserialization vulnerability in Apache Commons FileUpload allows for remote code execution. (CVE-2016-1000031) - An information disclosure vulnerability exists in OpenSSL due to the potential for a side-channel timing attack. An unauthenticated attacker can exploit this to disclose potentially sensitive information. (CVE-2018-0734) - A denial of service (DoS) vulnerability exists in Apache HTTP Server 2.4.17 to 2.4.34, due to a design error. An unauthenticated, remote attacker can exploit this issue by sending continuous, large SETTINGS frames to cause a client to occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. (CVE-2018-11763). - Networking component of Enterprise Manager Base Platform (Spring Framework) is easily exploited and may allow an unauthenticated, remote attacker to takeover the Enterprise Manager Base Platform. (CVE-2018-1258) last seen 2020-06-01 modified 2020-06-02 plugin id 125147 published 2019-05-15 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125147 title Oracle Enterprise Manager Ops Center (Apr 2019 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(125147); script_version("1.2"); script_cvs_date("Date: 2019/05/17 9:44:17"); script_cve_id( "CVE-2016-1000031", "CVE-2018-0161", "CVE-2018-0734", "CVE-2018-0735", "CVE-2018-5407", "CVE-2018-11763", "CVE-2017-9798", "CVE-2018-1258", "CVE-2018-11039", "CVE-2018-11040", "CVE-2018-1257", "CVE-2018-15756" ); script_bugtraq_id( 93604, 100872, 103573, 104222, 104260, 105414, 105703, 105750, 105758, 105897, 107984, 107986 ); script_xref(name:"IAVA", value:"2019-A-0130"); script_name(english:"Oracle Enterprise Manager Ops Center (Apr 2019 CPU)"); script_summary(english:"Checks for the patch ID."); script_set_attribute(attribute:"synopsis", value: "An enterprise management application installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component: - A deserialization vulnerability in Apache Commons FileUpload allows for remote code execution. (CVE-2016-1000031) - An information disclosure vulnerability exists in OpenSSL due to the potential for a side-channel timing attack. An unauthenticated attacker can exploit this to disclose potentially sensitive information. (CVE-2018-0734) - A denial of service (DoS) vulnerability exists in Apache HTTP Server 2.4.17 to 2.4.34, due to a design error. An unauthenticated, remote attacker can exploit this issue by sending continuous, large SETTINGS frames to cause a client to occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. (CVE-2018-11763). - Networking component of Enterprise Manager Base Platform (Spring Framework) is easily exploited and may allow an unauthenticated, remote attacker to takeover the Enterprise Manager Base Platform. (CVE-2018-1258) "); # https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9166970d"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the April 2019 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1000031"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/16"); script_set_attribute(attribute:"patch_publication_date", value:"2019/04/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/15"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"agent", value:"unix"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:enterprise_manager_ops_center"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_enterprise_manager_ops_center_installed.nbin"); script_require_keys("installed_sw/Oracle Enterprise Manager Ops Center"); exit(0); } include('global_settings.inc'); include('misc_func.inc'); include('install_func.inc'); get_kb_item_or_exit('Host/local_checks_enabled'); app_name = 'Oracle Enterprise Manager Ops Center'; install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE); version = install['version']; version_full = install['Full Patch Version']; path = install['path']; patch_version = install['Patch Version']; patchid = NULL; fix = NULL; if (version_full =~ "^12\.3\.3\.") { patchid = '29623885'; fix = '1819'; } if (isnull(patchid)) audit(AUDIT_HOST_NOT, 'affected'); if (ver_compare(ver:patch_version, fix:fix, strict:FALSE) != -1) audit(AUDIT_INST_PATH_NOT_VULN, app_name, version_full, path); report = '\n Path : ' + path + '\n Version : ' + version + '\n Ops Agent Version : ' + version_full + '\n Current Patch : ' + patch_version + '\n Fixed Patch Version : ' + fix + '\n Fix : ' + patchid; security_report_v4(extra:report, severity:SECURITY_HOLE, port:0);NASL family CISCO NASL id CISCO-SA-20180328-SNMP.NASL description According to its self-reported version, Cisco IOS is affected by a denial of service (DoS) vulnerability in the Simple Network Management Protocol (SNMP) subsystem running on certain models of Cisco Catalyst Switches due to a condition that could occur when the affected software processes an SNMP read request that contains a request for the ciscoFlashMIB object ID (OID). An authenticated, remote attacker can exploit this, by issuing an SNMP GET request for the ciscoFlashMIB OID on an affected device in order to cause the device to restart due to a SYS-3-CPUHOG. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 131324 published 2019-11-27 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131324 title Cisco IOS Software Simple Network Management Protocol GET MIB Object ID DoS (cisco-sa-20180328-snmp) code #TRUSTED 21ffa66b5105a31797389c1dde8aac551a1c02cfd3c305387ab63d3c61fb3615f166599272aae9df900028f53efac2421562516131b775fcceaee5e04ab08b58a12d0c42434d7c80145e0d141f24147e5c67039f26dec089230c15768aad6f9847d5b012ffe85ff56ad0c39e9cc716fd16ad81ded283f58e4402e0b7bf366343b0431cead5f63930549458fd51e9a8a94866036509f2aea5147afa94e6937cbaf0b739737f0102ae319be9cfba8acc624eb7a807ce77fcb27e260a758d891535cf8dd1d6d884710c812e6a2ccb01bc609aa4486fe37ec01b3da718e19b5929714935f72fa564a2c7c156d2e4b962a6f694b3e8130a0751e0b93990cefb2f8ab3b5f62a9b1f0625367222c02fb23ddb7c2b645b96fac89a775bdd06ba8ab3fc55d01b039a64c50e17c58643215282911aeb2375039114d72b0b327e50b81f9b40b7bcce342dfc692552b47e8a719c3edcce81b6bb6b982333556f86dc600c1d896350b673fead043493779590f707801f32a70b869195c2e448e0b232ba1c7918277c4526291e551acf18869c27fb8d1909decbdc5b2c4f5c7612b264578ab22b4afd6038ca826a45dd7c85736b1a53deec300ec0385c97fc07d79ed38e917473f150d9550da19a8e355131b820fe10e1ea5d0359eda22e6e99d248f2d8841e2b29b240dd83594c177f95c46b665eae5bf36001bfab2914ece8165123f0110a61 # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(131324); script_version("1.4"); script_cvs_date("Date: 2019/12/04"); script_cve_id("CVE-2018-0161"); script_bugtraq_id(103573); script_xref(name:"CISCO-BUG-ID", value:"CSCvd89541"); script_xref(name:"CISCO-SA", value:"cisco-sa-20180328-snmp"); script_name(english:"Cisco IOS Software Simple Network Management Protocol GET MIB Object ID DoS (cisco-sa-20180328-snmp)"); script_set_attribute(attribute:"synopsis", value: "The remote device is missing a vendor-supplied security patch."); script_set_attribute(attribute:"description", value: "According to its self-reported version, Cisco IOS is affected by a denial of service (DoS) vulnerability in the Simple Network Management Protocol (SNMP) subsystem running on certain models of Cisco Catalyst Switches due to a condition that could occur when the affected software processes an SNMP read request that contains a request for the ciscoFlashMIB object ID (OID). An authenticated, remote attacker can exploit this, by issuing an SNMP GET request for the ciscoFlashMIB OID on an affected device in order to cause the device to restart due to a SYS-3-CPUHOG. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-snmp script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?61dd3327"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd89541"); script_set_attribute(attribute:"solution", value: "Upgrade to the relevant fixed version referenced in Cisco bug ID(s) CSCvd89541."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0161"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/28"); script_set_attribute(attribute:"patch_publication_date", value:"2018/03/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/27"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("cisco_ios_version.nasl"); script_require_keys("Host/Cisco/IOS/Version", "Host/Cisco/IOS/Model"); exit(0); } include('cisco_workarounds.inc'); include('ccf.inc'); product_info = cisco::get_product_info(name:'Cisco IOS'); if ( product_info.model !~ "(^|[^0-9])2960L" && product_info.model !~ "CDB-8P" && product_info.model !~ "CDB-8U" ) audit(AUDIT_HOST_NOT, "affected"); version_list = make_list( '15.2(5)E', '15.2(5a)E', '15.2(5)E1', '15.2(5b)E', '15.2(5c)E', '15.2(5a)E1', '15.2(5)E2', '15.2(5)E2b', '15.2(5)E2c', '15.2(5)EX', '15.2(5)EA', '15.6(2)SP3b' ); workarounds = make_list(CISCO_WORKAROUNDS['snmp']); workaround_params = make_list(); reporting = make_array( 'port' , 0, 'severity' , SECURITY_WARNING, 'version' , product_info['version'], 'bug_id' , 'CSCvd89541', 'cmds' , make_list('show running-config') ); cisco::check_and_report( product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list, switch_only:TRUE );