Vulnerabilities > CVE-2018-0161 - Unspecified vulnerability in Cisco IOS 15.2(5)E

047910
CVSS 6.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
SINGLE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
cisco
nessus
NVD
Published: 2018-03-28
Updated: 2019-10-03

Summary

A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software running on certain models of Cisco Catalyst Switches could allow an authenticated, remote attacker to cause a denial of service (DoS) condition, aka a GET MIB Object ID Denial of Service Vulnerability. The vulnerability is due to a condition that could occur when the affected software processes an SNMP read request that contains a request for the ciscoFlashMIB object ID (OID). An attacker could trigger this vulnerability by issuing an SNMP GET request for the ciscoFlashMIB OID on an affected device. A successful exploit could cause the affected device to restart due to a SYS-3-CPUHOG. This vulnerability affects the following Cisco devices if they are running a vulnerable release of Cisco IOS Software and are configured to use SNMP Version 2 (SNMPv2) or SNMP Version 3 (SNMPv3): Cisco Catalyst 2960-L Series Switches, Cisco Catalyst Digital Building Series Switches 8P, Cisco Catalyst Digital Building Series Switches 8U. Cisco Bug IDs: CSCvd89541.

Vulnerable Configurations

Part Description Count
OS
Cisco
1
Hardware
Cisco
14

Nessus

  • NASL familyMisc.
    NASL idORACLE_ENTERPRISE_MANAGER_OPS_CENTER_APR_2019_CPU.NASL
    descriptionThe version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component: - A deserialization vulnerability in Apache Commons FileUpload allows for remote code execution. (CVE-2016-1000031) - An information disclosure vulnerability exists in OpenSSL due to the potential for a side-channel timing attack. An unauthenticated attacker can exploit this to disclose potentially sensitive information. (CVE-2018-0734) - A denial of service (DoS) vulnerability exists in Apache HTTP Server 2.4.17 to 2.4.34, due to a design error. An unauthenticated, remote attacker can exploit this issue by sending continuous, large SETTINGS frames to cause a client to occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. (CVE-2018-11763). - Networking component of Enterprise Manager Base Platform (Spring Framework) is easily exploited and may allow an unauthenticated, remote attacker to takeover the Enterprise Manager Base Platform. (CVE-2018-1258)
    last seen2020-06-01
    modified2020-06-02
    plugin id125147
    published2019-05-15
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125147
    titleOracle Enterprise Manager Ops Center (Apr 2019 CPU)
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(125147);
  script_version("1.2");
  script_cvs_date("Date: 2019/05/17  9:44:17");

  script_cve_id(
    "CVE-2016-1000031",
    "CVE-2018-0161",
    "CVE-2018-0734",
    "CVE-2018-0735",
    "CVE-2018-5407",
    "CVE-2018-11763",
    "CVE-2017-9798",
    "CVE-2018-1258",
    "CVE-2018-11039",
    "CVE-2018-11040",
    "CVE-2018-1257",
    "CVE-2018-15756"
  );

  script_bugtraq_id(
    93604,
    100872,
    103573,
    104222,
    104260,
    105414,
    105703,
    105750,
    105758,
    105897,
    107984,
    107986
  );
  script_xref(name:"IAVA", value:"2019-A-0130");

  script_name(english:"Oracle Enterprise Manager Ops Center (Apr 2019 CPU)");
  script_summary(english:"Checks for the patch ID.");
  script_set_attribute(attribute:"synopsis", value:
"An enterprise management application installed on the remote host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle Enterprise Manager Cloud Control installed on
the remote host is affected by multiple vulnerabilities in
Enterprise Manager Base Platform component:

  - A deserialization vulnerability in Apache Commons
    FileUpload allows for remote code execution.
    (CVE-2016-1000031)

  - An information disclosure vulnerability exists in OpenSSL
    due to the potential for a side-channel timing attack.
    An unauthenticated attacker can exploit this to disclose
    potentially sensitive information. (CVE-2018-0734)

  - A denial of service (DoS) vulnerability exists in Apache
    HTTP Server 2.4.17 to 2.4.34, due to a design error. An
    unauthenticated, remote attacker can exploit this issue
    by sending continuous, large SETTINGS frames to cause a
    client to occupy a connection, server thread and CPU
    time without any connection timeout coming to effect.
    This affects only HTTP/2 connections. A possible
    mitigation is to not enable the h2 protocol.
    (CVE-2018-11763).

  - Networking component of Enterprise Manager Base Platform
    (Spring Framework) is easily exploited and may allow an
    unauthenticated, remote attacker to takeover the
    Enterprise Manager Base Platform. (CVE-2018-1258)

");
  # https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9166970d");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the April 2019
Oracle Critical Patch Update advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1000031");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/04/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:enterprise_manager_ops_center");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_enterprise_manager_ops_center_installed.nbin");
  script_require_keys("installed_sw/Oracle Enterprise Manager Ops Center");

  exit(0);
}

include('global_settings.inc');
include('misc_func.inc');
include('install_func.inc');

get_kb_item_or_exit('Host/local_checks_enabled');
app_name = 'Oracle Enterprise Manager Ops Center';

install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
version = install['version'];
version_full = install['Full Patch Version'];
path = install['path'];
patch_version = install['Patch Version'];


patchid = NULL;
fix = NULL;

if (version_full =~ "^12\.3\.3\.")
{
  patchid = '29623885';
  fix = '1819';
} 

if (isnull(patchid))
  audit(AUDIT_HOST_NOT, 'affected');

if (ver_compare(ver:patch_version, fix:fix, strict:FALSE) != -1)
  audit(AUDIT_INST_PATH_NOT_VULN, app_name, version_full, path);

report = 
  '\n Path                : ' + path + 
  '\n Version             : ' + version + 
  '\n Ops Agent Version   : ' + version_full + 
  '\n Current Patch       : ' + patch_version + 
  '\n Fixed Patch Version : ' + fix +
  '\n Fix                 : ' + patchid;

security_report_v4(extra:report, severity:SECURITY_HOLE, port:0);
  • NASL familyCISCO
    NASL idCISCO-SA-20180328-SNMP.NASL
    descriptionAccording to its self-reported version, Cisco IOS is affected by a denial of service (DoS) vulnerability in the Simple Network Management Protocol (SNMP) subsystem running on certain models of Cisco Catalyst Switches due to a condition that could occur when the affected software processes an SNMP read request that contains a request for the ciscoFlashMIB object ID (OID). An authenticated, remote attacker can exploit this, by issuing an SNMP GET request for the ciscoFlashMIB OID on an affected device in order to cause the device to restart due to a SYS-3-CPUHOG. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id131324
    published2019-11-27
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131324
    titleCisco IOS Software Simple Network Management Protocol GET MIB Object ID DoS (cisco-sa-20180328-snmp)
    code
    #TRUSTED 21ffa66b5105a31797389c1dde8aac551a1c02cfd3c305387ab63d3c61fb3615f166599272aae9df900028f53efac2421562516131b775fcceaee5e04ab08b58a12d0c42434d7c80145e0d141f24147e5c67039f26dec089230c15768aad6f9847d5b012ffe85ff56ad0c39e9cc716fd16ad81ded283f58e4402e0b7bf366343b0431cead5f63930549458fd51e9a8a94866036509f2aea5147afa94e6937cbaf0b739737f0102ae319be9cfba8acc624eb7a807ce77fcb27e260a758d891535cf8dd1d6d884710c812e6a2ccb01bc609aa4486fe37ec01b3da718e19b5929714935f72fa564a2c7c156d2e4b962a6f694b3e8130a0751e0b93990cefb2f8ab3b5f62a9b1f0625367222c02fb23ddb7c2b645b96fac89a775bdd06ba8ab3fc55d01b039a64c50e17c58643215282911aeb2375039114d72b0b327e50b81f9b40b7bcce342dfc692552b47e8a719c3edcce81b6bb6b982333556f86dc600c1d896350b673fead043493779590f707801f32a70b869195c2e448e0b232ba1c7918277c4526291e551acf18869c27fb8d1909decbdc5b2c4f5c7612b264578ab22b4afd6038ca826a45dd7c85736b1a53deec300ec0385c97fc07d79ed38e917473f150d9550da19a8e355131b820fe10e1ea5d0359eda22e6e99d248f2d8841e2b29b240dd83594c177f95c46b665eae5bf36001bfab2914ece8165123f0110a61
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(131324);
  script_version("1.4");
  script_cvs_date("Date: 2019/12/04");

  script_cve_id("CVE-2018-0161");
  script_bugtraq_id(103573);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvd89541");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180328-snmp");

  script_name(english:"Cisco IOS Software Simple Network Management Protocol GET MIB Object ID DoS (cisco-sa-20180328-snmp)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS is affected by a denial of service (DoS) vulnerability in the Simple
Network Management Protocol (SNMP) subsystem running on certain models of Cisco Catalyst Switches due to a condition
that could occur when the affected software processes an SNMP read request that contains a request for the ciscoFlashMIB
object ID (OID). An authenticated, remote attacker can exploit this, by issuing an SNMP GET request for the
ciscoFlashMIB OID on an affected device in order to cause the device to restart due to a SYS-3-CPUHOG.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-snmp
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?61dd3327");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd89541");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s) CSCvd89541.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0161");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version", "Host/Cisco/IOS/Model");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco IOS');

if (
    product_info.model !~ "(^|[^0-9])2960L" &&
    product_info.model !~ "CDB-8P" &&
    product_info.model !~ "CDB-8U"
   )
  audit(AUDIT_HOST_NOT, "affected");

version_list = make_list(
  '15.2(5)E',
  '15.2(5a)E',
  '15.2(5)E1',
  '15.2(5b)E',
  '15.2(5c)E',
  '15.2(5a)E1',
  '15.2(5)E2',
  '15.2(5)E2b',
  '15.2(5)E2c',
  '15.2(5)EX',
  '15.2(5)EA',
  '15.6(2)SP3b'
);

workarounds = make_list(CISCO_WORKAROUNDS['snmp']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvd89541',
  'cmds'     , make_list('show running-config')
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_versions:version_list,
  switch_only:TRUE
);

References