Vulnerabilities > CVE-2018-0180 - Unspecified vulnerability in Cisco IOS

047910
CVSS 7.1 - HIGH
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
cisco
nessus
NVD
Published: 2018-03-28
Updated: 2019-10-09

Summary

Multiple vulnerabilities in the Login Enhancements (Login Block) feature of Cisco IOS Software could allow an unauthenticated, remote attacker to trigger a reload of an affected system, resulting in a denial of service (DoS) condition. These vulnerabilities affect Cisco devices that are running Cisco IOS Software Release 15.4(2)T, 15.4(3)M, or 15.4(2)CG and later. Cisco Bug IDs: CSCuy32360, CSCuz60599.

Vulnerable Configurations

Part Description Count
OS
Cisco
120
Hardware
Cisco
12

Nessus

NASL familyCISCO
NASL idCISCO-SA-20180328-SLOGIN.NASL
descriptionAccording to its self-reported version, Cisco IOS Software is affected by two denial of service (DoS) vulnerabilities the Login Enhancements (Login Block) feature due to an attempt to free an area of memory that has not been previously allocated. An unauthenticated, remote attacker can trigger a reload of an affected device, resulting in a DoS condition as follows: - By attempting to log in to an affected device via Secure Shell (SSH) or Telnet with invalid credentials multiple times. (CVE-2018-0179) - By attempting to log in to an affected device via Secure Shell (SSH) or Telnet with invalid credentials multiple times while the administrator modifies the
last seen2020-06-01
modified2020-06-02
plugin id131951
published2019-12-11
reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/131951
titleNessus script CISCO-SA-20180328-SLOGIN.NASL
code
#TRUSTED 9f9bdc77c6b09488188de3db5e23ca9937dbf0ddb8e093c1e11d4602c445cb6c496f18844058677213a60f51894f779ea741d5802b60eaf746ba72075c299db18d90b14d0a0f147432e3471259cb05b304c2453dfd4bd78f0462103e7282a755b960fea5637e39156888d19f79d3d120aee28bbe56560b94fdcc8669c1c5d649f29554d7e8fc0049c6bbed11c4db45b434e8ab516984afd555d59eaa71191f72dcae397c72e872774a6d2ebc22c6f88c452acfe64ac4cd57fca62b9a0586c81410e4ba84a4902572daf18d9842003702e9b76083e575e3c2a52681cc79e2f6d4cbb88a53ec8e2f365d0775d5bfed895e7ea2a8117727d820e9f1f86c2f3aad06bdcf190a864c79db10449317d86662fefc21a3d9db2808fff07a7d0c7758ec2f38107f6fcf3df55c3dc67f6a1f705de13f045322c323bc1cc547329f3c5cfe3b4be713991035ad6e815076f7b0dd58e20f4b163b4163915aed3824f17a1dfef950b0a6032db9b0d518e61bf84091a157cd9e09c00019510842aae31c4b742d645485a8cb53dd7d0ffe74c880ddbfe07167b511878ec67ca499fa90f2702770c8fac7b15b8a83709d74fd8df34ff2e7913d4125c6f31e089069d10d509424012423ad89b9f1ab711a7da8762cabdd67522d731e90b5b91d3bdaa796c5862427fc45b04a905b3c93a80f8a72f1a8c4ed1368eb48cd401c70064aad1a7b53a3e7e0
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(131951);
  script_version("1.4");
  script_cvs_date("Date: 2019/12/16");

  script_cve_id("CVE-2018-0179", "CVE-2018-0180");
  script_bugtraq_id(103556);
  script_xref(name:"CISCO-BUG-ID", value:"CSCuy32360");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuz60599");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180328-slogin");

  script_name(english:"Cisco IOS Software Login Enhancements Login Block Multiple DoS Vulnerabilities
(cisco-sa-20180328-slogin)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS Software is affected by two denial of service (DoS) vulnerabilities
the Login Enhancements (Login Block) feature due to an attempt to free an area of memory that has not been previously
allocated. An unauthenticated, remote attacker can trigger a reload of an affected device, resulting in a DoS condition
as follows:

  - By attempting to log in to an affected device via Secure Shell (SSH) or Telnet with invalid credentials
    multiple times. (CVE-2018-0179)

  - By attempting to log in to an affected device via Secure Shell (SSH) or Telnet with invalid credentials
    multiple times while the administrator modifies the 'login block-for' configuration. (CVE-2018-0180)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-slogin
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9aa14dc5");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy32360");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz60599");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s) CSCuy32360 and CSCuz60599.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0180");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/11");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version", "Settings/ParanoidReport");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');
include('audit.inc');

if (report_paranoia < 2) audit(AUDIT_PARANOID);

product_info = cisco::get_product_info(name:'Cisco IOS');
version = product_info['version'];

if (version !~ '(^|[^0-9])15.5' || 'm' >!< tolower(version))
  audit(AUDIT_HOST_NOT, 'affected');

# Only need to check for login block-for, as the other BID covers fewer versions (<15.5(3)M3) and is a config check on
# login block-for and something else (login quiet-mode access-class)
vuln_ranges = [{'min_ver' : '15.5',  'fix_ver' : '15.5(3)M6'}]; # CSCuz60599, login block-for 

workarounds = make_list(CISCO_WORKAROUNDS['ios_login_block-for']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCuy32360, CSCuz60599',
  'cmds'     , make_list('show login')
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  reporting:reporting,
  vuln_ranges:vuln_ranges,
  workaround_params:workaround_params
);

References