CVE-2018-0409 - Out-of-bounds Read vulnerability in Cisco products
Summary
A vulnerability in the XCP Router service of the Cisco Unified Communications Manager IM & Presence Service (CUCM IM&P) and the Cisco TelePresence Video Communication Server (VCS) and Expressway could allow an unauthenticated, remote attacker to cause a temporary service outage for all IM&P users, resulting in a denial of service (DoS) condition. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending a malicious IPv4 or IPv6 packet to an affected device on TCP port 7400. An exploit could allow the attacker to overread a buffer, resulting in a crash and restart of the XCP Router service. Cisco Bug IDs: CSCvg97663, CSCvi55947.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overread Buffers: An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
Nessus
- NASL family: CISCO
- NASL id: CISCO-SA-20180815-UCMIMPS-DOS-TPVCS.NASL
- description: According to its self-reported version, the Cisco TelePresence Video Communication Server (VCS) / Expressway running on the remote host is prior to 8.11.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 112218
- published: 2018-08-31
- reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/112218
- title: Cisco TelePresence VCS / Expressway < 8.11 DoS
- code:

    #
    # (C) Tenable Network Security, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(112218);
      script_version("1.7");
      script_cvs_date("Date: 2019/12/20");

      script_cve_id("CVE-2018-0409");
      script_xref(name:"CISCO-BUG-ID", value:"CSCvi55947");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20180815-ucmimps-dos");

      script_name(english:"Cisco TelePresence VCS / Expressway < 8.11 DoS");
      script_summary(english:"Checks the software version.");

      script_set_attribute(attribute:"synopsis", value:
    "A video conferencing application running on the remote host is affected by a denial of service vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the Cisco TelePresence Video Communication Server (VCS) / Expressway running on the remote host is prior to 8.11.");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180815-ucmimps-dos
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fb165fe3");
      script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi55947");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Cisco TelePresence VCS / Expressway version 8.11 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0409");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

      script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/08/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/31");

      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:telepresence_video_communication_server");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:telepresence_video_communication_server_software");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:expressway_software");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"CISCO");

      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

      script_dependencies("cisco_telepresence_video_communication_server_detect.nbin");
      script_require_keys("Cisco/TelePresence_VCS/Version");

      exit(0);
    }

    include("audit.inc");
    include("cisco_workarounds.inc");
    include("ccf.inc");

    product_info = cisco::get_product_info(name:"Cisco TelePresence VCS");

    vuln_ranges = [{ 'min_ver' : '0', 'fix_ver' : '8.11' }];

    workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
    workaround_params = make_list();

    reporting = make_array(
      'port'     , 0,
      'severity' , SECURITY_WARNING,
      'version'  , product_info['version'],
      'bug_id'   , "CSCvi55947");

    cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_ranges:vuln_ranges);
- NASL family: CISCO
- NASL id: CISCO-SA-20180815-UCMIMPS-DOS-CUPS.NASL
- description: According to its self-reported version, the Cisco Unified Communications Manager is affected by a Denial-of-Service vulnerability. Please see the included Cisco BIDs and the Cisco Security Advisory for more information.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 112217
- published: 2018-08-31
- reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/112217
- title: Cisco Unified Communications Manager Denial-of-Service Vulnerability (DoS)
- code:

    #
    # (C) Tenable Network Security, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(112217);
      script_version("1.7");
      script_cvs_date("Date: 2019/12/20");

      script_cve_id("CVE-2018-0409");
      script_xref(name:"CISCO-BUG-ID", value:"CSCvg97663");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20180815-ucmimps-dos");

      script_name(english:"Cisco Unified Communications Manager Denial-of-Service Vulnerability (DoS)");
      script_summary(english:"Checks the Cisco Unified Communications Manager version.");

      script_set_attribute(attribute:"synopsis", value:
    "The remote device is missing a vendor-supplied security patch.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the Cisco Unified Communications Manager is affected by a Denial-of-Service vulnerability.
    Please see the included Cisco BIDs and the Cisco Security Advisory for more information.");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180815-ucmimps-dos
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fb165fe3");
      script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg97663");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvg97663.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0409");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

      script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/08/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/31");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:unified_communications_manager");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"CISCO");

      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/UCOS/Cisco Unified Presence/version");

      exit(0);
    }

    include("audit.inc");
    include("cisco_workarounds.inc");
    include("ccf.inc");

    product_info = cisco::get_product_info(name:"Cisco Unified Presence");

    version_list = make_list('10.5.2');

    vuln_ranges = [{ 'min_ver' : '0', 'fix_ver' : '10.5.2' },
                   { 'min_ver' : '11.0.1', 'fix_ver' : '11.5.1.14900.32' },
                   { 'min_ver' : '12.0.1', 'fix_ver' : '12.0.1.12000.3' }];

    workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
    workaround_params = make_list();

    reporting = make_array(
      'port'     , 0,
      'severity' , SECURITY_WARNING,
      'version'  , product_info['version'],
      'bug_id'   , "CSCvg97663");

    cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list, vuln_ranges:vuln_ranges);
References
- http://www.securityfocus.com/bid/105102
- http://www.securityfocus.com/bid/105104
- http://www.securitytracker.com/id/1041533
- http://www.securitytracker.com/id/1041534
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180815-ucmimps-dos