Vulnerabilities > CVE-2018-0409 - Out-of-bounds Read vulnerability in Cisco products

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
cisco
CWE-125
nessus
NVD
Published: 2018-08-15
Updated: 2020-08-31

Summary

A vulnerability in the XCP Router service of the Cisco Unified Communications Manager IM & Presence Service (CUCM IM&P) and the Cisco TelePresence Video Communication Server (VCS) and Expressway could allow an unauthenticated, remote attacker to cause a temporary service outage for all IM&P users, resulting in a denial of service (DoS) condition. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending a malicious IPv4 or IPv6 packet to an affected device on TCP port 7400. An exploit could allow the attacker to overread a buffer, resulting in a crash and restart of the XCP Router service. Cisco Bug IDs: CSCvg97663, CSCvi55947.

Vulnerable Configurations

Part Description Count
Application
Cisco
13

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Nessus

  • NASL familyCISCO
    NASL idCISCO-SA-20180815-UCMIMPS-DOS-TPVCS.NASL
    descriptionAccording to its self-reported version, the Cisco TelePresence Video Communication Server (VCS) / Expressway running on the remote host is prior to 8.11.
    last seen2020-06-01
    modified2020-06-02
    plugin id112218
    published2018-08-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112218
    titleCisco TelePresence VCS / Expressway < 8.11 DoS
    code
    #TRUSTED 75718fe9143ab149fa36d333d42a127d3f9d371eba3aec4f6318444c8fd82b85f11f34ac35b00f2e7dc0714a8cd3072f2b673bc2b27213a49cccdb4a67a6e9ce47067777ef4403494026c9746db23bf2ecf08ec4ebd9dd35aa1a9ddb248a810049d2e5ff29d0a5e9db2b631a1484a734870da7a8b132a18c0bb70a4c6651b5d3333ef908bf72166a4b6d18fa85d53df1621ecf55a9968659a8a61fcb28454688c35c01f0e3ead8eb5bbec586b6c8f15951d5580b3b14512e7cbb8f26080e7f21d92634d9dea555bd4180e6cd5be4fad14b4fb4ffe5904cf1c227fae37d05739424e81fa6a6b3d6799381ee2d6c3411a9ee14f6f55414faa9f10e4b690af78109929f6185274f3ab1e0e785fcc37fe325825ccefa6c53fa0ad9b6a5eec2fbb2ff36e67633c10ad52e9b4fae8200b623e91f652d0710d931f002a2a3b8aa31f1cba947d3bb119362ed01cbdc7ea8b8cde7cdc41f85d48fa4977d919dcda2311b662f0a3c49c1547d9be6ebde1fa724e65a8e09d145b1e0684dc8e21fe1ad4cde2e954b4136b3d83ac1871919dc8ebe2cc33acf605caade4aa01b511cbca2ea0f9796b6e013efa0bab870a71ffd345405934a7076ff9b067be52272f36deb2262567c482153a3a12718568eedd3e220da850d026a22e21131277e74cfa4c19739f55501c9e664396041ba7b8973ac9152740ea93e979cb3152ad3c341d0323c0bb6
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(112218);
  script_version("1.7");
  script_cvs_date("Date: 2019/12/20");

  script_cve_id("CVE-2018-0409");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvi55947");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180815-ucmimps-dos");

  script_name(english:"Cisco TelePresence VCS / Expressway < 8.11 DoS");
  script_summary(english:"Checks the software version.");

  script_set_attribute(attribute:"synopsis", value:
"A video conferencing application running on the remote host is
affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco TelePresence Video
Communication Server (VCS) / Expressway running on the remote host is
prior to 8.11.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180815-ucmimps-dos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fb165fe3");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi55947");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Cisco TelePresence VCS / Expressway version 8.11 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0409");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");


  script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/08/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/31");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:telepresence_video_communication_server");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:telepresence_video_communication_server_software");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:expressway_software");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_telepresence_video_communication_server_detect.nbin");
  script_require_keys("Cisco/TelePresence_VCS/Version");

  exit(0);
}

include("audit.inc");
include("cisco_workarounds.inc");
include("ccf.inc");

product_info = cisco::get_product_info(name:"Cisco TelePresence VCS");

vuln_ranges = [{ 'min_ver' : '0', 'fix_ver' : '8.11' }];

workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , "CSCvi55947");

cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_ranges:vuln_ranges);
  • NASL familyCISCO
    NASL idCISCO-SA-20180815-UCMIMPS-DOS-CUPS.NASL
    descriptionAccording to its self-reported version, the Cisco Unified Communications Manager is affected by a Denial-of-Service vulnerability. Please see the included Cisco BIDs and the Cisco Security Advisory for more information.
    last seen2020-06-01
    modified2020-06-02
    plugin id112217
    published2018-08-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112217
    titleCisco Unified Communications Manager Denial-of-Service Vulnerability (DoS)
    code
    #TRUSTED 1b096101cb7f0851cf382e59c4a51247e36cab1e26586bb99f8806822380bab30f8f9d12b2c8ef42fdce05a85ed756bf72907b7073a818ef6caae6b4feb1bc46e76506ab4a86cdb3522b1c7eba5a6c484630ced61c9f4e5633d4283666e2c8a48941a7477e2a798734bb0b8aea796ea3c00d054c2e73c8d3a9e8ba3ab0cbfae75f52304f69468daf66a1bb29d3e58d8ed1515b3b5e9575327b352b7722e59ff03049cff657ebebad63fb92fa05d6abd3afb31e5038541ba8487b943a1bfc9a0f9ba796b1e27e7008d03528816e1e104e92499c99b058ac2dec161139c139223db1c697b802addab49a67290f928ad76c710013c40f7db64410bc5ea78df5832f87c1dde46083d9590736d1c0838771126a0c4ddbb310967b3f10f304a65ae0c07342cbf3b84897f72f8ed2b9e73b484d31c04b324151cf8f715ac547ec1e9aa27dbc28edbb0fc915042743dd38af1e7e6db04ed40412656110bd87b7a995957ab586b23f9b6eb2e7972067e5ec9665b3e55f04532ecba01d94b4f47abca71709ef43b42414bb8ca381d5a5990d641e3a3a03524ec7478a66c9e0ef60d841a65fdbc06a4f47654fc522d84bd7c9598314b997ca5e39faa089a8f499a526e2ebcd645cc95e467c92d4b9f481a230e415adb0183d0533b9668261e460e29d7d7c4ca3a58c0c6d0844062689c767f56de9cdaf609c0c22e2a09fcb1e9d54d59b14de
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(112217);
  script_version("1.7");
  script_cvs_date("Date: 2019/12/20");

  script_cve_id("CVE-2018-0409");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvg97663");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180815-ucmimps-dos");

  script_name(english:"Cisco Unified Communications Manager Denial-of-Service Vulnerability (DoS)");
  script_summary(english:"Checks the Cisco Unified Communications Manager version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco Unified Communications Manager is affected
by a Denial-of-Service vulnerability. Please see the included Cisco BIDs
and the Cisco Security Advisory for more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180815-ucmimps-dos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fb165fe3");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg97663");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCvg97663.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0409");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");


  script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/08/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/31");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:unified_communications_manager");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/UCOS/Cisco Unified Presence/version");

  exit(0);
}

include("audit.inc");
include("cisco_workarounds.inc");
include("ccf.inc");

product_info = cisco::get_product_info(name:"Cisco Unified Presence");

version_list = make_list('10.5.2');

vuln_ranges = [{ 'min_ver' : '0', 'fix_ver' : '10.5.2' },
               { 'min_ver' : '11.0.1', 'fix_ver' : '11.5.1.14900.32' },
               { 'min_ver' : '12.0.1', 'fix_ver' : '12.0.1.12000.3' }];

workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , "CSCvg97663");

cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list, vuln_ranges:vuln_ranges);

References