Vulnerabilities > CVE-2018-0480 - Race Condition vulnerability in Cisco IOS XE 3.6(5)

047910
CVSS 6.1 - MEDIUM
Attack vector
ADJACENT_NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
high complexity
cisco
CWE-362
nessus

Summary

A vulnerability in the errdisable per VLAN feature of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause the device to crash, leading to a denial of service (DoS) condition. The vulnerability is due to a race condition that occurs when the VLAN and port enter an errdisabled state, resulting in an incorrect state in the software. An attacker could exploit this vulnerability by sending frames that trigger the errdisable condition. A successful exploit could allow the attacker to cause the affected device to crash, leading to a DoS condition.

Vulnerable Configurations

Part Description Count
OS
Cisco
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Nessus

NASL familyCISCO
NASL idCISCO-SA-20180926-ERRDISABLE.NASL
descriptionAccording to its self-reported version, the IOS XE is affected by one or more vulnerabilities. Please see the included Cisco BIDs and the Cisco Security Advisory for more information.
last seen2020-04-30
modified2018-10-05
plugin id117946
published2018-10-05
reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/117946
titleCisco IOS XE Software Errdisable Vulnerabilities (cisco-sa-20180926-errdisable)
code
#TRUSTED 2991b96ed9326210d0cc911537584c987bd4eb82f01440dafb686a10436e7e18fab73244d8710457c9c276dd2bdc51efa788ab5aa2afba751aebb2e43a4bb4605aa92274c4cf62a74784ef92644d34326c3f66d8e4c27b57275636a425076c2587b01c107df1c4f65219b433006cd8c248ead314c0b18682e962b84058127816641a397f26358ecdb9fce1d17a09691086b6ce9739c24dfbedd68f010355b40efe9401712fe9b66d68440144e010e84d3fc3328235f199a8208e1262c36386685b9880c08791d689c497737c080468305311aa034ed3d89e517c93ad704fac4f70d2ea571d4f7e0a69fbe9ced51e9f8c9389247b5097723e5964ec235afc4917677d18e908cd4a6fc337a2b690a5cb1891f7a1a50d8ef408d59832df5b5992fa1bad979f0af581f8ce04082d6e1fceb0c38b4166a4a9ab07911fb815589de25b499fcb3f68e0cf68711853e313b9e012a423ed8739e450ce981675391431a50d1c6fe525cfe4ce37b4aba95ab24ae315b416fb6c0d15742f34bcdc8a68b24d2aa1762b97b7cbd7b029bf6add386f1d9a273cb2400463acb375dfb847c65c4734c6d2fee50b5e12fc91d2e2dc6a603b6cdb17288e12882c611c7a6cbf8d44af8592d85542358f0a4eefd1ca1c4e087225ab9e04152b56d6b4542018f508f745408e0d44a3c212032b29df8176ae8dd5703b733148cf84b426f2f6723e6e64b77f
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(117946);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/27");

  script_cve_id("CVE-2018-0480");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvh13611");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180926-errdisable");

  script_name(english:"Cisco IOS XE Software Errdisable Vulnerabilities (cisco-sa-20180926-errdisable)");
  script_summary(english:"Checks the IOS XE version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the IOS XE is affected
by one or more vulnerabilities. Please see the included Cisco BIDs
and the Cisco Security Advisory for more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-errdisable
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0a8eacb6");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh13611");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s)
CSCvh13611.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0480");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/09/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include("audit.inc");
include("cisco_workarounds.inc");
include("ccf.inc");

product_info = cisco::get_product_info(name:"Cisco IOS XE Software");

version_list = make_list(
  "3.1.1SG",
  "3.1.0SG",
  "3.2.0SG",
  "3.2.1SG",
  "3.2.2SG",
  "3.2.3SG",
  "3.2.4SG",
  "3.2.5SG",
  "3.2.6SG",
  "3.2.7SG",
  "3.2.8SG",
  "3.2.9SG",
  "3.2.10SG",
  "3.2.11SG",
  "3.2.0XO",
  "3.3.0SG",
  "3.3.2SG",
  "3.3.1SG",
  "3.2.0SE",
  "3.2.1SE",
  "3.2.2SE",
  "3.2.3SE",
  "3.3.0SE",
  "3.3.1SE",
  "3.3.2SE",
  "3.3.3SE",
  "3.3.4SE",
  "3.3.5SE",
  "3.3.0XO",
  "3.3.1XO",
  "3.3.2XO",
  "3.4.0SG",
  "3.4.2SG",
  "3.4.1SG",
  "3.4.3SG",
  "3.4.4SG",
  "3.4.5SG",
  "3.4.6SG",
  "3.4.7SG",
  "3.4.8SG",
  "3.5.0E",
  "3.5.1E",
  "3.5.2E",
  "3.5.3E",
  "3.6.0E",
  "3.6.1E",
  "3.6.0aE",
  "3.6.0bE",
  "3.6.2aE",
  "3.6.2E",
  "3.6.3E",
  "3.6.4E",
  "3.6.5E",
  "3.6.6E",
  "3.6.5aE",
  "3.6.5bE",
  "3.6.7E",
  "3.6.7aE",
  "3.6.7bE",
  "3.3.0SQ",
  "3.3.1SQ",
  "3.4.0SQ",
  "3.4.1SQ",
  "3.7.0E",
  "3.7.1E",
  "3.7.2E",
  "3.7.3E",
  "3.7.4E",
  "3.7.5E",
  "3.5.0SQ",
  "3.5.1SQ",
  "3.5.2SQ",
  "3.5.3SQ",
  "3.5.4SQ",
  "3.5.5SQ",
  "3.5.6SQ",
  "3.5.7SQ",
  "3.2.0JA",
  "3.8.0E",
  "3.8.1E",
  "3.8.2E",
  "3.8.3E",
  "3.8.4E",
  "3.8.5E",
  "3.8.5aE",
  "3.9.0E",
  "3.9.1E",
  "3.9.2E",
  "3.9.2bE",
  "3.10.0E",
  "3.10.0cE"
);

workarounds = make_list(CISCO_WORKAROUNDS['errdisable_bpduguard'], CISCO_WORKAROUNDS['errdisable_psecure'], CISCO_WORKAROUNDS['errdisable_security']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , "CSCvh13611",
  'cmds'     , make_list("show running-config", "show port-security")
);

cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list, switch_only:TRUE);