CVE-2018-15372 - Unspecified vulnerability in Cisco IOS XE 16.8.1/16.9.1

CVSS 4.8 - MEDIUM
Attack vector: ADJACENT_NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: NONE
Tags: low complexity, cisco, nessus

Summary

A vulnerability in the MACsec Key Agreement (MKA) using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) functionality of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to bypass authentication and pass traffic through a Layer 3 interface of an affected device. The vulnerability is due to a logic error in the affected software. An attacker could exploit this vulnerability by connecting to and passing traffic through a Layer 3 interface of an affected device, if the interface is configured for MACsec MKA using EAP-TLS and is running in access-session closed mode. A successful exploit could allow the attacker to bypass 802.1x network access controls and gain access to the network.

Vulnerable Configurations

Part | Description | Count
OS | Cisco | 2

Nessus

NASL family: CISCO
NASL id: CISCO-SA-20180926-MACSEC.NASL
description: According to its self-reported version, Cisco IOS XE Software is affected by an authentication bypass vulnerability in the MACsec Key Agreement (MKA) using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) functionality due to a logic error. An unauthenticated, adjacent attacker can exploit this, by connecting to and passing traffic through a Layer 3 interface of an affected device, if the interface is configured for MACsec MKA using EAP-TLS and is running in
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 132104
published: 2019-12-18
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/132104
title: Cisco IOS XE Software MACsec MKA Using EAP-TLS Authentication Bypass (cisco-sa-20180926-macsec)
code:
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(132104);
  script_version("1.4");
  script_cvs_date("Date: 2020/01/16");

  script_cve_id("CVE-2018-15372");
  script_bugtraq_id(105416);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvh09411");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180926-macsec");

  script_name(english:"Cisco IOS XE Software MACsec MKA Using EAP-TLS Authentication Bypass (cisco-sa-20180926-macsec)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected by an authentication bypass vulnerability
in the MACsec Key Agreement (MKA) using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
functionality due to a logic error. An unauthenticated, adjacent attacker can exploit this, by connecting to and
passing traffic through a Layer 3 interface of an affected device, if the interface is configured for MACsec MKA using
EAP-TLS and is running in 'access-session closed' mode. A successful exploit allows the attacker to bypass 802.1x
network access controls and gain access to the network.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-macsec
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?52021652");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh09411");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s) CSCvh09411.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-15372");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/09/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0); 
}

include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco IOS XE Software');

version_list = make_list(
  '16.1.1',
  '16.1.2',
  '16.1.3',
  '16.2.1',
  '16.2.2',
  '16.3.1',
  '16.3.2',
  '16.3.3',
  '16.3.1a',
  '16.3.4',
  '16.3.5',
  '16.3.5b',
  '16.3.6',
  '16.4.1',
  '16.4.2',
  '16.4.3',
  '16.5.1',
  '16.5.1a',
  '16.5.1b',
  '16.5.2',
  '16.5.3',
  '3.18.3bSP',
  '16.6.1',
  '16.6.2',
  '16.6.3',
  '16.7.1',
  '16.7.1a',
  '16.7.1b',
  '16.7.2',
  '16.7.3',
  '16.8.1',
  '16.8.1a',
  '16.8.1b',
  '16.8.1c'
);

workarounds = make_list(CISCO_WORKAROUNDS['macsec_eap-tls']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvh09411',
  'cmds'     , make_list('show running-config')
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_versions:version_list
);