Vulnerabilities > CVE-2018-15377 - Memory Leak vulnerability in Cisco IOS 15.7(3.1S)M/Denali16.3.6/Everest16.5.1

047910
CVSS 7.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
low complexity
cisco
CWE-401
nessus
NVD
Published: 2018-10-05
Updated: 2020-08-31

Summary

A vulnerability in the Cisco Network Plug and Play agent, also referred to as the Cisco Open Plug-n-Play agent, of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak on an affected device. The vulnerability is due to insufficient input validation by the affected software. An attacker could exploit this vulnerability by sending invalid data to the Cisco Network Plug and Play agent on an affected device. A successful exploit could allow the attacker to cause a memory leak on the affected device, which could cause the device to reload.

Vulnerable Configurations

Part Description Count
OS
Cisco
3

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyCISCO
    NASL idCISCO-SA-20180926-PNP-MEMLEAK-IOS.NASL
    descriptionAccording to its self-reported version, Cisco IOS is affected by a memory leak vulnerability in the Cisco Network Plug and Play agent due to insufficient input validation. An unauthenticated, remote attacker can exploit this, by sending invalid data to the Cisco Network Plug and Play agent on an affected device, to cause a memory leak on an affected device, causing it to reload. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id132048
    published2019-12-13
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132048
    titleCisco IOS Software Software Plug and Play Agent Memory Leak(cisco-sa-20180926-pnp-memleak)
    code
    #TRUSTED a82ef7355e1f2acdc5c71e1b78cee2aaae90aa3d91e5047d222cf65bb8a2d1cb0f96bce0686c8239b16b8ab79237fea3e026a8054085a241b3d5507533907ada16fa49eb2073add61ab41795043edafe95e1bc5e1242265bdb9c9decfa15940cbaa4179da5399516a36a5b215c8a2c97f0fd6dd57ca69828ec1995925493320a81da1172a8882aff1bf9c6bcf3279eced5f108b8fcafa0d00414541e6576446f9dc70ce991b00f3999b91f991a90b9d8474284a7e1869de4bd08a4ecc00a2f51bcac0b66d9ecd3927b4800b1b74d6ad4f94296579d8b468cd048570ab21f6666616d84514999fc2a9a5cc0cce6583031fb23a98c0f1fa9326b0d2f748bbfa4d78534ae0cc5c893f8f976e0b0a557577b421cd4d97e56a9895cb9114189814a2c6bef76e67475f6c67bf7f91016b38c6c13234dbb45a80cdff8a14d303eb48d4f403c8c788b7da2a7d6ba39e8b5da93dda514ef832a94612f98850a02c914d7005f5834afb1522a400a8cde51b3007e8635275f6a97390b45b48c126cc6fbd8edb87db31090ec7eb545771f48907178c1148ce1b233b45a799de0f12437d6107e1534613ad21eaeb5a1642c868a4a037cf614c6d5ea4e6a9df337a371ac33d318f400f428f32062978e2ce3c471f714809d54c4f217d0773d7e861714d460e7f81801bf0f0996dfec599488a1c98b4fe56da4ce4714fc67ac82c68ac6bb3d8915
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(132048);
  script_version("1.4");
  script_cvs_date("Date: 2019/12/16");

  script_cve_id("CVE-2018-15377");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvi30136");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180926-pnp-memleak");

  script_name(english:"Cisco IOS Software Software Plug and Play Agent Memory Leak(cisco-sa-20180926-pnp-memleak)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS is affected by a memory leak vulnerability in the Cisco Network Plug
and Play agent due to insufficient input validation. An unauthenticated, remote attacker can exploit this, by sending
invalid data to the Cisco Network Plug and Play agent on an affected device, to cause a memory leak on an affected
device, causing it to reload.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-pnp-memleak
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f91b535a");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi30136");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s) CSCvi30136.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-15377");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/09/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco IOS');

version_list = make_list(
  '15.2(4)E',
  '15.2(4)E1',
  '15.2(4)E2',
  '15.2(4m)E1',
  '15.2(5)E',
  '15.2(4)E3',
  '15.2(5a)E',
  '15.2(5)E1',
  '15.2(5b)E',
  '15.2(4m)E3',
  '15.2(5c)E',
  '15.2(4n)E2',
  '15.2(4o)E2',
  '15.2(5a)E1',
  '15.2(4)E4',
  '15.2(5)E2',
  '15.2(4p)E1',
  '15.2(6)E',
  '15.2(5)E2b',
  '15.2(4)E5',
  '15.2(5)E2c',
  '15.2(4m)E2',
  '15.2(4o)E3',
  '15.2(4q)E1',
  '15.2(6)E0a',
  '15.2(6)E1',
  '15.2(4)E5a',
  '15.2(6)E0c',
  '15.2(4)E6',
  '15.2(6)E1a',
  '15.2(6)E1s',
  '15.2(4s)E1',
  '15.2(4s)E2',
  '15.2(5)EX',
  '15.5(3)S',
  '15.5(3)S1',
  '15.5(3)S1a',
  '15.5(3)S2',
  '15.5(3)S0a',
  '15.5(3)S3',
  '15.5(3)S4',
  '15.5(3)S5',
  '15.5(3)S6',
  '15.5(3)S6a',
  '15.5(3)S7',
  '15.5(3)S6b',
  '15.2(4)EA',
  '15.2(4)EA1',
  '15.2(4)EA3',
  '15.2(5)EA',
  '15.2(4)EA4',
  '15.2(4)EA2',
  '15.2(4)EA5',
  '15.2(4)EA6',
  '15.5(3)M',
  '15.5(3)M1',
  '15.5(3)M0a',
  '15.5(3)M2',
  '15.5(3)M2a',
  '15.5(3)M3',
  '15.5(3)M4',
  '15.5(3)M4a',
  '15.5(3)M5',
  '15.5(3)M4b',
  '15.5(3)M4c',
  '15.5(3)M6',
  '15.5(3)M5a',
  '15.5(3)M7',
  '15.5(3)M6a',
  '15.5(3)SN0a',
  '15.5(3)SN',
  '15.6(1)S',
  '15.6(2)S',
  '15.6(2)S1',
  '15.6(1)S1',
  '15.6(1)S2',
  '15.6(2)S2',
  '15.6(1)S3',
  '15.6(2)S3',
  '15.6(1)S4',
  '15.6(2)S4',
  '15.6(1)T',
  '15.6(2)T',
  '15.6(1)T0a',
  '15.6(1)T1',
  '15.6(2)T1',
  '15.6(1)T2',
  '15.6(2)T0a',
  '15.6(2)T2',
  '15.6(1)T3',
  '15.6(2)T3',
  '15.3(3)JC6',
  '15.3(3)JC8',
  '15.3(3)JC9',
  '15.3(3)JC14',
  '15.3(1)SY',
  '15.3(0)SY',
  '15.3(1)SY1',
  '15.3(1)SY2',
  '15.6(2)SP',
  '15.6(2)SP1',
  '15.6(2)SP2',
  '15.6(2)SP3',
  '15.6(2)SP4',
  '15.6(2)SP3b',
  '15.6(1)SN',
  '15.6(1)SN1',
  '15.6(2)SN',
  '15.6(1)SN2',
  '15.6(1)SN3',
  '15.6(3)SN',
  '15.6(4)SN',
  '15.6(5)SN',
  '15.6(6)SN',
  '15.6(7)SN',
  '15.6(7)SN1',
  '15.3(3)JD3',
  '15.3(3)JD4',
  '15.3(3)JD5',
  '15.3(3)JD6',
  '15.3(3)JD7',
  '15.3(3)JD8',
  '15.3(3)JD9',
  '15.3(3)JD11',
  '15.3(3)JD12',
  '15.3(3)JD13',
  '15.3(3)JD14',
  '15.3(3)JD15',
  '15.6(3)M',
  '15.6(3)M1',
  '15.6(3)M0a',
  '15.6(3)M1a',
  '15.6(3)M1b',
  '15.6(3)M2',
  '15.6(3)M2a',
  '15.6(3)M3',
  '15.6(3)M3a',
  '15.6(3)M4',
  '15.2(4)EC1',
  '15.2(4)EC2',
  '15.4(1)SY',
  '15.4(1)SY1',
  '15.4(1)SY2',
  '15.4(1)SY3',
  '15.4(1)SY4',
  '15.3(3)JE',
  '15.3(3)JDA15',
  '15.5(1)SY',
  '15.5(1)SY1',
  '15.3(3)JF',
  '15.3(3)JF1',
  '15.3(3)JF2',
  '15.3(3)JF4',
  '15.3(3)JF5',
  '15.3(3)JF6',
  '15.3(3)JF7',
  '15.7(3)M',
  '15.7(3)M1',
  '15.7(3)M0a',
  '15.3(3)JG',
  '15.3(3)JG1',
  '15.3(3)JH',
  '15.3(3)JH1',
  '15.3(3)JI',
  '12.2(6)I1'
);

workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_HOLE,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvi30136'
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_versions:version_list
);
  • NASL familyCISCO
    NASL idCISCO-SA-20180926-PNP-MEMLEAK-IOSXE.NASL
    descriptionAccording to its self-reported version, Cisco IOS XE Software is affected by a memory leak vulnerability in the Cisco Network Plug and Play agent due to insufficient input validation. An unauthenticated, remote attacker can exploit this, by sending invalid data to the Cisco Network Plug and Play agent on an affected device, to cause a memory leak on an affected device, causing it to reload. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id132049
    published2019-12-13
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132049
    titleCisco IOS XE Software Software Plug and Play Agent Memory Leak(cisco-sa-20180926-pnp-memleak)
    code
    #TRUSTED a80c9c8e169cc90cefbb02f99c3c7d382f2f269ce326f3013d602d8889a1a2da17ba40dc58cf9a3716d67e5939fb58f6658d21f59d471ee3beaccdd1d7afd9d51cee25c716c2e2b8e27ba70a499ecd68f582b2b85adb4f1d8eb4fdd6145c438e29c9ca5045580a6fb0f6d7662beac595acf9e17e562ccb69e742dccf475e8044055983309eee47c5d1ddb7cb48e2eb813b21ecd6b681ef6ea6039dd5fc5ce692e95eb7b00cc7a64965edeb78e318058137fc12a9fdf517e22ddb6e271e95b5b7a0f14fa04e9aad8c79099038e4a9d50c20b45c5e5d3f8e3380e450ce75d574d3b49d41847fb92b9fdbbdb6a7d253e6d69b5a290c9dd91d287b9f49a992c39988643ad003cd1b4cafa807ee21959787dadcb434978d9155c362b0936a0337f43358944fe0b8b7646d8aa328a7a43bebeac592ffb191f3acd59418b496860f32c04f764b33c56313ed81d25b3bac61bd4d01f33b94ddb8d2fa83b2ab2ba463eeda07b713a93582ef25aa66e5de50f61bd1d7482d33ff3df17be90a6dfa3fca48c4912ef11bb7a176da3ee62f754a0a908b450410bb31dc9383888817745730b9767877e73c1fbcb9861316b99d7c4af92b40fc1ee9fea5feab60b177063d2e62a1450b161b813f35f25d2bcc3675c3b0234caf546b150e326a0b512ab5b43c7c174723c177828cc34640e0eebcb3a98f76b908b4f09b6e535f119f617a39fe06ff
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(132049);
  script_version("1.4");
  script_cvs_date("Date: 2019/12/16");

  script_cve_id("CVE-2018-15377");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvi30136");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180926-pnp-memleak");

  script_name(english:"Cisco IOS XE Software Software Plug and Play Agent Memory Leak(cisco-sa-20180926-pnp-memleak)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected by a memory leak vulnerability in the Cisco
Network Plug and Play agent due to insufficient input validation. An unauthenticated, remote attacker can exploit this,
by sending invalid data to the Cisco Network Plug and Play agent on an affected device, to cause a memory leak on an
affected device, causing it to reload.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-pnp-memleak
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f91b535a");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi30136");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s) CSCvi30136.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-15377");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/09/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco IOS XE Software');

version_list = make_list(
  '3.16.0S',
  '3.16.1S',
  '3.16.0aS',
  '3.16.1aS',
  '3.16.2S',
  '3.16.2aS',
  '3.16.0bS',
  '3.16.0cS',
  '3.16.3S',
  '3.16.2bS',
  '3.16.3aS',
  '3.16.4S',
  '3.16.4aS',
  '3.16.4bS',
  '3.16.4gS',
  '3.16.5S',
  '3.16.4cS',
  '3.16.4dS',
  '3.16.4eS',
  '3.16.6S',
  '3.16.5aS',
  '3.16.5bS',
  '3.16.7S',
  '3.16.6bS',
  '3.16.7aS',
  '3.16.7bS',
  '3.17.0S',
  '3.17.1S',
  '3.17.2S',
  '3.17.1aS',
  '3.17.3S',
  '3.17.4S',
  '16.1.1',
  '16.1.2',
  '16.1.3',
  '16.2.1',
  '16.2.2',
  '3.8.0E',
  '3.8.1E',
  '3.8.2E',
  '3.8.3E',
  '3.8.4E',
  '3.8.5E',
  '3.8.5aE',
  '3.8.6E',
  '16.3.1',
  '16.3.2',
  '16.3.3',
  '16.3.1a',
  '16.3.4',
  '16.3.5',
  '16.3.5b',
  '16.3.6',
  '16.4.1',
  '16.4.2',
  '16.4.3',
  '16.5.1',
  '16.5.1a',
  '16.5.1b',
  '16.5.2',
  '16.5.3',
  '3.18.0aS',
  '3.18.0S',
  '3.18.1S',
  '3.18.2S',
  '3.18.3S',
  '3.18.4S',
  '3.18.0SP',
  '3.18.1SP',
  '3.18.1aSP',
  '3.18.1gSP',
  '3.18.1bSP',
  '3.18.1cSP',
  '3.18.2SP',
  '3.18.1hSP',
  '3.18.2aSP',
  '3.18.1iSP',
  '3.18.3SP',
  '3.18.4SP',
  '3.18.3aSP',
  '3.18.3bSP',
  '3.9.0E',
  '3.9.1E',
  '3.9.2E',
  '3.9.2bE',
  '16.6.1',
  '16.6.2',
  '16.6.3',
  '16.7.1',
  '16.7.1a',
  '16.7.1b',
  '16.8.1',
  '16.8.1a',
  '16.8.1b',
  '16.8.1s',
  '16.8.1c',
  '3.10.0E',
  '3.10.1E',
  '3.10.0cE',
  '3.10.1aE',
  '3.10.1sE'
);

workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_HOLE,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvi30136'
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_versions:version_list
);

References