Vulnerabilities > CVE-2019-12646 - Improper Initialization vulnerability in Cisco IOS XE

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

cisco

CWE-665

nessus

NVD

Published: 2019-09-25

Updated: 2023-05-22

Summary

A vulnerability in the Network Address Translation (NAT) Session Initiation Protocol (SIP) Application Layer Gateway (ALG) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to improper processing of transient SIP packets on which NAT is performed on an affected device. An attacker could exploit this vulnerability by using UDP port 5060 to send crafted SIP packets through an affected device that is performing NAT for SIP packets. A successful exploit could allow an attacker to cause the device to reload, resulting in a denial of service (DoS) condition.

Vulnerable Configurations

Part	Description	Count
OS	Cisco Cisco IOS XE 15.4$3$S Cisco IOS XE 15.5$3$S Cisco IOS XE 15.6$1$S Cisco IOS XE 16.3.1 Cisco IOS XE 16.4.1 Cisco IOS XE 16.5.1 Cisco IOS XE 16.6.1 Cisco IOS XE 16.7.1 Cisco IOS XE 16.8.1 Cisco IOS XE 16.9.1 Cisco IOS XE 16.10.1 Cisco IOS XE 16.11.1 Cisco IOS XE 16.12.1	13
Hardware	Cisco Cisco 1100 4P - Cisco 1100 8P - Cisco 1101 4P - Cisco 1109 2P - Cisco 1109 4P - Cisco 1111X 8P - Cisco 4221 Integrated Services Router - Cisco 4331 Integrated Services Router - Cisco CSR 1000V - Cisco Encs 5100 - Cisco Encs 5400 - Cisco Isrv -	12

Common Weakness Enumeration (CWE)

CWE-665 - Improper Initialization

Common Attack Pattern Enumeration and Classification (CAPEC)

Leveraging Race Conditions
This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Nessus

NASL family	CISCO
NASL id	CISCO-SA-20190925-SIP-ALG.NASL
description	According to its self-reported version, Cisco IOS XE Software is affected by a denial of service (DoS) vulnerability in the Network Address Translation (NAT) Session Initiation Protocl (SIP) Application Layer Gateway (ALG). This allows an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to improper processing of transient SIP packets on which NAT is performed on an affected device. An attacker can exploit this vulnerability by using UDP port 5060 to send crafted SIP packets through an affected device that is performing NAT for SIP packets. A successful exploit could allow an attacker to cause the device to reload, resulting in a DoS condition. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-05-09
modified	2019-10-10
plugin id	129780
published	2019-10-10
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129780
title	Cisco IOS XE Software NAT Session Initiation Protocol Application Layer Gateway DoS (cisco-sa-20190925-sip-alg)
code	#TRUSTED 12ec42c18ebfd362850b1a01c5334916b1a04e6468308bac825cbc5cc5c3d0d30a12b69f8429e3651abc8289632c3029e16e8b1fdcccec079cf182c34f515ae26e3779f3d022de05c672529069879807b5c1601182e9efb3141bfb76574ceabb0930227f187e192f456dd108cfe8ed1072f04da63f36a07cf4248d14d998f576794f200c4f77a37cdb63a4ca29cfe5974f63852f1ca9fa2f1fd8f8841f96c45656f8a78ab204b5f790df32593ae68a516f2aa03d9968004a5693d3808e3bb18865f5e2ce053b6accf888eeca9f61b3ca2dae5c8c454f275932879afab6cd32eb701359256e327a4cbbffef2ec8ef2acb7453ef99df8d09f4ee20a4250ebb7104e828d2837ad07916957c044ccdf5818d5fe9cb02bc17cc1a03d5471b50b8c577131618162c1a3373b3160110cbf51685cf242930159619855996b0391568d098de5988bfa9993b8638e606472d5c4c77cc34da0af231f183db5f411cb751242cf66038ff3a11cdb8c8cda28aba9ca9d82f4e290c2c4d7193c22ad3701b2eb12eec60738ad8ec32b5bbb154a1e5aae3716cc8fd2d652ca041d97bb73e10d04655f33c5d2f72bfdf59790a9d69788db6f77e3721cb675ee76ac8c40f87c9971e2433eb5a8469deac0c85da4548e7d8e55047358bbb36c53c5f1e89cd31b4b1d10db7425b8bd540a4761f87ffa322e57cba5dae6dc817e650c43f7e4a076b32f1e3 # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(129780); script_version("1.7"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/08"); script_cve_id("CVE-2019-12646"); script_xref(name:"CISCO-BUG-ID", value:"CSCvn65912"); script_xref(name:"CISCO-SA", value:"cisco-sa-20190925-sip-alg"); script_xref(name:"IAVA", value:"2019-A-0352-S"); script_name(english:"Cisco IOS XE Software NAT Session Initiation Protocol Application Layer Gateway DoS (cisco-sa-20190925-sip-alg)"); script_set_attribute(attribute:"synopsis", value: "The remote device is missing a vendor-supplied security patch"); script_set_attribute(attribute:"description", value: "According to its self-reported version, Cisco IOS XE Software is affected by a denial of service (DoS) vulnerability in the Network Address Translation (NAT) Session Initiation Protocl (SIP) Application Layer Gateway (ALG). This allows an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to improper processing of transient SIP packets on which NAT is performed on an affected device. An attacker can exploit this vulnerability by using UDP port 5060 to send crafted SIP packets through an affected device that is performing NAT for SIP packets. A successful exploit could allow an attacker to cause the device to reload, resulting in a DoS condition. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-sip-alg script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?82cd252a"); script_set_attribute(attribute:"see_also", value:"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-72547"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn65912"); script_set_attribute(attribute:"solution", value: "Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvn65912"); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-12646"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_cwe_id(399); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/25"); script_set_attribute(attribute:"patch_publication_date", value:"2019/09/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/10"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("cisco_ios_xe_version.nasl"); script_require_keys("Host/Cisco/IOS-XE/Version"); exit(0); } include('audit.inc'); include('cisco_workarounds.inc'); include('ccf.inc'); product_info = cisco::get_product_info(name:'Cisco IOS XE Software'); model = product_info.model; if (model !~ "^ISR11\d{2}([^0-9]\|$)" && model !~ "^ISR4(3\|2)\d{2}([^0-9]\|$)" && model !~ "^CSR10\d{2}([^0-9]\|$)" && model !~ "^ENCS" ) audit(AUDIT_HOST_NOT, 'affected'); version_list=make_list( '3.9.2S', '3.9.1aS', '3.9.1S', '3.9.0aS', '3.9.0S', '3.8.2S', '3.8.1S', '3.8.0S', '3.7.8S', '3.7.7S', '3.7.6S', '3.7.5S', '3.7.4aS', '3.7.4S', '3.7.3S', '3.7.2tS', '3.7.2S', '3.7.1aS', '3.7.1S', '3.7.0bS', '3.7.0S', '3.2.0JA', '3.18.4S', '3.18.3S', '3.18.2S', '3.18.1S', '3.18.0aS', '3.18.0S', '3.17.4S', '3.17.3S', '3.17.2S', '3.17.1aS', '3.17.1S', '3.17.0S', '3.16.8S', '3.16.7bS', '3.16.7aS', '3.16.7S', '3.16.6bS', '3.16.6S', '3.16.5bS', '3.16.5aS', '3.16.5S', '3.16.4gS', '3.16.4eS', '3.16.4dS', '3.16.4cS', '3.16.4bS', '3.16.4aS', '3.16.4S', '3.16.3aS', '3.16.3S', '3.16.2bS', '3.16.2aS', '3.16.2S', '3.16.1aS', '3.16.1S', '3.16.0cS', '3.16.0bS', '3.16.0aS', '3.16.0S', '3.15.4S', '3.15.3S', '3.15.2S', '3.15.1cS', '3.15.1S', '3.15.0S', '3.14.4S', '3.14.3S', '3.14.2S', '3.14.1S', '3.14.0S', '3.13.9S', '3.13.8S', '3.13.7aS', '3.13.7S', '3.13.6bS', '3.13.6aS', '3.13.6S', '3.13.5aS', '3.13.5S', '3.13.4S', '3.13.3S', '3.13.2aS', '3.13.2S', '3.13.1S', '3.13.10S', '3.13.0aS', '3.13.0S', '3.12.4S', '3.12.3S', '3.12.2S', '3.12.1S', '3.12.0aS', '3.12.0S', '3.11.4S', '3.11.3S', '3.11.2S', '3.11.1S', '3.11.0S', '3.10.9S', '3.10.8aS', '3.10.8S', '3.10.7S', '3.10.6S', '3.10.5S', '3.10.4S', '3.10.3S', '3.10.2tS', '3.10.2aS', '3.10.2S', '3.10.1S', '3.10.10S', '3.10.0S', '17.6.1', '17.5.1', '17.4.1', '17.3.1', '17.2.1', '16.9.2s', '16.9.2a', '16.9.2', '16.9.1s', '16.9.1d', '16.9.1c', '16.9.1b', '16.9.1a', '16.9.1', '16.8.2', '16.8.1s', '16.8.1e', '16.8.1d', '16.8.1c', '16.8.1b', '16.8.1a', '16.8.1', '16.7.4', '16.7.3', '16.7.2', '16.7.1b', '16.7.1a', '16.7.1', '16.6.5b', '16.6.5a', '16.6.5', '16.6.4s', '16.6.4a', '16.6.4', '16.6.3', '16.6.2', '16.6.1', '16.5.3', '16.5.2', '16.5.1b', '16.5.1a', '16.5.1', '16.4.3', '16.4.2', '16.4.1', '16.3.7', '16.3.6', '16.3.5b', '16.3.5', '16.3.4', '16.3.3', '16.3.2', '16.3.1a', '16.3.1', '16.2.2', '16.2.1', '16.10.1s', '16.10.1g', '16.10.1f', '16.10.1e', '16.10.1d', '16.10.1c', '16.10.1b', '16.10.1a', '16.10.1', '16.1.3', '16.1.2', '16.1.1' ); workarounds = make_list(CISCO_WORKAROUNDS['nat']); workaround_params = {'sip_agl_disabled' : 1}; reporting = make_array( 'port' , 0, 'severity' , SECURITY_HOLE, 'version' , product_info['version'], 'bug_id' , 'CSCvn65912', 'cmds' , make_list("show running-config") ); cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list);

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-sip-alg

Part	Description	Count
OS	Cisco Cisco IOS XE 15.4\(3\)S Cisco IOS XE 15.5\(3\)S Cisco IOS XE 15.6\(1\)S Cisco IOS XE 16.3.1 Cisco IOS XE 16.4.1 Cisco IOS XE 16.5.1 Cisco IOS XE 16.6.1 Cisco IOS XE 16.7.1 Cisco IOS XE 16.8.1 Cisco IOS XE 16.9.1 Cisco IOS XE 16.10.1 Cisco IOS XE 16.11.1 Cisco IOS XE 16.12.1	13
Hardware	Cisco Cisco 1100 4P - Cisco 1100 8P - Cisco 1101 4P - Cisco 1109 2P - Cisco 1109 4P - Cisco 1111X 8P - Cisco 4221 Integrated Services Router - Cisco 4331 Integrated Services Router - Cisco CSR 1000V - Cisco Encs 5100 - Cisco Encs 5400 - Cisco Isrv -	12