CVE-2020-3179 - Double Free vulnerability in Cisco products

CVSS 7.8 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: COMPLETE
Tags: network, low complexity, cisco, CWE-415, nessus

Summary

A vulnerability in the generic routing encapsulation (GRE) tunnel decapsulation feature of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a memory handling error when GRE over IPv6 traffic is processed. An attacker could exploit this vulnerability by sending crafted GRE over IPv6 packets with either IPv4 or IPv6 payload through an affected device. A successful exploit could allow the attacker to cause the device to crash, resulting in a DoS condition.

Vulnerable Configurations

Part          Description   Count
Application   Cisco         11
OS            Cisco         24
Hardware      Cisco         12

Common Weakness Enumeration (CWE)

Nessus

NASL family: CISCO
NASL id: CISCO-SA-FTD-DOS-2-SS2H7AWE.NASL
description: According to its version and configuration, the Cisco Firepower Threat Defense (FTD) Software running on the remote device is affected by a denial of service (DoS) vulnerability in the generic routing encapsulation (GRE) tunnel decapsulation feature. The vulnerability is due to a memory handling error when GRE over IPv6 traffic is processed. An unauthenticated attacker could exploit this vulnerability by sending crafted GRE over IPv6 packets with either IPv4 or IPv6 payload through an affected device. A successful exploit could allow the attacker to cause the device to crash, resulting in a DoS condition.
last seen: 2020-05-22
modified: 2020-05-14
plugin id: 136587
published: 2020-05-14
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/136587
title: Cisco Firepower Threat Defense Software Generic Routing Encapsulation Tunnel IPv6 Denial of Service Vulnerability (cisco-sa-ftd-dos-2-sS2h7aWe)
code:
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(136587);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/21");

  script_cve_id("CVE-2020-3179");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvq78828");
  script_xref(name:"CISCO-SA", value:"cisco-sa-ftd-dos-2-sS2h7aWe");
  script_xref(name:"IAVA", value:"2020-A-0205");

  script_name(english:"Cisco Firepower Threat Defense Software Generic Routing Encapsulation Tunnel IPv6 Denial of Service Vulnerability (cisco-sa-ftd-dos-2-sS2h7aWe)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its version and configuration, the Cisco Firepower Threat Defense (FTD) Software
running on the remote device is affected by a denial of service (DoS) vulnerability in the 
generic routing encapsulation (GRE) tunnel decapsulation feature. The vulnerability is due to a memory 
handling error when GRE over IPv6 traffic is processed. An unauthenticated attacker could exploit this 
vulnerability by sending crafted GRE over IPv6 packets with either IPv4 or IPv6 payload through an affected device. 
A successful exploit could allow the attacker to cause the device to crash, resulting in a DoS condition.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-dos-2-sS2h7aWe
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a684b28c");
  script_set_attribute(attribute:"see_also", value:"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-73830");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq78828");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvq78828");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3179");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(415);

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/05/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/05/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:firepower_threat_defense");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_asa_firepower_version.nasl", "cisco_enumerate_firepower.nbin");
  script_require_keys("installed_sw/Cisco Firepower Threat Defense");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco Firepower Threat Defense');

vuln_ranges = [
  {'min_ver' : '6.3.0', 'fix_ver' : '6.3.0.5'},
  {'min_ver' : '6.4.0', 'fix_ver' : '6.4.0.6'}
];
workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_HOLE,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvq78828'
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_ranges:vuln_ranges
);
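
The version gate expressed by the plugin's `vuln_ranges`, as an added example for auditing an inventory of FTD version strings (this is not Tenable's code and not part of the original page). The function names and the sample inventory are constructed, and two points are assumptions: each range is read as `min_ver <= version < fix_ver`, and a trailing `-NN` is treated as a build suffix that does not affect the comparison.

```python
import re

# Ranges copied from the plugin's vuln_ranges for CVE-2020-3179.
VULN_RANGES = [
    {"min_ver": "6.3.0", "fix_ver": "6.3.0.5"},
    {"min_ver": "6.4.0", "fix_ver": "6.4.0.6"},
]


def parse_version(text, width=4):
    """Turn '6.4.0.5-34' into (6, 4, 0, 5); pad short versions with zeros."""
    core = text.strip().split("-", 1)[0]  # assumption: '-NN' is a build suffix
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (width - len(parts))
    return tuple(parts)  # numeric tuples, so 6.3.0.10 sorts after 6.3.0.5


def check_version(text, ranges=VULN_RANGES):
    """Return (vulnerable, fix_ver). Assumes min_ver <= version < fix_ver."""
    version = parse_version(text)
    for r in ranges:
        if parse_version(r["min_ver"]) <= version < parse_version(r["fix_ver"]):
            return True, r["fix_ver"]
    return False, None


def audit(inventory):
    """Map hostname -> finding for a {hostname: version} inventory."""
    findings = {}
    for host, raw in inventory.items():
        try:
            vulnerable, fix = check_version(raw)
        except ValueError as exc:
            findings[host] = f"UNKNOWN ({exc})"  # never silently pass bad data
            continue
        findings[host] = f"VULNERABLE, upgrade to {fix}" if vulnerable else "not in range"
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {"ftd-edge-1": "6.4.0.5-34", "ftd-edge-2": "6.4.0.6",
              "ftd-dc-1": "6.3.0", "ftd-lab": "6.2.3.15", "ftd-new": "unknown"}
    for host, finding in audit(sample).items():
        print(f"{host}: {finding}")
```

Because the plugin lists `no_workaround`, the version range alone decides the finding; hosts whose version cannot be parsed are reported as UNKNOWN rather than cleared.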