Cisco IOS XR 5.1.x/5.2.x/5.3.x on ASR 9001 Route Processor Fragmented IP Packet resource management
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.2 | $0-$5k | 0.00 |
A vulnerability, which was classified as critical, has been found in Cisco IOS XR 5.1.x/5.2.x/5.3.x on ASR 9001 (Router Operating System). Affected by this issue is some unknown functionality of the component Route Processor. The manipulation as part of a Fragmented IP Packet leads to a resource management vulnerability. Using CWE to declare the problem leads to CWE-399. Impacted is availability. CVE summarizes:
Memory leak in Cisco IOS XR 5.1.x through 5.1.3, 5.2.x through 5.2.5, and 5.3.x through 5.3.2 on ASR 9001 devices allows remote attackers to cause a denial of service (control-plane protocol outage) via crafted fragmented packets, aka Bug ID CSCux26791.
The weakness was disclosed 08/10/2016 by Cisco with Cisco Systems as cisco-sa-20160810-iosxr as confirmed advisory (Website). The advisory is available at tools.cisco.com. This vulnerability is handled as CVE-2016-6355 since 07/26/2016. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. The technical details are unknown and an exploit is not available. The advisory points out:
A vulnerability in the driver processing functions of Cisco IOS XR Software for Cisco ASR 9001 Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a memory leak on the route processor (RP) of an affected device, which could cause the device to drop all control-plane protocols and lead to a denial of service condition (DoS) on a targeted system.
The vulnerability scanner Nessus provides a plugin with the ID 93048 (Cisco IOS XR 5.1.x < 5.1.3 / 5.2.x < 5.2.4 / 5.3.x < 5.3.2 Fragmented Packet DoS (cisco-sa-20160810-iosxr)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family CISCO and running in the context l. The advisory illustrates:
The vulnerability is due to improper handling of crafted, fragmented packets that are directed to an affected device. An attacker could exploit this vulnerability by sending crafted, fragmented packets to an affected device for processing and reassembly. A successful exploit could allow the attacker to cause a memory leak on the RP of the device, which could cause the device to drop all control-plane protocols and eventually lead to a DoS condition on the targeted system.
Upgrading to version 5.3.3 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability. The advisory contains the following remark:
[A]dministrators can use an access control list (ACL) with the fragments keyword to configure an affected device to drop noninitial fragments.
The vulnerability is also documented in the vulnerability database at Tenable (93048).
Product
Type
Vendor
Name
Version
License
Support
- end of life (old version)
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.5VulDB Meta Temp Score: 7.3
VulDB Base Score: 7.5
VulDB Temp Score: 7.2
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 7.5
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Resource managementCWE: CWE-399 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Nessus ID: 93048
Nessus Name: Cisco IOS XR 5.1.x < 5.1.3 / 5.2.x < 5.2.4 / 5.3.x < 5.3.2 Fragmented Packet DoS (cisco-sa-20160810-iosxr)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 900948
OpenVAS Name: Cisco IOS XR Software for Cisco ASR 9001 Aggregation Services Routers Fragmented Packet Denial of Service Vulnerability
OpenVAS File: 🔍
OpenVAS Family: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Upgrade: IOS XR 5.3.3
Timeline
07/26/2016 🔍08/10/2016 🔍
08/10/2016 🔍
08/10/2016 🔍
08/10/2016 🔍
08/11/2016 🔍
08/19/2016 🔍
08/22/2016 🔍
03/25/2019 🔍
Sources
Vendor: cisco.comAdvisory: cisco-sa-20160810-iosxr
Researcher: Cisco
Organization: Cisco Systems
Status: Confirmed
CVE: CVE-2016-6355 (🔍)
SecurityTracker: 1036585
SecurityFocus: 92399 - Cisco IOS XR Software CVE-2016-6355 Denial of Service Vulnerability
scip Labs: https://www.scip.ch/en/?labs.20150108
Entry
Created: 08/11/2016 11:24Updated: 03/25/2019 07:40
Changes: 08/11/2016 11:24 (76), 03/25/2019 07:40 (12)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.