CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
90.3%
The remote Cisco IOS XE device is missing vendor-supplied security patches, and it is configured to use the Cisco Unified Border Element (CUBE) or Session Border Controller (SBC) features. It is, therefore, affected by an integer underflow condition in the Secure Real-Time Transport Protocol (SRTP) library due to improper validation of certain fields of SRTP packets. An unauthenticated, remote attacker can exploit this, via specially crafted SRTP packets, to cause packet decryption to fail, resulting in a denial of service condition.
#TRUSTED 72175bdd7d4b90b905928d9e8101d505e084a1b99c5f290a942c48ce3d85e2bd2a98fe87a7adb1d7c05cc2f9d164c5f4562bdd01aef660828c75ef8e07d8d2a5df789719d7e5aa969262ed8d8a3b45fa72b3699ffe199b6be5f3814d3417b8e4fec7d468d77d87888de1f15e8bd0fa149711c45aa2b2fd5bf90abc9d6744e24b78e70623d74ad51bda4e68076a2f000b55e8bc389f827a9d48674a22dc2240aacd3c2de289d034d92eec518dd7ceb816e8aa95b954cf6eae350b016d5d95b57ad4ad8be3b74a4f78ec24c022bc15b826301194049f3cb802db484b387b238c82f09b0ffc0a3b39c9298eea9eb9d53d35281f8269d3ceef2df42c181edd9c61e2b025b1435fc9360fe967dd7067c0f97d8eaf95662143d0c910f2c7ca7428bdc3e439d6d5364eeecfc21276f024602aabc3d83b06a75f29f2490c1aca36d4149253cb95061517b8c5de5fd28210fdbb49014db882d2df2e25b0248fad40e8c3bccfb24be49825666999e57f48e27db6fdd51db43c50af18353595949c1663b17dc1e00da0dd3064ef7c5cf3f77d54f4e8206c9d8a1471a15b31331bdac20d75ff249f29efdcfbefb37352a7c8eed2119fc54f371a6a4a3b709f86ad2d503a0329526a0d618666ddc4d5879c1330eb3afb6a038e17d338ed1eca372bea0253188431c06e5a1701ccd8df5c68925de43f5652632dcc1197915ed9b57a1d062bbe3a
#TRUST-RSA-SHA256 456970b0fc9cda1230b1adc957e02ff8ce6f3a76ac5be42eb0316389a31ca21a54325f5f40e4f195a2f4e5a8394eb0ba2f51ab5c924b6785d75e9257cad35c25e54f78732415fadb6a530609e98d7de783e3408a477a870b60fb6281fbdb6124f9479a6cd8a4e82ac9ea8295eb89275edad7af211ccf4b6f1cc32fd485c98f13a7d871129fdc0dc66368ad910c4fcba62f617eaf44fcc9e07e9d09c8bbff441ae7b12e69da14c92bc2a0a93f720334548eb7f655109b943d2ce6218e7a0ea63430041e49afc65e64d5b535b2237685aa0b626f9afd56de8e2178d27d1a74e3dc0e24ebf118b86bb35289a432030d9d8ca4256b10d64242ac7a8e12d062b4a959784b5ba06945b919fe541be66d1595b6cfc160ed4472fb20a14f6885f09186a12d1d466da4bbb1d9913640d2936dde752acdf80be542ba10d5e2402500846d06e4120c42db988e69f45220df3ee8c44ee01ee64e6ec5a3697c40b072c1f93dfc051e042d596e73512cd73bbc0f67fc7b0bf1bb9d0acc06fed88bdd0e0cc1345d574d7ed6391461267bb9f0f6420619cd159d0c3667e14ea29e29eba97c525dfc6c8305f40241604c2ab38aad0b37ae63d13133393b2133e2176ca8cdfc86e28ce5f4b39a5ce4359936ddd3f4660c81ee7f871163ef66dd7303d8c59bbe991ddb51eef8a354ca2a41facc9778228ad6d89c617c3aefb915dba3f6f8898d5e4e22
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(91760);
script_version("1.11");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/03");
script_cve_id("CVE-2015-6360");
script_xref(name:"CISCO-BUG-ID", value:"CSCux04317");
script_xref(name:"CISCO-SA", value:"cisco-sa-20160420-libsrtp");
script_name(english:"Cisco IOS XE libsrtp DoS (CSCux04317)");
script_summary(english:"Checks the IOS XE version.");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
script_set_attribute(attribute:"description", value:
"The remote Cisco IOS XE device is missing vendor-supplied security
patches, and it is configured to use the Cisco Unified Border Element
(CUBE) or Session Border Controller (SBC) features. It is, therefore,
affected by an integer underflow condition in the Secure Real-Time
Transport Protocol (SRTP) library due to improper validation of
certain fields of SRTP packets. An unauthenticated, remote attacker
can exploit this, via specially crafted SRTP packets, to cause packet
decryption to fail, resulting in a denial of service condition.");
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-libsrtp
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2658d700");
script_set_attribute(attribute:"solution", value:
"Apply the relevant patch or workaround referenced in Cisco Security
Advisory cisco-sa-20160420-libsrtp.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-6360");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"vuln_publication_date", value:"2015/11/02");
script_set_attribute(attribute:"patch_publication_date", value:"2015/11/25");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/22");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2016-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("cisco_ios_xe_version.nasl");
script_require_keys("Host/Cisco/IOS-XE/Version");
exit(0);
}
include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");
ver = get_kb_item_or_exit("Host/Cisco/IOS-XE/Version");
flag = FALSE;
override = FALSE;
# Fixed: 3.14.3S, 3.13.5S, 3.16.2S, 3.10.7S, 3.17.1S, 3.15.3S
# Check for vuln version
if ( ver == "3.10.01S" ) flag = TRUE;
if ( ver == "3.10.0S" ) flag = TRUE;
if ( ver == "3.10.0aS" ) flag = TRUE;
if ( ver == "3.10.1S" ) flag = TRUE;
if ( ver == "3.10.1xbS" ) flag = TRUE;
if ( ver == "3.10.2S" ) flag = TRUE;
if ( ver == "3.10.2aS" ) flag = TRUE;
if ( ver == "3.10.2tS" ) flag = TRUE;
if ( ver == "3.10.3S" ) flag = TRUE;
if ( ver == "3.10.4S" ) flag = TRUE;
if ( ver == "3.10.5S" ) flag = TRUE;
if ( ver == "3.10.6S" ) flag = TRUE;
if ( ver == "3.13.0S" ) flag = TRUE;
if ( ver == "3.13.0aS" ) flag = TRUE;
if ( ver == "3.13.1S" ) flag = TRUE;
if ( ver == "3.13.2S" ) flag = TRUE;
if ( ver == "3.13.2aS" ) flag = TRUE;
if ( ver == "3.13.3S" ) flag = TRUE;
if ( ver == "3.13.4S" ) flag = TRUE;
if ( ver == "3.14.0S" ) flag = TRUE;
if ( ver == "3.14.1S" ) flag = TRUE;
if ( ver == "3.14.2S" ) flag = TRUE;
if ( ver == "3.15.0S" ) flag = TRUE;
if ( ver == "3.15.1S" ) flag = TRUE;
if ( ver == "3.15.1cS" ) flag = TRUE;
if ( ver == "3.15.2S" ) flag = TRUE;
if ( ver == "3.16.0S" ) flag = TRUE;
if ( ver == "3.16.0aS" ) flag = TRUE;
if ( ver == "3.16.0bS" ) flag = TRUE;
if ( ver == "3.16.0cS" ) flag = TRUE;
if ( ver == "3.16.1S" ) flag = TRUE;
if ( ver == "3.16.1aS" ) flag = TRUE;
if ( ver == "3.17.0S" ) flag = TRUE;
# Check for Smart Install client feature or support of archive download-sw
if (flag && get_kb_item("Host/local_checks_enabled"))
{
flag = FALSE;
buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config_include_sbc", "show running-config | include sbc");
if (check_cisco_result(buf))
{
if (preg(string:buf, pattern:"^\s*sbc [^\s]+", multiline:TRUE)) flag = TRUE;
}
else if (cisco_needs_enable(buf))
{
flag = TRUE;
override = TRUE;
}
if(!flag)
{
buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config_include_srtp-auth", "show running-config | include srtp-auth");
if (check_cisco_result(buf))
{
if (preg(string:buf, pattern:"^\s*(|voice-class sip )srtp-auth( [^\s]+|$)", multiline:TRUE)) flag = TRUE;
}
else if (cisco_needs_enable(buf))
{
flag = TRUE;
override = TRUE;
}
}
}
if (flag)
{
if (report_verbosity > 0)
{
report =
'\n Cisco bug ID : CSCux04317' +
'\n Installed release : ' + ver +
'\n';
security_hole(port:0, extra:report + cisco_caveat(override));
exit(0);
}
else security_hole(port:0, extra:cisco_caveat(override));
}
else audit(AUDIT_HOST_NOT, "affected");
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
90.3%