CVE-2018-15369

Cisco IOS and IOS XE Software TACACS+ Client Denial of Service Vulnerability

Severity Score

6.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in the TACACS+ client subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to improper handling of crafted TACACS+ response packets by the affected software. An attacker could exploit this vulnerability by injecting a crafted TACACS+ packet into an existing TACACS+ session between an affected device and a TACACS+ server or by impersonating a known, valid TACACS+ server and sending a crafted TACACS+ packet to an affected device when establishing a connection to the device. To exploit this vulnerability by using either method, the attacker must know the shared TACACS+ secret and the crafted packet must be sent in response to a TACACS+ request from a TACACS+ client. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

Una vulnerabilidad en el subsistema del cliente TACACS+ en Cisco IOS Software y Cisco IOS XE Software podría permitir que un atacante remoto sin autenticar haga que el dispositivo afectado se reinicie, provocando una denegación de servicio (DoS) en consecuencia. Esta vulnerabilidad se debe a la gestión inadecuada de paquetes de respuesta TACACS+ manipulados por parte del software afectado. Un atacante podría explotar esta vulnerabilidad inyectando un paquete TACACS+ manipulado en una sesión TACACS+ entre un dispositivo afectado y un servidor TACACS+ o suplantando un servidor TACACS+ válido y conocido y enviando un paquete TACACS+ manipulado a un dispositivo afectado al establecer una conexión al dispositivo. Para explotar esta vulnerabilidad al emplear cualquier método, el atacante debe conocer el secreto TACACS+ compartido. Además, el paquete manipulado debe enviarse en respuesta a una petición TACACS+ desde un cliente TACACS+. Si se explota con éxito, podría permitir que el atacante consiga que el dispositivo afectado se reinicie, provocando una denegación de servicio.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-08-17 CVE Reserved
2018-10-05 CVE Published
2024-08-05 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (2)

URL	Tag	Source
http://www.securityfocus.com/bid/105426	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-tacplus	2019-10-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"		Ios Search vendor "Cisco" for product "Ios"				15.6\(1.9\)t Search vendor "Cisco" for product "Ios" and version "15.6\(1.9\)t"		-		Affected
Cisco Search vendor "Cisco"		Ios Xe Search vendor "Cisco" for product "Ios Xe"				-		-		Affected