CERT-In Vulnerability Note
CIVN-2015-0312
Multiple Vulnerabilities in Cisco
Original Issue Date: December 18, 2015
Severity Rating: MEDIUM
Systems Affected
- Cisco IOS XE software prior to 15.5(2)S2 (3.15.2S) and 15.5(3)S1 (3.16.1S)
- Cisco IMC prior to 2.0(9)
Overview
Multiple vulnerabilities have been reported in Cisco IOS XE Software and Cisco Integrated Management Controller (IMC) which could be exploited by an unauthenticated remote attacker to cause a Denial of Service (DoS) condition.
Description
1. Cisco IOS XE Software IPv6 Neighbor Discovery Denial of Service Vulnerability (CVE-2015-6359)
This vulnerability is due to insufficient bounds on internal tables. A remote attacker could exploit it by flooding an adjacent IOS XE device with specific ND messages to deplete the available memory. Successful exploitation of this vulnerability could allow a remote attacker to cause a denial of service (DoS) condition.
2. Cisco Integrated Management Controller Denial of Service Vulnerability (CVE-2015-6399)
This vulnerability is due to incomplete sanitization of input for certain parameters. A remote attacker could exploit it by sending a specially crafted HTTP request to the Integrated Management Controller (IMC), causing the IMC to become inaccessible via the IP interface. Successful exploitation of this vulnerability could allow a remote attacker to cause a denial of service (DoS) condition.
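The table-bounding issue in item 1 can be pictured with the following added example, which is not Cisco code and not part of the original note. It compares an unbounded table of ND-learned entries with one that has a hard cap and evicts unconfirmed entries first. The table layout, the class and function names, and the sample addresses (documentation prefix 2001:db8::/32) are assumptions, since the note does not say which internal tables are involved.

```python
from collections import OrderedDict
import ipaddress

class BoundedNeighborTable:
    """Toy ND table with a hard cap (assumed layout, for illustration only)."""

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.entries = OrderedDict()  # IPv6 address -> "INCOMPLETE" or "REACHABLE"
        self.evicted = 0              # unconfirmed entries pushed out by newer ones
        self.dropped = 0              # messages refused because no entry could be evicted

    def learn(self, addr, confirmed=False):
        if addr in self.entries:
            if confirmed:
                self.entries[addr] = "REACHABLE"
            self.entries.move_to_end(addr)
            return True
        if len(self.entries) >= self.max_entries:
            # Evict the oldest unconfirmed entry so a flood cannot displace real neighbors.
            victim = next((a for a, s in self.entries.items() if s == "INCOMPLETE"), None)
            if victim is None:
                self.dropped += 1     # table holds only confirmed neighbors: refuse new state
                return False
            del self.entries[victim]
            self.evicted += 1
        self.entries[addr] = "REACHABLE" if confirmed else "INCOMPLETE"
        return True

def simulate_flood(n_messages, max_entries=None):
    """Replay constructed ND messages from n distinct sources.

    Returns (final table size, whether the two confirmed neighbors survived)."""
    base = int(ipaddress.IPv6Address("2001:db8::1000"))  # constructed source range
    legit = ["2001:db8::1", "2001:db8::2"]               # constructed confirmed neighbors
    sources = (str(ipaddress.IPv6Address(base + i)) for i in range(n_messages))
    if max_entries is None:
        table = {a: "REACHABLE" for a in legit}          # unbounded: grows with every source
        for src in sources:
            table[src] = "INCOMPLETE"
        return len(table), all(a in table for a in legit)
    bounded = BoundedNeighborTable(max_entries)
    for a in legit:
        bounded.learn(a, confirmed=True)
    for src in sources:
        bounded.learn(src)
    return len(bounded.entries), all(a in bounded.entries for a in legit)

if __name__ == "__main__":
    print("unbounded:", simulate_flood(5000))
    print("bounded  :", simulate_flood(5000, max_entries=256))
```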
Solution
Apply appropriate updates as mentioned in the Cisco advisories:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151214-ios
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151211-imc
Vendor Information
CISCO
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151214-ios
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151211-imc
References
CISCO
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151214-ios
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151211-imc
CVE Name
CVE-2015-6359
CVE-2015-6399
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India