Executive Summary

Summary
Title Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability
Informations
Name cisco-sa-20080326-pptp First vendor Publication 2007-07-04
Vendor Cisco Last vendor Modification 2008-03-26
Severity (Vendor) N/A Revision 1.0

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Cvss Base Score 7.1 Attack Range Network
Cvss Impact Score 6.9 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Two vulnerabilities exist in the virtual private dial-up network (VPDN) solution when Point-to-Point Tunneling Protocol (PPTP) is used in certain Cisco IOS releases prior to 12.3. PPTP is only one of the supported tunneling protocols used to tunnel PPP frames within the VPDN solution.

The first vulnerability is a memory leak that occurs as a result of PPTP session termination. The second vulnerability may consume all interface descriptor blocks on the affected device because those devices will not reuse virtual access interfaces. If these vulnerabilities are repeatedly exploited, the memory and/or interface resources of the attacked device may be depleted.

Cisco has made free software available to address these vulnerabilities for affected customers.

There are no workarounds available to mitigate the effects of these vulnerabilities.

Original Source

Url : http://www.cisco.com/en/US/products/products_security_advisory09186a008096 (...)

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-399 Resource Management Errors

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:5287
 
Oval ID: oval:org.mitre.oval:def:5287
Title: Cisco IOS Virtual Private Dial-up Network (VPDN) PPTP Session Termination Memory Leak Vulnerability
Description: Memory leak in the virtual private dial-up network (VPDN) component in Cisco IOS before 12.3 allows remote attackers to cause a denial of service (memory consumption) via a series of PPTP sessions, related to "dead memory" that remains allocated after process termination, aka bug ID CSCsj58566.
Family: ios Class: vulnerability
Reference(s): CVE-2008-1151
 Version: 1
Platform(s): Cisco IOS
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:5598
 
Oval ID: oval:org.mitre.oval:def:5598
Title: Cisco IOS Virtual Private Dial-up Network (VPDN) Denial of Service (DoS) Vulnerability
Description: The virtual private dial-up network (VPDN) component in Cisco IOS before 12.3 allows remote attackers to cause a denial of service (resource exhaustion) via a series of PPTP sessions, related to the persistence of interface descriptor block (IDB) data structures after process termination, aka bug ID CSCdv59309.
Family: ios Class: vulnerability
Reference(s): CVE-2008-1150
 Version: 1
Platform(s): Cisco IOS
 Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1
Hardware 219
Os 3878

Open Source Vulnerability Database (OSVDB)

Id Description
43795 Cisco IOS PPTP Session Termination Memory Exhaustion DoS
43794 Cisco IOS PPTP Session Termination Virtual Access Interface (IDB) Exhaustion DoS

Nessus® Vulnerability Scanner

Date Description
2010-09-01 Name : The remote device is missing a vendor-supplied security patch.
File : cisco-sa-20080326-pptphttp.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2014-02-17 10:21:52
  • Multiple Updates
2013-05-11 00:42:30
  • Multiple Updates