Executive Summary
Summary | |
---|---|
Title | Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability |
Informations | |||
---|---|---|---|
Name | cisco-sa-20080326-pptp | First vendor Publication | 2007-07-04 |
Vendor | Cisco | Last vendor Modification | 2008-03-26 |
Severity (Vendor) | N/A | Revision | 1.0 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:N/I:N/A:C) | |||
---|---|---|---|
Cvss Base Score | 7.1 | Attack Range | Network |
Cvss Impact Score | 6.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Two vulnerabilities exist in the virtual private dial-up network (VPDN) solution when Point-to-Point Tunneling Protocol (PPTP) is used in certain Cisco IOS releases prior to 12.3. PPTP is only one of the supported tunneling protocols used to tunnel PPP frames within the VPDN solution. The first vulnerability is a memory leak that occurs as a result of PPTP session termination. The second vulnerability may consume all interface descriptor blocks on the affected device because those devices will not reuse virtual access interfaces. If these vulnerabilities are repeatedly exploited, the memory and/or interface resources of the attacked device may be depleted. Cisco has made free software available to address these vulnerabilities for affected customers. There are no workarounds available to mitigate the effects of these vulnerabilities. |
Original Source
Url : http://www.cisco.com/en/US/products/products_security_advisory09186a008096 (...) |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-399 | Resource Management Errors |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:5287 | |||
Oval ID: | oval:org.mitre.oval:def:5287 | ||
Title: | Cisco IOS Virtual Private Dial-up Network (VPDN) PPTP Session Termination Memory Leak Vulnerability | ||
Description: | Memory leak in the virtual private dial-up network (VPDN) component in Cisco IOS before 12.3 allows remote attackers to cause a denial of service (memory consumption) via a series of PPTP sessions, related to "dead memory" that remains allocated after process termination, aka bug ID CSCsj58566. | ||
Family: | ios | Class: | vulnerability |
Reference(s): | CVE-2008-1151 | Version: | 1 |
Platform(s): | Cisco IOS | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:5598 | |||
Oval ID: | oval:org.mitre.oval:def:5598 | ||
Title: | Cisco IOS Virtual Private Dial-up Network (VPDN) Denial of Service (DoS) Vulnerability | ||
Description: | The virtual private dial-up network (VPDN) component in Cisco IOS before 12.3 allows remote attackers to cause a denial of service (resource exhaustion) via a series of PPTP sessions, related to the persistence of interface descriptor block (IDB) data structures after process termination, aka bug ID CSCdv59309. | ||
Family: | ios | Class: | vulnerability |
Reference(s): | CVE-2008-1150 | Version: | 1 |
Platform(s): | Cisco IOS | Product(s): | |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
43795 | Cisco IOS PPTP Session Termination Memory Exhaustion DoS |
43794 | Cisco IOS PPTP Session Termination Virtual Access Interface (IDB) Exhaustion DoS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2010-09-01 | Name : The remote device is missing a vendor-supplied security patch. File : cisco-sa-20080326-pptphttp.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 10:21:52 |
|
2013-05-11 00:42:30 |
|