CVE-2017-12235 - Improper Input Validation

Severity

78%

Complexity

99%

Confidentiality

115%

A vulnerability in the implementation of the PROFINET Discovery and Configuration Protocol (PN-DCP) for Cisco IOS 12.2 through 15.6 could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to the improper parsing of ingress PN-DCP Identify Request packets destined to an affected device. An attacker could exploit this vulnerability by sending a crafted PN-DCP Identify Request packet to an affected device and then continuing to send normal PN-DCP Identify Request packets to the device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. This vulnerability affects Cisco devices that are configured to process PROFINET messages. Beginning with Cisco IOS Software Release 12.2(52)SE, PROFINET is enabled by default on all the base switch module and expansion-unit Ethernet ports. Cisco Bug IDs: CSCuz47179.

A vulnerability in the implementation of the PROFINET Discovery and Configuration Protocol (PN-DCP) for Cisco IOS 12.2 through 15.6 could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to the improper parsing of ingress PN-DCP Identify Request packets destined to an affected device. An attacker could exploit this vulnerability by sending a crafted PN-DCP Identify Request packet to an affected device and then continuing to send normal PN-DCP Identify Request packets to the device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. This vulnerability affects Cisco devices that are configured to process PROFINET messages. Beginning with Cisco IOS Software Release 12.2(52)SE, PROFINET is enabled by default on all the base switch module and expansion-unit Ethernet ports. Cisco Bug IDs: CSCuz47179.

CVSS 3.0 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0 Base Score 7.8. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C).

Demo Examples

Improper Input Validation

CWE-20

This example demonstrates a shopping interaction in which the user is free to specify the quantity of items to be purchased and a total is calculated.


               
...

The user has no control over the price variable, however the code does not prevent a negative value from being specified for quantity. If an attacker were to provide a negative value, then the user would have their account credited instead of debited.

Improper Input Validation

CWE-20

This example asks the user for a height and width of an m X n game board with a maximum dimension of 100 squares.


               
.../* board dimensions */
die("No integer passed: Die evil hacker!\n");
die("No integer passed: Die evil hacker!\n");
die("Value too large: Die evil hacker!\n");

While this code checks to make sure the user cannot specify large, positive integers and consume too much memory, it does not check for negative values supplied by the user. As a result, an attacker can perform a resource consumption (CWE-400) attack against this program by specifying two, large negative values that will not overflow, resulting in a very large memory allocation (CWE-789) and possibly a system crash. Alternatively, an attacker can provide very large negative values which will cause an integer overflow (CWE-190) and unexpected behavior will follow depending on how the values are treated in the remainder of the program.

Improper Input Validation

CWE-20

The following example shows a PHP application in which the programmer attempts to display a user's birthday and homepage.


               
echo "Birthday: $birthday<br>Homepage: <a href=$homepage>click here</a>"

The programmer intended for $birthday to be in a date format and $homepage to be a valid URL. However, since the values are derived from an HTTP request, if an attacker can trick a victim into clicking a crafted URL with <script> tags providing the values for birthday and / or homepage, then the script will run on the client's browser when the web server echoes the content. Notice that even if the programmer were to defend the $birthday variable by restricting input to integers and dashes, it would still be possible for an attacker to provide a string of the form:


               
2009-01-09--

If this data were used in a SQL statement, it would treat the remainder of the statement as a comment. The comment could disable other security-related logic in the statement. In this case, encoding combined with input validation would be a more useful protection mechanism.

Furthermore, an XSS (CWE-79) attack or SQL injection (CWE-89) are just a few of the potential consequences when input validation is not used. Depending on the context of the code, CRLF Injection (CWE-93), Argument Injection (CWE-88), or Command Injection (CWE-77) may also be possible.

Improper Input Validation

CWE-20

This function attempts to extract a pair of numbers from a user-supplied string.


               
}

                     

                           
die("Did not specify integer value. Die evil hacker!\n");
/* proceed assuming n and m are initialized correctly */

This code attempts to extract two integer values out of a formatted, user-supplied input. However, if an attacker were to provide an input of the form:


               
123:

then only the m variable will be initialized. Subsequent use of n may result in the use of an uninitialized variable (CWE-457).

Improper Input Validation

CWE-20

The following example takes a user-supplied value to allocate an array of objects and then operates on the array.


               
}
list[0] = new Widget();
die("Negative value supplied for list size, die evil hacker!");

This example attempts to build a list from a user-specified value, and even checks to ensure a non-negative value is supplied. If, however, a 0 value is provided, the code will build an array of size 0 and then try to store a new Widget in the first location, causing an exception to be thrown.

Improper Input Validation

CWE-20

This application has registered to handle a URL when sent an intent:


               
}......

                     
}

                           
}
int length = URL.length();
...

The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.

Overview

Type

Cisco IOS

First reported 7 years ago

2017-09-29 01:34:00

Last updated 5 years ago

2019-10-09 23:22:00

Affected Software

Cisco IOS 12.2 (52)SE

12.2\(52\)se

Cisco IOS 12.2 (52)SE1

12.2\(52\)se1

Cisco IOS 12.2(55)SE

12.2\(55\)se

Cisco IOS 12.2(55)SE3

12.2\(55\)se3

Cisco IOS 12.2(55)SE4

12.2\(55\)se4

Cisco IOS 12.2(55)SE5

12.2\(55\)se5

Cisco IOS 12.2(55)SE6

12.2\(55\)se6

Cisco IOS 12.2(55)SE7

12.2\(55\)se7

Cisco IOS 12.2(55)SE9

12.2\(55\)se9

Cisco IOS 12.2(55)SE10

12.2\(55\)se10

Cisco IOS 12.2(55)SE11

12.2\(55\)se11

Cisco IOS 12.2(58)SE

12.2\(58\)se

Cisco IOS 12.2(58)SE1

12.2\(58\)se1

Cisco IOS 12.2(58)SE2

12.2\(58\)se2

Cisco IOS 12.4(25E)JAO3A

12.4\(25e\)jao3a

Cisco IOS 12.4(25E)JAO20S

12.4\(25e\)jao20s

Cisco IOS 12.4(25E)JAP1N

12.4\(25e\)jap1n

Cisco IOS 12.4(25E)JAP9

12.4\(25e\)jap9

Cisco IOS 15.0(1)EY

15.0\(1\)ey

Cisco IOS 15.0(1)EY1

15.0\(1\)ey1

Cisco IOS 15.0(1)EY2

15.0\(1\)ey2

Cisco IOS 15.0(2)EB

15.0\(2\)eb

Cisco IOS 15.0(2)EC

15.0\(2\)ec

Cisco IOS 15.0(2)EY

15.0\(2\)ey

Cisco IOS 15.0(2)EY1

15.0\(2\)ey1

Cisco IOS 15.0(2)EY2

15.0\(2\)ey2

Cisco IOS 15.0(2)EY3

15.0\(2\)ey3

Cisco IOS 15.0(2)SE

15.0\(2\)se

Cisco IOS 15.0(2)SE1

15.0\(2\)se1

Cisco IOS 15.0(2)SE2

15.0\(2\)se2

Cisco IOS 15.0(2)SE3

15.0\(2\)se3

Cisco IOS 15.0(2)SE4

15.0\(2\)se4

Cisco IOS 15.0(2)SE5

15.0\(2\)se5

Cisco IOS 15.0(2)SE6

15.0\(2\)se6

Cisco IOS 15.0(2)SE7

15.0\(2\)se7

Cisco IOS 15.0(2)SE8

15.0\(2\)se8

Cisco IOS 15.0(2)SE9

15.0\(2\)se9

Cisco IOS 15.0(2)SE10

15.0\(2\)se10

Cisco IOS 15.0(2)SE10A

15.0\(2\)se10a

Cisco IOS 15.1(2)SG7A

15.1\(2\)sg7a

Cisco IOS 15.1(2)SG9

15.1\(2\)sg9

Cisco IOS 15.2(1)EY

15.2\(1\)ey

Cisco IOS 15.2(2)E

15.2\(2\)e

Cisco IOS 15.2(2)E1

15.2\(2\)e1

Cisco IOS 15.2(2)E2

15.2\(2\)e2

Cisco IOS 15.2(2)E3

15.2\(2\)e3

Cisco IOS 15.2(2)E4

15.2\(2\)e4

Cisco IOS 15.2(2)E5

15.2\(2\)e5

Cisco IOS 15.2(2)E5A

15.2\(2\)e5a

Cisco IOS 15.2(2)E5B

15.2\(2\)e5b

Cisco IOS 15.2(2)E6

15.2\(2\)e6

Cisco IOS 15.2(2)EB2

15.2\(2\)eb2

Cisco IOS 15.2(2a)E2

15.2\(2a\)e2

Cisco IOS 15.2(3)E1

15.2\(3\)e1

Cisco IOS 15.2(3)E3

15.2\(3\)e3

Cisco IOS 15.2(3)E5

15.2\(3\)e5

Cisco IOS 15.2(3)EX

15.2\(3\)ex

Cisco IOS 15.2(4)EC

15.2\(4\)ec

Cisco IOS 15.2(5)E2A

15.2\(5\)e2a

Cisco IOS 15.2(5A)E1

15.2\(5a\)e1

Cisco IOS 15.3(3)JBB6A

15.3\(3\)jbb6a

Cisco IOS 15.3(3)JNP2

15.3\(3\)jnp2

Cisco IOS 15.3(3)JPB2

15.3\(3\)jpb2

References

101043

Third Party Advisory, VDB Entry

1039451

Third Party Advisory, VDB Entry

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-profinet

Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.