CVE-2018-0441

A vulnerability in the 802.11r Fast Transition feature set of Cisco IOS Access Points (APs) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a corruption of certain timer mechanisms triggered by specific roaming events. This corruption will eventually cause a timer crash. An attacker could exploit this vulnerability by sending malicious reassociation events multiple times to the same AP in a short period of time, causing a DoS condition on the affected AP.

CVSS v3 7.4 HIGH
CVSS v2.0 6.1 MEDIUM

7.4^/10

CVSS v3 : HIGH

Vector : AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Exploitability : 2.8 / Impact : 4.0

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

6.1^/10

CVSS v2.0 : MEDIUM

Vector : AV:A/AC:L/Au:N/C:N/I:N/A:C

Exploitability : 6.5 / Impact : 6.9

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact COMPLETE

References

Link	Resource
http://www.securityfocus.com/bid/105680	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1041918	Third Party Advisory VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-ap-ft-dos	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:cisco:access_points:8.0\(140.0\):::::::*
	cpe:2.3:o:cisco:access_points:8.2\(141.0\):::::::*
	cpe:2.3:o:cisco:access_points:8.2\(151.0\):::::::*
	cpe:2.3:o:cisco:access_points:8.3\(102.0\):::::::*
	cpe:2.3:o:cisco:access_points:8.3\(112.0\):::::::*
	cpe:2.3:o:cisco:access_points:8.3\(114.74\):::::::*
	cpe:2.3:o:cisco:access_points:15.3\(3\)jd:::::::*

Configuration 2 (hide)

OR	cpe:2.3:o:cisco:access_points::::::::
	cpe:2.3:o:cisco:access_points::::::::

History

No history.

Information

Published : 2018-10-17 22:29

Updated : 2024-02-04 20:03

NVD link : CVE-2018-0441

Mitre link : CVE-2018-0441

CVE.ORG link : CVE-2018-0441

JSON object : View

Products Affected

cisco

access_points

CWE

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2018-0441", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.1, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 7.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "ykramarz@cisco.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 7.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 2.8}]}, "published": "2018-10-17T22:29:00.550", "references": [{"url": "http://www.securityfocus.com/bid/105680", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ykramarz@cisco.com"}, {"url": "http://www.securitytracker.com/id/1041918", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ykramarz@cisco.com"}, {"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-ap-ft-dos", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-400"}]}, {"type": "Secondary", "source": "ykramarz@cisco.com", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the 802.11r Fast Transition feature set of Cisco IOS Access Points (APs) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a corruption of certain timer mechanisms triggered by specific roaming events. This corruption will eventually cause a timer crash. An attacker could exploit this vulnerability by sending malicious reassociation events multiple times to the same AP in a short period of time, causing a DoS condition on the affected AP."}, {"lang": "es", "value": "Una vulnerabilidad en el conjunto de caracter\u00edsticas 802.11r Fast Transition en Cisco IOS Access Points (APs) Software podr\u00eda permitir que un atacante adyacente sin autenticar provoque una denegaci\u00f3n de servicio (DoS) en un dispositivo afectado. La vulnerabilidad se debe a la corrupci\u00f3n de ciertos mecanismos de temporizaci\u00f3n desencadenados por eventos concretos de roaming. Esta corrupci\u00f3n acabar\u00e1 provocando un cierre inesperado del temporizador. Un atacante podr\u00eda explotar esta vulnerabilidad enviando eventos maliciosos de reasociaci\u00f3n m\u00faltiples veces al mismo AP en un corto espacio de tiempo, lo que provoca una condici\u00f3n de denegaci\u00f3n de servicio (DoS) en el AP afectado."}], "lastModified": "2019-10-09T23:32:05.397", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:cisco:access_points:8.0\\(140.0\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2A2819B0-F330-4842-A71E-B0BADF999FEF"}, {"criteria": "cpe:2.3:o:cisco:access_points:8.2\\(141.0\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6E8217BA-0CEC-4E93-853E-EE86C2118954"}, {"criteria": "cpe:2.3:o:cisco:access_points:8.2\\(151.0\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F92DE6E7-FFCA-4206-8C40-124A243778A9"}, {"criteria": "cpe:2.3:o:cisco:access_points:8.3\\(102.0\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "67AA1EAD-5FD9-44F0-836E-16D93E7D8D02"}, {"criteria": "cpe:2.3:o:cisco:access_points:8.3\\(112.0\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "32A6643B-AAB1-4D92-82CE-1F369FDFB796"}, {"criteria": "cpe:2.3:o:cisco:access_points:8.3\\(114.74\\):*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D16FE04-C08A-44B8-9EB3-D6C1E2E117DB"}, {"criteria": "cpe:2.3:o:cisco:access_points:15.3\\(3\\)jd:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2AF5D480-A6E6-4933-BDA8-782C71D8EA67"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:cisco:access_points:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "27B3BAA1-C708-40E2-8C2F-42EA78825B8D", "versionEndExcluding": "8.3.140.0"}, {"criteria": "cpe:2.3:o:cisco:access_points:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "19F09BB9-D027-40C7-8D49-3AEC96C530EA", "versionEndExcluding": "8.5.110.0", "versionStartIncluding": "8.4"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}