Details of VAR-200005-0087

ID

VAR-200005-0087

CVE

CVE-2000-0486

TITLE

TACACS+ Denial of Service Vulnerability

Trust: 0.9

sources: BID: 1293 // CNNVD: CNNVD-200005-104

DESCRIPTION

Buffer overflow in Cisco TACACS+ tac_plus server allows remote attackers to cause a denial of service via a malformed packet with a long length field. A small buffer overrun exists in the free, unsupported implementation of the tacacs+ server, distributed by Cisco. This vulnerability, while a buffer overrun, appears to not be exploitable due to its short nature. While the analysis of the tacacs+ protocol posted to Bugtraq indicated that clients, including IOS, were vulnerable to the above problems, Cisco claims that IOS clients will reject the packets as invalid, and report an error, without any further problems. Attacking the client requires the ability to perform blind TCP sequencing, and as such is difficult to conduct. The first vulnerability, a buffer overflow, is due to the nature in which the tac_plus server allocates memory for the incoming packet. It will read only up to the length of the header in a primary read, allocate the amount of memory indicated in the header, copy the header into the allocated memory, and then read and copy the remaining buffer in. The buffer overrun is caused by it failing to check for an integer overflow in the length field of the header when added to the header length. This can result in an 11 byte overflow. The second vulnerability is due to a lack of sanity checking on the length field. An arbitrarily large number can be sent for the body length. The server or client will malloc whatever the length presented is, and as such may allocate an excessive amount of memory, resulting in the denial of service previously mentioned

Trust: 1.26

sources: NVD: CVE-2000-0486 // BID: 1293 // VULHUB: VHN-2065

AFFECTED PRODUCTS

vendor:	cisco	model:	tacacs\+	scope:	eq	version:	f4.0.3alpha	Trust: 1.0
vendor:	cisco	model:	ios	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	tacacs\+	scope:	eq	version:	f4.0.2alpha	Trust: 1.0
vendor:	cisco	model:	ios	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	tac plus alpha	scope:	eq	version:	4.0.3	Trust: 0.3
vendor:	cisco	model:	tac plus alpha	scope:	eq	version:	4.0.2	Trust: 0.3

sources: BID: 1293 // CNNVD: CNNVD-200005-104 // NVD: CVE-2000-0486

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2000-0486
value:	MEDIUM
Trust: 1.0
CNNVD:	CNNVD-200005-104
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-2065
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2000-0486
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-2065
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-2065 // CNNVD: CNNVD-200005-104 // NVD: CVE-2000-0486

PROBLEMTYPE DATA

problemtype:

NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2000-0486

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200005-104

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-200005-104

EXTERNAL IDS

db:	BID	id:	1293	Trust: 2.0
db:	NVD	id:	CVE-2000-0486	Trust: 1.7
db:	CNNVD	id:	CNNVD-200005-104	Trust: 0.7
db:	XF	id:	4985	Trust: 0.6
db:	BUGTRAQ	id:	20000530 AN ANALYSIS OF THE TACACS+ PROTOCOL AND ITS IMPLEMENTATIONS	Trust: 0.6
db:	VULHUB	id:	VHN-2065	Trust: 0.1

sources: VULHUB: VHN-2065 // BID: 1293 // CNNVD: CNNVD-200005-104 // NVD: CVE-2000-0486

REFERENCES

url:	http://www.securityfocus.com/bid/1293	Trust: 1.7
url:	http://archives.neohapsis.com/archives/bugtraq/2000-05/0369.html	Trust: 1.7
url:	http://archives.neohapsis.com/archives/bugtraq/2000-05/0370.html	Trust: 1.7
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/4985	Trust: 1.1
url:	http://xforce.iss.net/static/4985.php	Trust: 0.6
url:	http://www.openwall.com/advisories	Trust: 0.3

sources: VULHUB: VHN-2065 // BID: 1293 // CNNVD: CNNVD-200005-104 // NVD: CVE-2000-0486

CREDITS

This vulnerability was posted to the Bugtraq mailing list by Solar Designer <solar@false.com> on May 30, 2000.

Trust: 0.9

sources: BID: 1293 // CNNVD: CNNVD-200005-104

SOURCES

db:	VULHUB	id:	VHN-2065
db:	BID	id:	1293
db:	CNNVD	id:	CNNVD-200005-104
db:	NVD	id:	CVE-2000-0486

LAST UPDATE DATE

2024-08-14T14:48:21.382000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-2065	date:	2017-10-10T00:00:00
db:	BID	id:	1293	date:	2000-05-30T00:00:00
db:	CNNVD	id:	CNNVD-200005-104	date:	2005-05-02T00:00:00
db:	NVD	id:	CVE-2000-0486	date:	2017-10-10T01:29:08.950

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-2065	date:	2000-05-30T00:00:00
db:	BID	id:	1293	date:	2000-05-30T00:00:00
db:	CNNVD	id:	CNNVD-200005-104	date:	2000-05-30T00:00:00
db:	NVD	id:	CVE-2000-0486	date:	2000-05-30T04:00:00