Network vulnerabilities

Network vulnerabilities are the most exploited type of vulnerability due to the large population of devices connected to the Internet. Network vulnerabilities affect endpoint devices, such as web servers, and core devices, such as routers and switches.

Network vulnerabilities across many vendors currently exist. Here are two example vulnerabilities from Cisco. Both represent bugs in the switch-level OS. This vulnerability is listed in the National Vulnerability Database (http://nvd.nist.gov) as follows:

Note

National Cyber Awareness System

Vulnerability summary for CVE-2013-5566

Original release date: 11/08/2013

Last revised: 11/08/2013

Source: US-CERT/NIST

Overview

Cisco NX-OS 5.0 and earlier-on MDS 9000 devices allows remote attackers to cause a denial of service (supervisor CPU consumption) via the Authentication Header (AH) authentication in a Virtual Router Redundancy Protocol (VRRP) frame, also know as Bug ID CSCte27874.

Impact

CVSS severity (Version 2.0):

CVSS v2 sase score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P) (legend)

Impact subscore: 2.9

Exploitability subscore: 10.0

CVSS Version 2 metrics:

Access vector: Network exploitable

Access complexity: Low

Authentication: Not required to exploit

Impact type: This allows the disruption of serviceUnknown

The next vulnerability allows an attacker to cause a denial of service using a modified packet sent to the device. This example is listed in the National Vulnerability Database (http://nvd.nist.gov) as follows:

Note

National Cyber Awareness System

Vulnerability summary for CVE-2013-5565

Original release date: 11/08/2013

Last revised: 11/08/2013

Source: US-CERT/NIST

Overview

The OSPFv3 functionality in Cisco IOS XR 5.1 allows remote attackers to cause a denial of service (a process crash) via a malformed LSA Type-1 packet, also known as Bug ID CSCuj82176.

Impact

CVSS severity (Version 2.0):

CVSS v2 base score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P) (legend)

Impact subscore: 2.9

Exploitability subscore: 8.6

CVSS Version 2 metrics:

Access vector: Network exploitable

Access complexity: Medium

Authentication: Not required to exploit

Impact type: This allows the disruption of serviceUnknown

The two examples are very specific, but both reinforce the common threat of denial of service and why frameworks such as defense-in-depth are important. If an attacker is able to cause a denial of service in the network device, a sensor somewhere on the network should be in place to send the proper alert.