Main Vulnerability Database Vulnerabilities #VU672

Memory leak in Cisco IOS XE - CVE-2016-6385

Published: September 29, 2016 / Updated: April 11, 2018

Vulnerability identifier: #VU672

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2016-6385

CWE-ID: CWE-401

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Cisco Systems, Inc

Affected software:
Cisco IOS XE

Detailed vulnerability description

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists in Smart Install packets processing due to incorrect handling of image list parameters. A remote attacker can send specially crafted data, trigger memory leak and cause the service to crash.

How to mitigate CVE-2016-6385

Update to versions 15.2(6.3.0i)E, 15.2(5b)E, 15.2(5a)E, 15.2(5.1.79i)E, 15.2(5)E, 15.2(4m)E2, 15.2(4.7.2)EC, 15.2(4.7.1)EC, 15.2(4.4.3)EA4, 15.2(4.3.90)EC, 15.2(4.1.27)EB, 15.2(4.0r)EB, 15.2(4)EA6, 15.2(4)EA5, 15.2(4)EA4, 15.2(4)E3, 15.2(4)E2, 15.2(3m)E8, 15.2(3m)E7, 15.2(3)E4, 15.2(2)EB2, 15.2(2)E5a, 15.2(2)E5, 15.1(2)SG8, 15.0(2)SG11, 15.0(2)SE10, 15.0(2)EX11, 12.2(60)EZ9, 12.2(55)SE11, 3.9(0)E or 3.7(4)E.

Sources

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-smi

Memory leak in Cisco IOS XE - CVE-2016-6385

Detailed vulnerability description

How to mitigate CVE-2016-6385

Sources

Please verify you're human