Nessus plugin: CISCO-CSCUY36553-NXOS.NASL. This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.

Cisco Nexus 3000 / 9000 Series GNU C Library (glibc) getaddrinfo() RCE (cisco-sa-20160218-glibc)

2016-09-14 00:00:00
This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
42

The version of Cisco NX-OS software running on the remote device is affected by a remote code execution vulnerability in the bundled version of the GNU C Library (glibc) due to a stack-based buffer overflow condition in the DNS resolver. An unauthenticated, remote attacker can exploit this, via a crafted DNS response that triggers a call to the getaddrinfo() function, to cause a denial of service condition or the execution of arbitrary code.

#TRUSTED 50ce4eb53ff5f515ec275c08486326604ef7358f4f4a34abeaaf978df8e1fd980cb11f777e031d0e656f2d476490e1e21d822ab12a798462571a1918efeb4872c7ccc4d55173ced5fcd0c6d19f5cdeac551a5af1d5a70f3ce4781cb7985a8df78ac7ff6916fd258deca5a75f8a0795b8bf507a92cc326d65680f744fef2a5da574b7d3c8081d0213d795a2bc84d63b2c7b24bc006a9ea886ead8687e35105b3439577b658aea11378f6b797835f0b72667d36eafbe9147e2b060963e841713775e940d09ebb459738834017289d915b16e850983fd36f3bef6a98ebc8f6bc556a24c197d0a58bc2ed57ded0886221f18075fec2aeefe5425e754da12272c50d9df9c92185b3349c95fc6dbf15972ed67004c08eeac738fe72b14bd280692a86c7000f38e7fb5afbbc3c8b5c8770530ce26049cb4a111ea3661fc262e057255737170863491a272fde85ca2686de2883f9cf93be8c2d0061ac4beb69342af874badb5883089628b394da2d00ed413dc479aa71bfe8ea66e543d85b6f96c276349710799e235f1c1f5ee633257933d2b564e35cda22ef99a93510a47217996dacd7ae61512ec574c03232ef400e2aacfb04e122844df4701190ff680eb663d98498eb804d58cd12ebb6bed63e84cc47ddcf28b24def28a5ed1fe69552ede9ae2b2822fc6a66c79210eff5efc66992570c6a28b328495f796f8ed334c01e5be7c24
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration block. It runs only when the `description` flag is set,
# records the plugin's metadata, and exits before any host-specific check.
if (description)
{
  # Plugin identity and revision.
  script_id(93480);
  script_version("1.12");
  script_cvs_date("Date: 2019/11/14");

  # Cross-references: the glibc CVE, the Cisco advisory and its two bug IDs,
  # plus Bugtraq, Exploit-DB and CERT identifiers for the same issue.
  script_cve_id("CVE-2015-7547");
  script_bugtraq_id(83265);
  script_xref(name:"CISCO-SA", value:"cisco-sa-20160218-glibc");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuy36553");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuy38921");
  script_xref(name:"EDB-ID", value:"39454");
  script_xref(name:"EDB-ID", value:"40339");
  script_xref(name:"CERT", value:"457759");

  # The summary states the detection method: this is a version check, not an
  # attempt to trigger the overflow.
  script_name(english:"Cisco Nexus 3000 / 9000 Series GNU C Library (glibc) getaddrinfo() RCE (cisco-sa-20160218-glibc)");
  script_summary(english:"Checks the NX-OS version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The version of Cisco NX-OS software running on the remote device is
affected by a remote code execution vulnerability in the bundled
version of the GNU C Library (glibc) due to a stack-based buffer
overflow condition in the DNS resolver. An unauthenticated, remote
attacker can exploit this, via a crafted DNS response that triggers a
call to the getaddrinfo() function, to cause a denial of service
condition or the execution of arbitrary code.");
  # The nessus.org/u? links are shortened; the comment above each one gives
  # the full target URL.
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160218-glibc
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ae76a668");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy36553");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy38921");
  # https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?94dd3376");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version or install the relevant 
SMU patches referenced in Cisco bug ID CSCuy36553 / CSCuy38921.");
  # CVSS v2 and v3.0 base and temporal vectors; the score source is recorded
  # as the CVE itself. Both base vectors are network-reachable with no
  # authentication or privileges required.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-7547");

  # Public exploit code is recorded as available (see the EDB-ID xrefs above),
  # which matters when prioritising remediation.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/02/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/14");

  # NOTE(review): "combined" presumably reflects that the check uses the
  # collected version plus an optional local 'show install active' - confirm.
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os");
  script_end_attributes();

  # Information-gathering category: the check body reads KB items and the
  # output of a 'show' command only.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The three required KB keys are the ones the check body reads; presumably
  # cisco_nxos_version.nasl is what populates them - verify against that plugin.
  script_dependencies("cisco_nxos_version.nasl");
  script_require_keys("Host/Cisco/NX-OS/Version", "Host/Cisco/NX-OS/Device", "Host/Cisco/NX-OS/Model");

  # Registration ends here; nothing below runs in description mode.
  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

# Device family and model come from the KB; both keys are mandatory.
device = get_kb_item_or_exit("Host/Cisco/NX-OS/Device");
model  = get_kb_item_or_exit("Host/Cisco/NX-OS/Model");

# Scope gate. audit() ends the plugin, so each test below acts as a guard.
# 1) The advisory only concerns Nexus devices.
if (device != 'Nexus')
  audit(AUDIT_HOST_NOT, "affected");

# 2) Within Nexus, only the 9000 series and the 3000 series models listed in
#    the advisory/bugs are in scope. The trailing ([^0-9]|$) keeps a longer
#    model number from matching on its prefix.
if (model !~ '^(3016|3048|3064|3132|3164|3172|3232|3264|31128|[9][0-9][0-9][0-9][0-9]?)([^0-9]|$)')
  audit(AUDIT_HOST_NOT, "affected");

version = get_kb_item_or_exit("Host/Cisco/NX-OS/Version");

# State consumed by the patch check and the report further down.
override = 0;      # becomes TRUE when the patch query needed enable privileges
check_patch = 0;   # non-zero when an SMU patch may already fix this release
vuln = 0;          # non-zero when the release is in an affected train

# The three version groups are mutually exclusive, so their order does not
# change the outcome.
if (version == "7.0(3)I2(2a)" || version == "7.0(3)I2(2b)")
{
  # Releases for which SMU patches exist. Flag the host now in case the
  # patch cannot be checked, and request the patch check.
  vuln = 1;
  check_patch = 1;
}
else if (
  # Releases covered by both CSCuy36553 and CSCuy38921.
  version == "7.0(3)I2(2)" ||
  version == "7.0(3)I3(1)" ||
  version =~ "^7\.0\(3\)I2\(1[a-z]?\)"
)
{
  vuln = 1;
}
else if (version =~ "^6\.1" || version =~ "^7\.0\(3\)I1")
{
  # Trains covered only by CSCuy36553, and only on this subset of models.
  if (model =~ '^(3164|3232|3264|31128|9[0-9][0-9][0-9][0-9]?)([^0-9]|$)')
    vuln = 1;
  else
    audit(AUDIT_HOST_NOT, "affected");
}
else
{
  # Any other release is outside the ranges this plugin knows about.
  audit(AUDIT_HOST_NOT, "affected");
}

# SMU patch verification for 7.0(3)I2(2a) and 7.0(3)I2(2b).
# A host is cleared only when every expected package name appears in the
# 'show install active' output; otherwise the earlier vuln flag stands.
# NOTE(review): with local checks disabled, or when the command fails for a
# reason other than missing enable privileges, override stays 0 and the host
# is reported without the patch state having been checked - confirm that
# this unverified state is visible to whoever triages the finding.
if (check_patch && get_kb_item("Host/local_checks_enabled"))
{
  buf = cisco_command_kb_item("Host/Cisco/Config/show_install_active", "show install active");

  if (!check_cisco_result(buf))
  {
    # Output not usable. If the cause is missing enable privileges, record
    # it so the report can carry the caveat.
    if (cisco_needs_enable(buf)) override = TRUE;
  }
  else if (version == "7.0(3)I2(2b)")
  {
    # All products on 2b need two packages:
    #   nxos.CSCpatch01-1.0.0-7.0.3.I2.2b.lib32_n9000
    #   nxos.CSCuy36553-1.0.0-7.0.3.I2.2b.lib32_n9000
    if ("CSCpatch01" >< buf)
    {
      if ("CSCuy36553" >< buf)
        audit(AUDIT_HOST_NOT, "affected because CSCuy36553 patches are installed");
    }
  }
  else if (version == "7.0(3)I2(2a)")
  {
    if (model =~ "^(9504|9508|9516)")
    {
      # Modular products on 2a need both the supervisor and line-card packages:
      #   nxos.CSCuy36553_modular_sup-1.0.0-7.0.3.I2.2a.lib32_n9000
      #   nxos.CSCuy36553_modular_lc-1.0.0-7.0.3.I2.2a.lib32_n9000
      if ("CSCuy36553_modular_sup" >< buf)
      {
        if ("CSCuy36553_modular_lc" >< buf)
          audit(AUDIT_HOST_NOT, "affected because CSCuy36553 patches are installed");
      }
    }
    else
    {
      # ToR products on 2a need a single package:
      #   nxos.CSCuy36553_TOR-1.0.0-7.0.3.I2.2a.lib32_n9000
      if ("CSCuy36553_TOR" >< buf)
        audit(AUDIT_HOST_NOT, "affected because CSCuy36553 patch is installed");
    }
  }
}

# Final verdict. If nothing flagged the host, audit it out.
if (!vuln) audit(AUDIT_HOST_NOT, "affected");

# cisco_caveat(override) is appended in both cases, so the report reflects
# whether the patch query needed enable privileges.
if (report_verbosity > 0)
{
  # Verbose report: model, installed version, and a pointer to the solution.
  details =
    '\n  Model             : ' + device + ' ' + model +
    '\n  Installed version : ' + version +
    '\n  Fix               : see solution.' +
    '\n';
  extra_text = details + cisco_caveat(override);
}
else
{
  extra_text = cisco_caveat(override);
}

security_warning(port:0, extra:extra_text);
exit(0);
Vendor | Product | Version
cisco | nx-os |