Cisco uBR10012 Series Devices SNMP Vulnerability - Cisco Systems

2010-09-01T00:00:00
ID CISCO-SA-20080924-UBRHTTP.NASL
Type nessus
Reporter Tenable
Modified 2018-11-15T00:00:00

Description

Cisco uBR10012 series devices automatically enable Simple Network Management Protocol (SNMP) read/write access to the device if configured for linecard redundancy. This can be exploited by an attacker to gain complete control of the device. Only Cisco uBR10012 series devices that are configured for linecard redundancy are affected.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

                                        
                                            #TRUSTED 15e988c94f19815078a22d430548ec52419a67d6ee8bb5341e34c87334a9ceae0fb02ff0e42864b64b563c6cb7f9330302009687f37a90d1882ce640f9e2ec4a0444ca37adf6383cbf4311db040bacac0be4eb7248cf47a96e00848d0d9e70438cf2c9fe2c68c91cb148d010e1876fadea85e5ac64466b8b0b948d9e662188d4b407a56fc21c2a73373a0ac7964e8f127b38a1000112cbac5320e4628f981369d95d455a2809f323e82ce9585ed2cd9202e71a6216f09d6e56b192dcb2f8479eca4317b9105a4d59aaec9f26c459d7845f8e9a23e81d01cce561ead68b6704d0a40c584839eab37d2e987e448d5c70e186208349b3f7281222526e9001fadc062dd8d043df1496f8c380e817fd60c3ee8cfaef72f5a98204b219acd37ef1dc27da362a8df9ef07da40c17b087f7b0159317bf647e0347a78d35d8b5a8e7063c1c34f1b4c3c200940ec536fca5d07f1ae61b23f0acde2196a595fd1f5bbd79ca6fc31ba66601d2c206003abf4adeeb7b828e28653d1d544031e4daedf9fb0f2f9eedb34680480d0a66a5de4c2d869df8c739aae6e8e7299ce3b974463e61139d95d890b3103e15405cfb63e33afa2c6a9b1194f1ab72c54c1bd22c317838cfca8cb02da08680701fc6715dc953a2938137995020d1384cfd2cb0415fe03363702f84f4799b53ddd4a253f59e3fc4a9e90351a40fc1c4ab53b44f4a8dbb3cbebb4
#
# (C) Tenable Network Security, Inc.
#
# Security advisory is (C) CISCO, Inc.
# See https://www.cisco.com/en/US/products/products_security_advisory09186a0080a014b1.shtml

# Engines that report a NASL level below 3000 skip this plugin entirely.
if (NASL_LEVEL < 3000)
{
  exit(0);
}

include("compat.inc");

# Registration section: when the engine sets `description`, the script only
# declares its metadata, dependency and required KB key, then exits without
# testing anything.
if (description)
{
 script_id(49027);
 script_version("1.20");
 script_set_attribute(attribute:"plugin_modification_date", value:"2018/11/15");
 # Identifiers that tie this check to the vendor advisory and tracking systems.
 script_cve_id("CVE-2008-3807");
 script_bugtraq_id(31355);
 script_xref(name:"CISCO-BUG-ID", value:"CSCek57932");
 script_xref(name:"CISCO-SA", value:"cisco-sa-20080924-ubr");
 script_xref(name:"IAVA", value:"2008-A-0067");
 script_name(english:"Cisco uBR10012 Series Devices SNMP Vulnerability - Cisco Systems");
 # NOTE(review): the summary mentions only the version check, but the script
 # body also inspects the running configuration when local checks are enabled.
 script_summary(english:"Checks the IOS version.");
 script_set_attribute(attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch.");
 # Report text: the exposure is SNMP read/write access that the device enables
 # on its own when linecard redundancy is configured.
 script_set_attribute(attribute:"description", value:
'Cisco uBR10012 series devices automatically enable Simple Network
Management Protocol (SNMP) read/write access to the device if
configured for linecard redundancy. This can be exploited by an
attacker to gain complete control of the device. Only Cisco uBR10012
series devices that are configured for linecard redundancy are
affected.

 Cisco has released free software updates that address this
vulnerability. Workarounds that mitigate this vulnerability are
available.
');
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?24d1a74f");
 # https://www.cisco.com/en/US/products/products_security_advisory09186a0080a014b1.shtml
 script_set_attribute(attribute:"see_also", value: "http://www.nessus.org/u?7c05ab7f");
 script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in Cisco Security Advisory
cisco-sa-20080924-ubr.");
 # CVSS v2 base vector: network access, medium access complexity, no
 # authentication, complete impact on confidentiality, integrity and
 # availability.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 # CVSS v2 temporal vector: exploitability unproven, official fix available,
 # report confirmed.
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");
 # CWE-16 (Configuration).
 script_cwe_id(16);
 # NOTE(review): "local" presumably marks a check that works from data
 # collected from the device rather than from a network probe; the body only
 # reads KB items. Confirm against the plugin conventions.
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");

 script_set_attribute(attribute:"vuln_publication_date", value:"2008/09/24");
 script_set_attribute(attribute:"patch_publication_date", value:"2008/09/24");
 script_set_attribute(attribute:"plugin_publication_date", value:"2010/09/01");

 script_set_attribute(attribute:"stig_severity", value:"I");
 script_end_attributes();
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is (C) 2010-2018 Tenable Network Security, Inc.");
 script_family(english:"CISCO");
 # The body reads Host/Cisco/IOS/Version from the KB; presumably
 # cisco_ios_version.nasl is the plugin that populates it.
 script_dependencie("cisco_ios_version.nasl");
 script_require_keys("Host/Cisco/IOS/Version");
 exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

# flag     - non-zero once the host is considered affected.
# override - set later when the configuration could not be read, so the
#            report can carry a caveat.
flag = 0;
override = 0;
version = get_kb_item_or_exit("Host/Cisco/IOS/Version");

# IOS release strings treated as affected. The comparison is an exact string
# match, so a release that is not listed here is never flagged.
# NOTE(review): nothing in this script checks the hardware model; the match is
# on the IOS release string alone. Confirm that the listed trains are specific
# enough for the uBR10012 platform.
affected_releases = make_list(
  '12.3(17b)BC7', '12.3(17b)BC6', '12.3(17b)BC5', '12.3(17b)BC4', '12.3(17b)BC3',
  '12.3(17a)BC2', '12.3(17a)BC1', '12.3(17a)BC',
  '12.3(13a)BC6', '12.3(13a)BC5', '12.3(13a)BC4', '12.3(13a)BC3', '12.3(13a)BC2',
  '12.3(13a)BC1', '12.3(13a)BC',
  '12.3(9a)BC9', '12.3(9a)BC8', '12.3(9a)BC7', '12.3(9a)BC6', '12.3(9a)BC5',
  '12.3(9a)BC4', '12.3(9a)BC3', '12.3(9a)BC2', '12.3(9a)BC1', '12.3(9a)BC',
  '12.2(4)XF1', '12.2(4)XF',
  '12.2(11)CY',
  '12.2(15)CX1', '12.2(15)CX', '12.2(11)CX',
  '12.2(15)BC2i', '12.2(15)BC2h', '12.2(15)BC2g', '12.2(15)BC2f', '12.2(15)BC2e',
  '12.2(15)BC2d', '12.2(15)BC2c', '12.2(15)BC2b', '12.2(15)BC2a', '12.2(15)BC2',
  '12.2(15)BC1g', '12.2(15)BC1f', '12.2(15)BC1e', '12.2(15)BC1d', '12.2(15)BC1c',
  '12.2(15)BC1b', '12.2(15)BC1a', '12.2(15)BC1',
  '12.2(11)BC3d', '12.2(11)BC3c', '12.2(11)BC3b', '12.2(11)BC3a', '12.2(11)BC3',
  '12.2(11)BC2a', '12.2(11)BC2',
  '12.2(11)BC1b', '12.2(11)BC1a', '12.2(11)BC1',
  '12.2(8)BC2a', '12.2(8)BC2', '12.2(8)BC1',
  '12.2(4)BC1b', '12.2(4)BC1a', '12.2(4)BC1'
);

# At most one entry can equal the reported version, so stop at the first hit.
foreach release (affected_releases)
{
  if (version == release)
  {
    flag++;
    break;
  }
}


# Second stage: when local checks are enabled and the release matched, confirm
# the finding against the running configuration. Without local checks the
# release match alone decides the result, so such findings should be verified
# on the device.
local_checks = get_kb_item("Host/local_checks_enabled");
if (local_checks && flag)
{
  # Start again from "not affected"; only the configuration can re-raise it.
  flag = 0;
  buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config", "show running-config");
  if (!check_cisco_result(buf))
  {
    # The configuration was not usable. If the command needed enable
    # privileges, keep the finding and set override so the report can say the
    # configuration was not verified. Any other failure leaves flag at 0, so
    # the host is reported as not affected.
    if (cisco_needs_enable(buf))
    {
      flag = 1;
      override = 1;
    }
  }
  else if (preg(pattern:"member subslot [^\r\n]+ working", multiline:TRUE, string:buf) ||
           preg(pattern:"hccp [^\r\n]+ protect ", multiline:TRUE, string:buf))
  {
    # Either line is taken as evidence of the affected setup - presumably the
    # linecard redundancy configuration named in the advisory.
    flag = 1;
  }
}

# Final verdict: audit the host as not affected, or raise the finding with the
# caveat text derived from override.
if (!flag)
{
  audit(AUDIT_HOST_NOT, "affected");
}
else
{
  security_hole(port:0, extra:cisco_caveat(override));
  exit(0);
}