OSPF LSA Manipulation Vulnerability in Cisco ASA (cisco-sa-20130801-lsaospf)

2013-08-16T00:00:00
ID CISCO-SA-20130801-LSAOSPF-ASA.NASL
Type nessus
Reporter Tenable
Modified 2018-07-06T00:00:00

Description

The remote Cisco ASA device is affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could be exploited by injecting specially crafted OSPF packets. Successful exploitation could allow an unauthenticated attacker to manipulate or disrupt the flow of network traffic through the device.

                                        
                                            #TRUSTED ad6ab00a302d34ff2b16c29b41b31820913562341cc787dccddd08570cb547ee843483fa00092311471607398ec853e365a26a8620211a60d68956dbbee28abf304b8514b918e77d47a96c34650f2444169898b8bd4fd5fa08a053bb65266c6f38b14d9677e9a666a6fc8259e53f675efaac06d2de41e6722d276e8fdf9beea6294d483aa4fc2e1bb3344b37660263a654fd1b2d685320478040cae4c584843093c0caf5f5c6152514600451043c60dd7536ac34a86acd0cf67fe6670ab97fe71db8950334fb922fae0d327ca20d78fc391b4974343b937aab178929fb7b8f4ada52ca5f91c731690bc96f1f804693b46542e7a16ee753e0a84f3f3b478bf06e2ebb8bdbd360108d89be8b0bb40a6a3cd81c951e91c1822a786364d634fe529db83aa6cc4082df760332d67926c1d68df24c06c5d040e2cb3888e7c71274657997854147fe2235284d41f9c4e31c8d1340833c1e5170077a09e9aaca59d78d06b897fa46876fe4abb5f831e7de0b2b9768c547c66f79536f62e8c8e889824fef5fe6c3a8921c130c2547d68feb72687392379a2640a5a8d6189a4e3921cebef57424c71ec07a3cb55b6a01cfcf251ac65cf486d87fdc4bd04fb914e0d730465aa3a99f5c1152e4aa2620e2c0f1e919c11ba189594640bd4b985abf0a9a852dc0f47fbec09a89f56c8d3500405e90fe9ee6943964a01eca48286746e9f4c7f90b
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(69376);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/06");

  script_cve_id("CVE-2013-0149");
  script_bugtraq_id(61566);
  script_xref(name:"CISCO-BUG-ID", value:"CSCug34469");
  script_xref(name:"IAVA", value:"2013-A-0157");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20130801-lsaospf");

  script_name(english:"OSPF LSA Manipulation Vulnerability in Cisco ASA (cisco-sa-20130801-lsaospf)");
  script_summary(english:"Checks the ASA version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The remote Cisco ASA device is affected by a vulnerability
involving the Open Shortest Path First (OSPF) Routing Protocol Link
State Advertisement (LSA) database.  This vulnerability could be
exploited by injecting specially crafted OSPF packets.  Successful
exploitation could allow an unauthenticated attacker to manipulate
or disrupt the flow of network traffic through the device.");
  # http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130801-lsaospf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?58c1354a");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in Cisco Security Advisory
cisco-sa-20130801-lsaospf.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:asa_5500");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/08/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/08/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/16");

  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
  script_family(english:"CISCO");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/Cisco/ASA");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

flag = 0;
override = 0;
report_extras = "";

asa = get_kb_item_or_exit('Host/Cisco/ASA');
ver = extract_asa_version(asa);
if (isnull(ver))
  audit(AUDIT_FN_FAIL, 'extract_asa_version');

fixed_ver = "";

if (
  ver =~ "^7\." ||
  ver =~ "^8\.0[^0-9]" ||
  ver =~ "^8\.1[^0-9]" ||
  ver =~ "^8\.2[^0-9]" ||
  ver =~ "^8\.3[^0-9]")
{
  flag++;
  fixed_ver = "8.4(6)5";
}

if (
  ver =~ "^8\.4[^0-9]" &&
  check_asa_release(version:ver, patched:"8.4(6)5"))
{
  flag++;
  fixed_ver = "8.4(6)5";
}

if (
  ver =~ "^8\.5[^0-9]" ||
  ver =~ "^8\.6[^0-9]")
{
  flag++;
  fixed_ver = "9.0(3)";
}

if (
  ver =~ "^9\.0[^0-9]" &&
  check_asa_release(version:ver, patched:"9.0(3)"))
{
  flag++;
  fixed_ver = "9.0(3)";
}

if (
  ver =~ "^9\.1[^0-9]" &&
  check_asa_release(version:ver, patched:"9.1(2)5"))
{
  flag++;
  fixed_ver = "9.1(2)5";
}

if (get_kb_item("Host/local_checks_enabled"))
{
  if (flag)
  {
    flag = 0;
    buf = cisco_command_kb_item("Host/Cisco/Config/show_ospf_interface", "show ospf interface");
    if (check_cisco_result(buf))
    {
      if (preg(pattern:"line protocol is up", multiline:TRUE, string:buf)) { flag = 1; }
    } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; }
  }
}

if (flag)
{
  report =
    '\n  Installed release : ' + ver +
    '\n  Fixed release     : ' + fixed_ver + '\n';
  security_warning(port:0, extra:cisco_caveat(override));
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");