Nessus plugin: CISCO-SA-20131030-ASR1000-IOSXE.NASL
This script is Copyright (C) 2013-2024 Tenable Network Security, Inc.
Published: Nov 07, 2013

Multiple Vulnerabilities in Cisco IOS XE Software for 1000 Series Aggregation Services Routers (cisco-sa-20131030-asr1000)


CVSS2: 7.8 High (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: COMPLETE
AI Score: 6.8 Medium (Confidence: Low)
EPSS: 0.001 Low (Percentile: 49.5%)

Cisco IOS XE Software for 1000 Series Aggregation Services Routers (ASR) contains the following denial of service (DoS) vulnerabilities:

  • Cisco IOS XE Software TCP Segment Reassembly Denial of Service Vulnerability (CVE-2013-5543)

  • Cisco IOS XE Software Malformed EoGRE Packet Denial of Service Vulnerability (CVE-2013-5545)

  • Cisco IOS XE Software Malformed ICMP Packet Denial of Service Vulnerability (CVE-2013-5546)

  • Cisco IOS XE Software PPTP Traffic Denial of Service Vulnerability (CVE-2013-5547)

These vulnerabilities are independent of each other. A release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of these vulnerabilities allows an unauthenticated, remote attacker to trigger a reload of the Embedded Services Processors (ESP) card or the Route Processor (RP) card, which causes an interruption of services.

Repeated exploitation can result in a sustained DoS condition.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(70784);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/03");

  script_cve_id(
    "CVE-2013-5543",
    "CVE-2013-5545",
    "CVE-2013-5546",
    "CVE-2013-5547"
  );
  script_bugtraq_id(63436, 63439, 63443, 63444);
  script_xref(name:"CISCO-BUG-ID", value:"CSCtt26470");
  script_xref(name:"CISCO-BUG-ID", value:"CSCud72509");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuf08269");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuh19936");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20131030-asr1000");

  script_name(english:"Multiple Vulnerabilities in Cisco IOS XE Software for 1000 Series Aggregation Services Routers (cisco-sa-20131030-asr1000)");
  script_summary(english:"Checks the IOS XE version.");

  script_set_attribute(attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"Cisco IOS XE Software for 1000 Series Aggregation Services Routers
(ASR) contains the following denial of service (DoS) vulnerabilities :

  - Cisco IOS XE Software TCP Segment Reassembly Denial of
    Service Vulnerability (CVE-2013-5543)

  - Cisco IOS XE Software Malformed EoGRE Packet Denial of
    Service Vulnerability (CVE-2013-5545)

  - Cisco IOS XE Software Malformed ICMP Packet Denial of
    Service Vulnerability (CVE-2013-5546)

  - Cisco IOS XE Software PPTP Traffic Denial of Service
    Vulnerability (CVE-2013-5547)

These vulnerabilities are independent of each other. A release that is
affected by one of the vulnerabilities may not be affected by the
others.

Successful exploitation of any of these vulnerabilities allows an
unauthenticated, remote attacker to trigger a reload of the Embedded
Services Processors (ESP) card or the Route Processor (RP) card, which
causes an interruption of services.

Repeated exploitation can result in a sustained DoS condition.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131030-asr1000
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?91b80ea8");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in Cisco Security Advisory
cisco-sa-20131030-asr1000.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/10/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/11/07");

  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2024 Tenable Network Security, Inc.");
  script_family(english:"CISCO");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

flag = 0;
report = "";  # accumulates one block per affected Cisco bug ID
override = 0;
model = "";

# check hardware
if (get_kb_item("Host/local_checks_enabled"))
{
  # this advisory only addresses CISCO ASR 1000 series
  buf = cisco_command_kb_item("Host/Cisco/Config/show_platform", "show platform");
  if (buf)
  {
    match = eregmatch(pattern:"Chassis type:\s+ASR([^ ]+)", string:buf);
    if (!isnull(match)) model = match[1];
  }
}
if (model !~ '^10[0-9][0-9]')
  audit(AUDIT_HOST_NOT, 'ASR 1000 Series');

version = get_kb_item_or_exit("Host/Cisco/IOS-XE/Version");

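# for each Cisco bug ID, check the version and then any additional configuration checks

# CSCtt26470: 3.4 releases before 3.4.2S and 3.5 releases before 3.5.1S.
# With local checks, flagged only if a zone-pair policy map inspects TCP or UDP.
cbi = "CSCtt26470";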
fixed_ver = "";
temp_flag = 0;
if ((version =~ '^3\\.4[^0-9]') && (cisco_gen_ver_compare(a:version,b:'3.4.2S') == -1)) { fixed_ver = "3.4.2S"; temp_flag++; }
if ((version =~ '^3\\.5[^0-9]') && (cisco_gen_ver_compare(a:version,b:'3.5.1S') == -1)) { fixed_ver = "3.5.1S"; temp_flag++; }

if (get_kb_item("Host/local_checks_enabled"))
{
  if (temp_flag)
  {
    temp_flag = 0;
    buf = cisco_command_kb_item("Host/Cisco/Config/show_policy-map_type_inspect_zone-pair", "show policy-map type inspect zone-pair");
    if (check_cisco_result(buf))
    {
      if (
           (
             (preg(multiline:TRUE, pattern:"Match: protocol udp", string:buf)) ||
             (preg(multiline:TRUE, pattern:"Match: protocol tcp", string:buf))
            ) &&
           (preg(multiline:TRUE, pattern:"Inspect", string:buf))
         ) { temp_flag = 1; }
    } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; }
  }
}

if (temp_flag)
{
  report +=
    '\n  Cisco bug ID      : ' + cbi +
    '\n  Installed release : ' + version +
    '\n  Fixed release     : ' + fixed_ver + '\n';
  flag++;
}

# --------------------------------------------

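# CSCuh19936: 3.9 releases before 3.9.2S.
# With local checks, flagged only if NAT is configured and
# 'no ip nat service pptp' is absent from the running config.
cbi = "CSCuh19936";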
fixed_ver = "";
temp_flag = 0;
if ((version =~ '^3\\.9[^0-9]') && (cisco_gen_ver_compare(a:version,b:'3.9.2S') == -1)) { fixed_ver = "3.9.2S"; temp_flag++; }

if (get_kb_item("Host/local_checks_enabled"))
{
  if (temp_flag)
  {
    temp_flag = 0;
    buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config", "show running-config");
    if (check_cisco_result(buf))
    {
      if (
           (
             (preg(multiline:TRUE, pattern:"ip nat inside", string:buf)) ||
             (preg(multiline:TRUE, pattern:"ip nat outside", string:buf))
            ) &&
           (!preg(multiline:TRUE, pattern:"no ip nat service pptp", string:buf))
         ) { temp_flag = 1; }
    } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; }
  }
}

if (temp_flag)
{
  report +=
    '\n  Cisco bug ID      : ' + cbi +
    '\n  Installed release : ' + version +
    '\n  Fixed release     : ' + fixed_ver + '\n';
  flag++;
}

# --------------------------------------------

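# CSCud72509: 3.7 releases before 3.7.3S and 3.8 releases before 3.8.1S.
# With local checks, flagged only if NAT is configured and the inventory
# lists an ASR1000-ESP100 or an ASR1002-X.
cbi = "CSCud72509";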
fixed_ver = "";
temp_flag = 0;
if ((version =~ '^3\\.7[^0-9]') && (cisco_gen_ver_compare(a:version,b:'3.7.3S') == -1)) { fixed_ver = "3.7.3S"; temp_flag++; }
if ((version =~ '^3\\.8[^0-9]') && (cisco_gen_ver_compare(a:version,b:'3.8.1S') == -1)) { fixed_ver = "3.8.1S"; temp_flag++; }

if (get_kb_item("Host/local_checks_enabled"))
{
  if (temp_flag)
  {
    temp_flag = 0;
    buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config", "show running-config");
    if (check_cisco_result(buf))
    {
      if (preg(multiline:TRUE, pattern:"ip nat (inside|outside)", string:buf))
      {
        buf = cisco_command_kb_item("Host/Cisco/Config/show_inventory", "show inventory");
        if (check_cisco_result(buf))
        {
          if (preg(multiline:TRUE, pattern:"ASR1000-ESP100", string:buf)) { temp_flag = 1; }
          if (preg(multiline:TRUE, pattern:"ASR1002-X", string:buf)) { temp_flag = 1; }
        } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; }
      }
    } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; }
  }
}

if (temp_flag)
{
  report +=
    '\n  Cisco bug ID      : ' + cbi +
    '\n  Installed release : ' + version +
    '\n  Fixed release     : ' + fixed_ver + '\n';
  flag++;
}

# --------------------------------------------

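# CSCuf08269: 3.9 releases before 3.9.2S.
# With local checks, flagged only if an Ethernet over GRE tunnel
# (IPv4 or IPv6) is configured.
cbi = "CSCuf08269";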
fixed_ver = "";
temp_flag = 0;
if ((version =~ '^3\\.9[^0-9]') && (cisco_gen_ver_compare(a:version,b:'3.9.2S') == -1)) { fixed_ver = "3.9.2S"; temp_flag++; }

if (get_kb_item("Host/local_checks_enabled"))
{
  if (temp_flag)
  {
    temp_flag = 0;
    buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config", "show running-config");
    if (check_cisco_result(buf))
    {
      if (preg(multiline:TRUE, pattern:"tunnel mode ethernet gre ipv4", string:buf)) { temp_flag = 1; }
      if (preg(multiline:TRUE, pattern:"tunnel mode ethernet gre ipv6", string:buf)) { temp_flag = 1; }
    } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; }
  }
}

if (temp_flag)
{
  report +=
    '\n  Cisco bug ID      : ' + cbi +
    '\n  Installed release : ' + version +
    '\n  Fixed release     : ' + fixed_ver + '\n';
  flag++;
}

# --------------------------------------------

if (flag)
{
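  # include the per-bug report built above, and pass override so the caveat
  # reflects checks that could not run without enable access
  security_hole(port:0, extra:report + cisco_caveat(override));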
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

Affected software:
  Vendor: cisco
  Product: ios_xe
  CPE: cpe:/o:cisco:ios_xe
