nessusThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.CISCO-SA-20150128-GHOST-IOSXE_NOVA.NASL
HistoryMar 02, 2015 - 12:00 a.m.

Cisco IOS XE GNU GNU C Library (glibc) Buffer Overflow (CSCus69731) (GHOST)

2015-03-0200:00:00
This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
36

The remote Cisco device is running a version of Cisco IOS XE software that is potentially affected by a heap-based buffer overflow vulnerability in the GNU C Library (glibc) due to improperly validated user-supplied input to the __nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2() functions. This allows a remote attacker to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code.

Note that this issue only affects IOS XE instances that are running as a ‘Nova’ device. The plugin compares only the reported IOS XE version and does not determine whether the device is a ‘Nova’ device, so if the remote IOS XE instance is not running as one, consider this finding a false positive.

#TRUSTED 70ddb6fe0d8dbc7ccaf382570f0f476d58fc99b615c444c83fb7bf51899e7714303756300409a77fbd8bd0ff36774383ecd3751628bc4ed03d7337a4e6d0034adbd1ae03e28a8eb5f737c813b05702889b5d7a64fffee4ad39c71e0a47c9354c2150ef6f089df7712e51f3b724a4bdd66332bdd7234e479a0dc98cffc3f74137a6b80be4cd00f5a4a3c0667691bd0185881b902d85912243bc9c4e7d48aeb6cf8b4fd79e7d087d2b16a1e1192b0ff922689021fb0431b1b33aefb452cd5555f424328105481ff422b0183ac870cbd8a5050ea3ce13749849d5d7d3adcd3be86e705182abf147b35679ee304a817dd50de295f4c5a375fbf7a47df6dffeb42debea8f7e74ac82e35b9fd000fa8d3a09f097afad89d1d457e665aa50bfc88be38faf61e78802427d610616dea79ab04b76a97a1e2759af0a0584ce16df3b073e87b3996645c1478ef9851ec17b739e2583d04afc4529eaf7dc48e095aa790b9c2833146f7ef1d4e95ba795944dce1ac9cb2b992063288dcc41c16889c66b8a5cf3ac9cc5572a3b9c66631f95bfc1eadb5dd5bfa92914cdc3fd0f2cb181bad342f7e83e758da4884dd5091309c77a56bd79f2d87d5936b5c703b241219394b4003b4873f8657c366f30ca5eda4b3faa75dbdea0d3be7667f0bd8139dd221fff4b8e7d90efbe30a433799c0c1fdcc687deab476fd1040626779547e72a98f337edff
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration block: when `description` is set, only the metadata below is
# declared and the script exits (exit(0) at the end of this block) before
# any check runs.
# NOTE(review): the file opens with a #TRUSTED line, presumably a signature
# over the script text; confirm whether a locally edited copy has to be
# re-signed before it is deployed.
if (description)
{
  script_id(81595);
  script_version("1.10");
  script_cvs_date("Date: 2019/11/22");

  # Cross-references that tie this check to the GHOST advisory and to the
  # Cisco bug the version list further down is taken from.
  script_cve_id("CVE-2015-0235");
  script_bugtraq_id(72325);
  script_xref(name:"CERT", value:"967332");
  script_xref(name:"CISCO-BUG-ID", value:"CSCus69731");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20150128-ghost");

  script_name(english:"Cisco IOS XE GNU GNU C Library (glibc) Buffer Overflow (CSCus69731) (GHOST)");
  # The summary is accurate about scope: this is a version comparison, not
  # a test of the glibc functions named in the description.
  script_summary(english:"Checks IOS XE version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The remote Cisco device is running a version of Cisco IOS XE software
that is potentially affected by a heap-based buffer overflow
vulnerability in the GNU C Library (glibc) due to improperly
validated user-supplied input to the __nss_hostname_digits_dots(),
gethostbyname(), and gethostbyname2() functions. This allows a remote
attacker to cause a buffer overflow, resulting in a denial of service
condition or the execution of arbitrary code.

Note that this issue only affects those IOS XE instances that are
running as a 'Nova' device, and thus, if the remote IOS XE instance
is not running as a 'Nova' device, consider this a false positive.");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCus69731");
  # The two nessus.org short links below presumably redirect to the full
  # URLs given in the comment directly above each of them.
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fd2144f8");
  # https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c7a6ddbd");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in Cisco bug ID CSCus69731.");
  # CVSS v2 base vector: network attack vector, low complexity, no
  # authentication, complete confidentiality/integrity/availability impact.
  # Temporal vector: high exploitability, official fix, confirmed report.
  # cvss_score_source names the CVE as the origin of the score.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-0235");

  # Exploit-maturity metadata used for prioritisation.
  # NOTE(review): the Metasploit module named below is, by its name, for
  # Exim, so these flags presumably describe the CVE in general rather than
  # IOS XE specifically - weigh them accordingly when triaging.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Exim GHOST (glibc gethostbyname) Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/02/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/02");

  # Flagged as a potential vulnerability: the description limits the issue
  # to 'Nova' devices, and the check after this block matches version
  # strings only, so a hit still needs manual confirmation.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The check reads the IOS XE version from the knowledge base (presumably
  # stored there by cisco_ios_xe_version.nasl) and also requires the
  # Settings/ParanoidReport key, matching the paranoia gate in the check.
  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

# The Cisco bug limits exposure to IOS XE running as a 'Nova' device.
# Nothing below identifies such a device, so the check stops with
# AUDIT_PARANOID unless report_paranoia is at least 2.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

version = get_kb_item_or_exit("Host/Cisco/IOS-XE/Version");

# Affected releases per bug CSCus69731, converted from IOS version numbers.
# The bug lists no model restrictions. IOS version '15.0(2)EX' has no
# IOS XE mapping and is therefore absent, so this check does not cover it.
affected_releases = make_list(
  "3.1.0SG",
  "3.2.0SE",
  "3.2.0SG",
  "3.2.0XO",
  "3.3.0SE",
  "3.3.0XO",
  "3.4.0SG",
  "3.5.0E",
  "3.6.0E",
  "3.7.0E"
);

# Exact string equality only: no range or prefix comparison is made, so a
# release string that differs from every entry above is reported as not
# affected.
is_affected = FALSE;
foreach release (affected_releases)
{
  if (version == release)
  {
    is_affected = TRUE;
    break;
  }
}

if (is_affected)
{
  if (report_verbosity > 0)
  {
    # Verbose output names the bug ID and the release that matched.
    details = '\n  Cisco bug ID      : CSCus69731' + '\n  Installed release : ' + version + '\n';
    security_hole(port:0, extra:details);
  }
  else security_hole(port:0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| cisco | ios_xe | | cpe:/o:cisco:ios_xe |