Lucene search

K
nessusThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.CISCO-SA-20170405-CFPW.NASL
HistoryMay 25, 2017 - 12:00 a.m.

Cisco Firepower Detection Engine SSL Multiple DoS (cisco-sa-20170405-cfpw) (cisco-sa-20170405-cfpw1)

2017-05-2500:00:00
This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
www.tenable.com
19

CVSS2

7.1

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

48.1%

According to its version, the Cisco Firepower Threat Defense (FTD) software installed on the remote device is prior to 6.1.0.2 or else is 6.2.x prior to 6.2.0.1. It is, therefore, affected by multiple vulnerabilities :

  • A denial of service vulnerability exists in the detection engine reassembly of Secure Sockets Layer (SSL) packets due to improper handling of an SSL packet stream. An unauthenticated, remote attacker can exploit this, via a crafted SSL packet stream, to cause the Snort process to consume a high level of CPU resources.
    (CVE-2017-3885)

  • A denial of service vulnerability exists in the detection engine due to improper handling of an SSL packet in an established SSL connection. An unauthenticated, remote attacker can exploit this, via a crafted SSL packet stream, to cause the Snort process to restart, allowing traffic inspection to be bypassed or traffic to be dropped. (CVE-2017-3887)

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(100423);
  script_version("1.5");
  script_cvs_date("Date: 2018/07/06 11:26:06");

  script_cve_id("CVE-2017-3885", "CVE-2017-3887");
  script_bugtraq_id(97451, 97453);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvc58563");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvb62292");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170405-cfpw");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170405-cfpw1");

  script_name(english:"Cisco Firepower Detection Engine SSL Multiple DoS (cisco-sa-20170405-cfpw) (cisco-sa-20170405-cfpw1)");
  script_summary(english:"Checks the version of Cisco Firepower System.");

  script_set_attribute(attribute:"synopsis", value:
"The packet inspection software installed on the remote host is
affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its version, the Cisco Firepower Threat Defense (FTD)
software installed on the remote device is prior to 6.1.0.2 or else is
6.2.x prior to 6.2.0.1. It is, therefore, affected by multiple
vulnerabilities :

  - A denial of service vulnerability exists in the
    detection engine reassembly of Secure Sockets Layer
    (SSL) packets due to improper handling of an SSL packet
    stream. An unauthenticated, remote attacker can exploit
    this, via a crafted SSL packet stream, to cause the
    Snort process to consume a high level of CPU resources.
    (CVE-2017-3885)

  - A denial of service vulnerability exists in the
    detection engine due to improper handling of an SSL
    packet in an established SSL connection. An
    unauthenticated, remote attacker can exploit this, via a
    crafted SSL packet stream, to cause the Snort process to
    restart, allowing traffic inspection to be bypassed or
    traffic to be dropped. (CVE-2017-3887)");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170405-cfpw
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6debfa41");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170405-cfpw1
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5bc33ad5");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc58563");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc58563");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCvc58563 and CSCvb62292.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/25");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type",value:"local");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:cisco:firepower");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:cisco:firepower_threat_defense");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");

  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
  script_require_keys("Host/Cisco/ASA", "Host/Cisco/ASA/model", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("misc_func.inc");
include("global_settings.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

show_ver = get_kb_item_or_exit('Host/Cisco/show_ver');
model = get_kb_item_or_exit('Host/Cisco/ASA/model');

# Affected Models:
# 5500-X Series
if (
   model !~ '^55[0-9][0-9][WH]?-X'
) audit(AUDIT_HOST_NOT, "an affected Cisco ASA product model");

fix = NULL;
override = 0;

fdm_ver = pregmatch(string:show_ver, pattern:"\s*Model\s*:\s+Cisco.*Threat\s+Defense.*Version\s+([0-9.]+)");

if (isnull(fdm_ver)) audit(AUDIT_HOST_NOT, "affected");

else if (fdm_ver[1] =~ "^6\.2\.")
  fix = '6.2.0.1';
else
  fix = '6.1.0.2';

if (fix && (ver_compare(ver:fdm_ver[1], fix:fix, strict:FALSE) < 0))
{
  report =
    '\n  Bug               : CSCvc58563 and CSCvb62292' +
    '\n  Installed version : ' + fdm_ver[1] +
    '\n  Fixed version     : ' + fix;
  security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
} else audit(AUDIT_HOST_NOT, "affected");

CVSS2

7.1

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

48.1%

Related for CISCO-SA-20170405-CFPW.NASL