Cisco ASA Software DNS Response Message Handling DoS (cisco-sa-20170419-asa-dns)

2017-04-25T00:00:00
ID CISCO-SA-20170419-ASA-DNS.NASL
Type nessus
Reporter Tenable
Modified 2018-08-09T00:00:00

Description

According to its self-reported version and configuration, the Cisco Adaptive Security Appliance (ASA) software running on the remote device is affected by a denial of service vulnerability in the DNS code due to improper handling of crafted DNS response messages. An unauthenticated, remote attacker can exploit this, via a specially crafted DNS response, to cause the device to reload or corrupt the local DNS cache information.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration branch: when the scanner loads the plugin with `description`
# set, only the metadata below is published and the script exits before any
# target interaction.
if (description)
{
  script_id(99665);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/08/09");

  # Cross-references for the flaw this plugin detects: the CVE, the BugTraq
  # entry, the Cisco bug ID and the Cisco security advisory.
  script_cve_id("CVE-2017-6607");
  script_bugtraq_id(97933);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvb40898");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170419-asa-dns");

  script_name(english:"Cisco ASA Software DNS Response Message Handling DoS (cisco-sa-20170419-asa-dns)");
  script_summary(english:"Checks the ASA version.");

  # Report text shown to the user. The finding is a remotely triggerable,
  # unauthenticated denial of service in the ASA DNS client code.
  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version and configuration, the Cisco
Adaptive Security Appliance (ASA) software running on the remote
device is affected by a denial of service vulnerability in the DNS
code due to improper handling of crafted DNS response messages. An
unauthenticated, remote attacker can exploit this, via a specially
crafted DNS response, to cause the device to reload or corrupt the
local DNS cache information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170419-asa-dns
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?75ae1722");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb40898");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco security
advisory cisco-sa-20170419-asa-dns.");
  # CVSSv2: network vector, medium complexity, no authentication, impact on
  # availability only (complete). CVSSv3: network, low complexity, no
  # privileges or user interaction, availability impact high.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");

  # Advisory and fix were published the same day; the plugin followed six
  # days later.
  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/25");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:adaptive_security_appliance_software");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");

  # The check relies on the ASA version and model gathered over SSH by the
  # dependency plugins; both KB keys must be present for this plugin to run.
  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
  script_require_keys("Host/Cisco/ASA", "Host/Cisco/ASA/model");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

# Pull the ASA version string and platform model gathered by the SSH
# dependency plugins; if either is missing there is nothing to check.
asa = get_kb_item_or_exit('Host/Cisco/ASA');
model = get_kb_item_or_exit('Host/Cisco/ASA/model');

version = extract_asa_version(asa);
if (isnull(version)) audit(AUDIT_FN_FAIL, 'extract_asa_version');

# Platforms covered by the advisory. The trailing "($|[^0-9])" lets a
# suffix such as "-X" follow the four-digit model number while rejecting
# longer numeric model strings.
affected_model_patterns = make_list(
  '^1000V',                    # 1000V
  '^55[0-9][0-9]($|[^0-9])',   # 5500 & 5500-X
  '^65[0-9][0-9]($|[^0-9])',   # 6500
  '^76[0-9][0-9]($|[^0-9])',   # 7600
  '^93[0-9][0-9]($|[^0-9])',   # Firepower 9300 ASA
  '^30[0-9][0-9]($|[^0-9])'    # ISA 3000
);

# The virtual appliance (ASAv) reports its model as a bare 'v'.
is_affected_model = (model == 'v');
foreach pattern (affected_model_patterns)
{
  if (model =~ pattern) is_affected_model = TRUE;
}

if (!is_affected_model) audit(AUDIT_HOST_NOT, "an affected Cisco ASA product");

cbi = 'CSCvb40898';

# Resolve the running train to the release that carries the fix for
# CSCvb40898. Trains without a fix of their own (everything before 9.1, and
# 9.3) are always reported and pointed at the next train's fixed release;
# trains that did receive a fix are reported only when the running release is
# older than that fix.
fixed_ver = NULL;

if (version =~ "^[0-8]\." || version =~ "^9\.0[^0-9]")
  fixed_ver = "9.1(7.12)";
else if (version =~ "^9\.3[^0-9]")
  fixed_ver = "9.4(3.12)";
else
{
  fix_by_train = make_array(
    "^9\.1[^0-9]", "9.1(7.12)",
    "^9\.2[^0-9]", "9.2(4.18)",
    "^9\.4[^0-9]", "9.4(3.12)",
    "^9\.5[^0-9]", "9.5(3.2)",
    "^9\.6[^0-9]", "9.6(2.2)"
  );
  foreach train_re (keys(fix_by_train))
  {
    # The regex test short-circuits so check_asa_release() only runs for the
    # one train the version actually belongs to.
    if (version =~ train_re && check_asa_release(version:version, patched:fix_by_train[train_re]))
      fixed_ver = fix_by_train[train_re];
  }
}

# Anything not matched above (a patched release, or a train not listed here)
# is treated as not vulnerable.
if (isnull(fixed_ver)) audit(AUDIT_INST_VER_NOT_VULN, "Cisco ASA software", version);

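override = FALSE;
flag = FALSE;

# The vulnerable DNS client code is only reachable when a name-server is
# configured under a DNS server group, so confirm that from the running
# configuration whenever SSH local checks are available.
if (get_kb_item("Host/local_checks_enabled"))
{
  buf = cisco_command_kb_item("Host/Cisco/Config/show running-config dns server-group", "show running-config dns server-group");

  if (check_cisco_result(buf))
  {
    # name-server takes an IP address. Match IPv4 dotted quads and IPv6
    # hex/colon forms so an IPv6-only resolver configuration is not missed
    # (the previous pattern only accepted digits and dots).
    if (
      ("DNS server-group" >< buf) &&
      (preg(multiline:TRUE, pattern:"name-server [0-9a-fA-F:\.]+", string:buf))
    ) flag = TRUE;
  }
  # The config could not be read because the session lacks enable
  # privileges: fall back to a version-only result and flag it as an override.
  else if (cisco_needs_enable(buf)) override = TRUE;

  # NOTE(review): any other command failure also ends up here and is reported
  # with this "not configured" wording even though the configuration was not
  # actually verified in that case.
  if (!flag && !override) audit(AUDIT_HOST_NOT, "affected because a DNS server IP address is not configured under a DNS server group");
}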

# Report only when the DNS server-group configuration was confirmed, or when
# it could not be read for lack of enable privileges (override). With neither
# set -- including the case where local checks were never enabled -- the
# device is audited as not vulnerable even though its version is in the
# affected range; NOTE(review): that is a version-only false-negative path.
if (!flag && !override) audit(AUDIT_INST_VER_NOT_VULN, "Cisco ASA software", version);

security_report_cisco(
  port     : 0,
  severity : SECURITY_HOLE,
  override : override,
  version  : version,
  bug_id   : cbi,
  fix      : fixed_ver,
  cmds     : make_list("show running-config dns server-group")
);