Cisco ASA Software SSL / TLS Packet Handling DoS (cisco-sa-20170419-asa-tls)

2017-04-25T00:00:00
ID CISCO-SA-20170419-ASA-TLS.NASL
Type nessus
Reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-02-02T00:00:00

Description

According to its self-reported version and configuration, the Cisco Adaptive Security Appliance (ASA) software running on the remote device is affected by a denial of service vulnerability in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) code due to improper parsing of crafted SSL or TLS packets. An unauthenticated, remote attacker can exploit this, via specially crafted packets, to cause the device to reload.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration. When `description` is set, this branch records the
# plugin's metadata and exits, so none of the host checks further down run.
if (description)
{
  script_id(99667);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/13");

  # Cross-references tying the finding to the CVE, the Bugtraq entry, the
  # Cisco bug ID and the Cisco advisory.
  script_cve_id("CVE-2017-6608");
  script_bugtraq_id(97937);
  script_xref(name:"CISCO-BUG-ID", value:"CSCuv48243");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170419-asa-tls");

  script_name(english:"Cisco ASA Software SSL / TLS Packet Handling DoS (cisco-sa-20170419-asa-tls)");
  # The summary states the detection method: a version check, not a probe of
  # the SSL/TLS service itself.
  script_summary(english:"Checks the ASA version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version and configuration, the Cisco
Adaptive Security Appliance (ASA) software running on the remote
device is affected by a denial of service vulnerability in the Secure
Sockets Layer (SSL) and Transport Layer Security (TLS) code due to
improper parsing of crafted SSL or TLS packets. An unauthenticated,
remote attacker can exploit this, via specially crafted packets, to
cause the device to reload.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170419-asa-tls
  # NOTE(review): the first see_also value is a shortened link over plain
  # http; the comment above presumably gives the advisory URL it resolves to.
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?262b831a");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuv48243");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco security
advisory cisco-sa-20170419-asa-tls.");
  # Base vectors: reachable over the network, low complexity, no
  # authentication or user interaction, availability impact only.
  # Temporal vectors: exploit maturity unproven (E:U), official fix
  # available, report confirmed.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-6608");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  # Disclosure and patch share the same date; the plugin followed six days later.
  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/25");

  # "local" plugin type: the verdict comes from data collected from the device
  # (KB entries and command output read below), not from network traffic
  # generated by this script.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:adaptive_security_appliance_software");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Plugins scheduled before this one; presumably they populate the
  # Host/Cisco/ASA keys required on the next line -- confirm against those plugins.
  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
  script_require_keys("Host/Cisco/ASA", "Host/Cisco/ASA/model");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

# Both KB entries are mandatory; by its name, get_kb_item_or_exit() ends the
# plugin when an entry is missing.
asa = get_kb_item_or_exit('Host/Cisco/ASA');
model = get_kb_item_or_exit('Host/Cisco/ASA/model');

# Derive the release string from the KB value. A null result is audited as a
# failure of the helper rather than treated as "not vulnerable".
version = extract_asa_version(asa);
if (isnull(version))
{
  audit(AUDIT_FN_FAIL, 'extract_asa_version');
}

# Only the product lines listed here are in scope for this check. The
# ($|[^0-9]) suffix stops a four-digit prefix from matching a longer number.
if (!(
  model =~ '^1000V' ||                   # 1000V
  model =~ '^55[0-9][0-9]($|[^0-9])' ||  # 5500 & 5500-X
  model =~ '^65[0-9][0-9]($|[^0-9])' ||  # 6500
  model =~ '^76[0-9][0-9]($|[^0-9])' ||  # 7600
  model =~ '^93[0-9][0-9]($|[^0-9])' ||  # Firepower 9300 ASA
  model =~ '^30[0-9][0-9]($|[^0-9])' ||  # ISA 3000
  model == 'v'                           # ASAv
))
{
  audit(AUDIT_HOST_NOT, "an affected Cisco ASA product");
}

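# Cisco bug ID that is passed to the report call.
cbi = 'CSCuv48243';

# Map the running release train to the fixed release this plugin reports.
# check_asa_release() comes from an include; judging by its use here it
# returns TRUE when `version` is older than `patched` -- confirm against
# cisco_func.inc.
if (version =~ "^8\.4[^0-9]" && check_asa_release(version:version, patched:"8.4(7.31)"))
  fixed_ver = "8.4(7.31)";
# Catch-all for trains before 9.0, which are pointed at 9.1(7). The 8.4 train
# is excluded because it has its own fixed release above: without the
# exclusion, an 8.4 release at or beyond 8.4(7.31) fails the first test,
# matches "^[0-8]\." and is reported as vulnerable (a false positive).
else if (version =~ "^[0-8]\." && version !~ "^8\.4[^0-9]")
  fixed_ver = "9.1(7)";
else if (version =~ "^9\.0[^0-9]" && check_asa_release(version:version, patched:"9.0(4.39)"))
  fixed_ver = "9.0(4.39)";
else if (version =~ "^9\.1[^0-9]" && check_asa_release(version:version, patched:"9.1(7)"))
  fixed_ver = "9.1(7)";
else if (version =~ "^9\.2[^0-9]" && check_asa_release(version:version, patched:"9.2(4.6)"))
  fixed_ver = "9.2(4.6)";
else if (version =~ "^9\.3[^0-9]" && check_asa_release(version:version, patched:"9.3(3.8)"))
  fixed_ver = "9.3(3.8)";
else if (version =~ "^9\.4[^0-9]" && check_asa_release(version:version, patched:"9.4(2)"))
  fixed_ver = "9.4(2)";
else if (version =~ "^9\.5[^0-9]" && check_asa_release(version:version, patched:"9.5(2)"))
  fixed_ver = "9.5(2)";
# Anything else (a patched release on a listed train, or a train not listed
# here) is audited as not vulnerable; fixed_ver is never set on this path.
else audit(AUDIT_INST_VER_NOT_VULN, "Cisco ASA software", version);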

# Configuration check on top of the version match.
#   flag     - the device output mentions SSL sockets
#   override - the output could not be read because enable privileges are
#              needed, so the finding is reported on version alone and
#              `override` is passed through to the report call
flag = FALSE;
override = FALSE;

if (get_kb_item("Host/local_checks_enabled"))
{
  buf = cisco_command_kb_item("Host/Cisco/Config/show asp table socket | include SSL", "show asp table socket | include SSL");

  if (!check_cisco_result(buf))
  {
    # Unusable output: only a missing-enable condition keeps the finding alive.
    if (cisco_needs_enable(buf)) override = TRUE;
  }
  else if ("SSL" >< buf)
  {
    # Any occurrence of "SSL" in the filtered socket table counts as exposure.
    flag = TRUE;
  }

  if (!(flag || override)) audit(AUDIT_HOST_NOT, "affected because it is not configured to process SSL or TLS packets");
}

# NOTE(review): when local checks are not enabled, both flags are still FALSE
# here and the host is audited as "version not vulnerable" even though the
# version matched a vulnerable train earlier; the SSL configuration was never
# inspected. Treat that audit result as "not verified" rather than "safe".
if (!flag && !override)
{
  audit(AUDIT_INST_VER_NOT_VULN, "Cisco ASA software", version);
}
else
{
  security_report_cisco(
    port     : 0,
    severity : SECURITY_HOLE,
    override : override,
    version  : version,
    bug_id   : cbi,
    fix      : fixed_ver,
    cmds     : make_list("show asp table socket | include SSL")
  );
}