Cisco IOS XE Wireless Controller Manager DoS (cisco-sa-20170927-ios-xe)

2019-11-22T00:00:00
ID CISCO-SA-20170927-IOS-XE.NASL
Type nessus
Reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2019-11-22T00:00:00

Description

According to its self-reported version, Cisco IOS XE Software is affected by a denial of service (DoS) vulnerability due to insufficient input validation in the wireless controller manager. An unauthenticated, adjacent attacker can exploit this, by submitting a crafted association request, to cause the switch to restart repeatedly and, consequently, stop responding.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

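# Plugin metadata. This branch runs only when `description` is set and ends with exit(0), so none of the detection
# logic that follows the block executes in that mode.
if (description)
{
  script_id(131192);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/29");

  # Identifiers for the single issue this plugin covers.
  script_cve_id("CVE-2017-12222");
  script_bugtraq_id(101035);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvd45069");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170927-ios-xe");

  script_name(english:"Cisco IOS XE Wireless Controller Manager DoS (cisco-sa-20170927-ios-xe)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  # User-facing text. The last paragraph states the key limitation: the result is based on the self-reported
  # version number, not on a test of the flaw.
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected by a denial of service (DoS) vulnerability
due to insufficient input validation in the wireless controller manager. An unauthenticated, adjacent attacker can
exploit this, by submitting a crafted association request, to cause the switch to restart repeatedly and, consequently,
stop responding.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-ios-xe
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2904d654");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd45069");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s) CSCvd45069.");
  # Both base vectors describe an adjacent-network (AV:A), unauthenticated attack whose only impact is on
  # availability (A:C in CVSS2, A:H in CVSS3); confidentiality and integrity are rated none.
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-12222");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/09/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Declares the version-collection plugin as a dependency and requires the version KB key.
  # NOTE(review): presumably that key is written by cisco_ios_xe_version.nasl - confirm.
  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}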

include('cisco_workarounds.inc');
include('ccf.inc');

# Collect what earlier plugins recorded about the device. product_info supplies the .model and .version fields
# used below.
product_info = cisco::get_product_info(name:'Cisco IOS XE Software');
# NOTE(review): `model` is not referenced again in this file; confirm nothing in the included libraries depends on
# it before treating it as dead code.
model = get_kb_item('Host/Cisco/IOS-XE/Model');
# NOTE(review): going by its name, get_kb_item_or_exit() stops the plugin when the key is absent. That would happen
# before the paranoia fallback further down, so a host with no recorded device model would never reach it -
# confirm this is intended.
device_model = get_kb_item_or_exit('Host/Cisco/device_model');

# Affected models:
# Cisco Catalyst 3650 and 3850 switches
# A previous advisory had the last two digits both 0 for Catalyst even though more precision was specified in the
# advisory, so do the same here.
# The model pattern is unanchored and accepts any 36xx/38xx number, so it is broader than the two affected
# families; the device_model test is what restricts it to "cat" devices.
vuln = FALSE;
if (device_model =~ "cat" &&
    product_info.model =~ "3[68][0-9]{2}")
  vuln = TRUE;

# The 'show version' output from the advisory contains no model. In case we don't have a model match but paranoia is
# enabled, we'll continue to report.
# With report_paranoia below 2, a host that failed the model test is audited out as not affected. At 2 or above the
# plugin carries on without a model match, so a finding in that mode rests on the remaining checks alone and should
# be confirmed against the device's actual hardware model.
if (!vuln && report_paranoia < 2)
  audit(AUDIT_HOST_NOT, "affected");

# Version window checked for this advisory.
# NOTE(review): presumably flags releases from 16.1 up to, but not including, 16.3.4 - the comparison itself lives
# in the included library; confirm.
vuln_ranges = [{'min_ver' : '16.1',  'fix_ver' : '16.3.4'}];

# Configuration condition taken from the shared CISCO_WORKAROUNDS table, passed with an empty parameter list.
# NOTE(review): presumably this limits the finding to devices that have a wireless controller interface configured,
# which would match the 'show wireless interface summary' command listed in the report fields - verify in
# cisco_workarounds.inc.
workarounds = make_list(CISCO_WORKAROUNDS['wlc_interface']);
workaround_params = make_list();

# Fields handed to the reporting helper: port 0, SECURITY_WARNING severity, the detected version, the Cisco bug ID
# and the command associated with the finding.
reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info.version,
  'bug_id'   , 'CSCvd45069',
  'cmds'     , make_list('show wireless interface summary')
);

# Delegate the version and workaround evaluation, and the report itself, to the shared checker.
# NOTE(review): switch_only:TRUE presumably restricts reporting to switches - confirm in ccf.inc.
cisco::check_and_report(
  product_info:product_info,
  reporting:reporting,
  vuln_ranges:vuln_ranges,
  workarounds:workarounds,
  workaround_params:workaround_params,
  switch_only:TRUE
);