Cisco IOS Software PROFINET denial of service (cisco-sa-20170927-profinet)

2017-10-05T00:00:00
ID CISCO-SA-20170927-PROFINET.NASL
Type nessus
Reporter Tenable
Modified 2018-04-05T00:00:00

Description

According to its self-reported version and configuration, the Cisco IOS software running on the remote device is affected by a denial of service vulnerability in the PROFINET Discovery and Configuration Protocol (PN-DCP) feature. An unauthenticated, remote attacker can exploit this, via specially crafted PN-DCP requests, to cause the switch to stop processing traffic, requiring a device restart to regain functionality.

                                        
                                            #TRUSTED 42571fc8b7ef1804ceb23184ec466271d21e4ff92070fd7d3499816eea52b4adc09e7dd446a60ba2253f65be0fe3160bdf31fdea0e69ecdf8401b6cb304b6104f0ea44582fe3a27c262e85e4e750f1c927d316927eba9ec459dfc01bd0320f2b2be06b8b105aff90f9013c1becd521adfccc869d301e045f3ec2537966edbb640230fb0abdae4fa11e7dad4379b9796260decc9cf64d8135310c2f3d32bf25159a452e1b2d42b882f0e3e9b6ddfe28643a1a10f82879d390575a1fe30aebf1bdbbb3eb62bd85d5c397abcba4f68d68618e2d7f7e7afe006841783cd20be73c3cf6987955c2c7e0918f17a249b1386c6ae9805c83414380fee10a38abbb1b2a552798a79cdcab7760e5bce6f51a744ba7a65b4796877e5b1f18158741dbb25f01c06dd33668a95f9fdfde8e5c8e8ad07a1889d54e2bbca96c3ee394a40a83275ba93478c8649dfd0b74e461e96d663ba13746719e1731badc8dd99932abd99c75c8c825b19d71f9baea0ca4c1215e87571fa3af89d3f3ccf71d2abc57cf9815f811a943f5af1c04abea272224db137fa0d1efb5a80ed54d9e6e3c59010654af58e2779925fb1ba567774b0a06273de81a5d9a7421911c1d361c2c4645d086480212c340498d071e410fa1fe0bc8e4fbb4cfaaef5d6503d3c064b4de4baf4fe13235c3202676fd68fce50855e92921adc56bbc36b31e28db21d251c3d22c237118
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  # Plugin identity and revision.
  script_id(103670);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/04/05");

  script_name(english:"Cisco IOS Software PROFINET denial of service (cisco-sa-20170927-profinet)");
  script_summary(english:"Checks the IOS version.");

  # External identifiers for this advisory (CVE, BID, OSVDB, Cisco bug/SA).
  script_cve_id("CVE-2017-12235");
  script_bugtraq_id(101043);
  script_osvdb_id(166259);
  script_xref(name:"CISCO-BUG-ID", value:"CSCuz47179");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170927-profinet");

  # Text shown in the report. The description is a multi-line literal and
  # must stay byte-identical to what the plugin has always emitted.
  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version and configuration, the Cisco
IOS software running on the remote device is affected by a denial of
service vulnerability in the PROFINET Discovery and Configuration
Protocol (PN-DCP) feature. An unauthenticated, remote attacker can
exploit this, via specially crafted PN-DCP requests, to cause the
switch to stop processing traffic, requiring a device restart to
regain functionality.");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCuz47179.");
  # Shortened link; expands to
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-profinet
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9b66383b");

  # Unauthenticated network DoS: availability impact only.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");

  # Disclosure / patch / plugin timeline.
  script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/09/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/05");

  # "combined": version check, refined by a config check when local
  # checks are available.
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");
  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");

  # Needs the IOS version collected by the version-gathering plugin.
  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

# Self-reported IOS version; the plugin exits here if the KB item is absent.
ver = get_kb_item_or_exit("Host/Cisco/IOS/Version");

# flag     - non-zero once the device is considered affected.
# override - raised when the configuration could not be inspected and the
#            finding rests on the version string alone.
flag = 0;
override = 0;

# Affected IOS release strings. Matching below is an exact string
# comparison against the self-reported version, so each entry must be
# spelled exactly as IOS reports it (including rebuild suffixes such as
# "E2a" or "SN0a"). The list is not ordered.
# NOTE(review): presumably transcribed from the Cisco advisory's affected
# releases; the vendor list is the authority if the two ever diverge.
vuln_versions = make_list(
  '12.2(55)SE',
  '15.0(1)EY',
  '12.2(55)SE3',
  '12.2(52)SE',
  '12.2(58)SE',
  '12.2(52)SE1',
  '15.0(2)SE',
  '12.2(58)SE1',
  '12.2(55)SE4',
  '12.2(58)SE2',
  '12.2(55)SE5',
  '12.2(55)SE6',
  '15.0(2)SE1',
  '15.0(1)EY1',
  '15.0(2)SE2',
  '15.0(2)EC',
  '15.0(2)EB',
  '12.2(55)SE7',
  '15.2(2)E',
  '15.0(1)EY2',
  '15.0(2)EY',
  '15.0(2)SE3',
  '15.0(2)EY1',
  '15.0(2)SE4',
  '15.2(1)EY',
  '15.0(2)SE5',
  '15.0(2)EY2',
  '12.2(55)SE9',
  '15.0(2)EA1',
  '15.0(2)EY3',
  '15.0(2)SE6',
  '15.2(2)EB',
  '15.2(1)EY1',
  '12.4(25e)JAO3a',
  '12.4(25e)JAO20s',
  '12.2(55)SE10',
  '15.3(3)JN',
  '15.2(2)E1',
  '15.1(4)M11',
  '15.0(2)SE7',
  '15.2(2b)E',
  '15.2(3)E1',
  '15.2(2)E2',
  '15.3(3)SA',
  '15.2(2)E3',
  '12.4(25e)JAP3',
  '12.4(25e)JAO5m',
  '15.0(2)SE8',
  '15.0(2)SE9',
  '15.1(4)M12',
  '15.2(2a)E2',
  '15.2(3)E2',
  '15.2(2)EA1',
  '15.2(2)EA2',
  '15.2(3)EA',
  '15.2(3)EA1',
  '15.2(1)EY2',
  '15.2(2)JA3',
  '15.2(4)JB8',
  '15.3(3)JAX3',
  '15.3(3)JN5',
  '15.4(3)SN2',
  '15.5(2)SN0a',
  '15.2(3)E3',
  '15.2(2)EB1',
  '15.5(3)SN1',
  '15.3(3)JN6',
  '15.3(3)JBB3',
  '15.2(4)EA',
  '12.2(55)SE11',
  '15.2(2)E4',
  '15.2(4)EA1',
  '15.2(2)E5',
  '12.4(25e)JAP1n',
  '15.3(3)JBB7',
  '15.3(3)JC30',
  '15.2(3)E2a',
  '15.5(3)S2a',
  '15.3(3)JBB6a',
  '15.0(2)SE10',
  '15.2(3)EX',
  '15.3(3)JPB',
  '15.2(3)E4',
  '15.2(2)EA3',
  '15.2(2)EB2',
  '15.3(3)JNP2',
  '15.6(2)S0a',
  '15.2(4)EA3',
  '15.4(3)S5a',
  '15.5(3)S2b',
  '15.6(1)S1a',
  '12.4(25e)JAP9',
  '15.2(4)EC',
  '15.1(2)SG7a',
  '15.5(3)S3a',
  '15.3(3)JC50',
  '15.3(3)JC51',
  '15.6(2)S2',
  '15.3(3)JN10',
  '15.2(4)EB',
  '15.2(2)E6',
  '15.2(4)EA4',
  '15.2(4)EA2',
  '15.3(3)JPB2',
  '15.5(3)S4a',
  '15.2(2)E5a',
  '15.5(3)S4b',
  '15.2(3)E5',
  '15.0(2)SE10a',
  '15.2(4)EA5',
  '15.2(2)E5b',
  '15.2(5a)E1',
  '15.6(2)SP1b',
  '15.5(3)S4d',
  '15.6(2)SP1c',
  '15.2(4a)EA5',
  '15.5(3)S4e',
  '15.1(2)SG9',
  '15.3(3)JPC3',
  '15.3(3)JDA3',
  '15.5(3)S5a',
  '15.4(3)S6b',
  '15.4(3)S7a',
  '15.3(3)JNC4',
  '15.4(3)M7a',
  '15.5(3)S5b',
  '15.6(2)S3',
  '15.3(3)JC7',
  '15.6(2)SP2a',
  '15.3(3)JND2',
  '15.3(3)JCA7',
  '15.0(2)SQD7',
  '15.2(5)E2a',
  '15.2(5)E2b',
  '15.3(3)JE1',
  '15.3(3)JN12'
);

# Exact-match lookup of the reported version in the affected list.
# No normalisation is applied: a version that differs only in case or
# whitespace from a list entry is treated as not affected.
foreach candidate (vuln_versions)
{
  if (candidate != ver) continue;
  flag++;
  break;
}

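# A version match alone is not conclusive: the advisory applies only when
# the PROFINET feature is active. When local checks are available, discard
# the version-only result and re-derive it from the running configuration.
# (Without local checks the version match stands on its own.)
if (flag && get_kb_item("Host/local_checks_enabled"))
{
  flag = 0;
  buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config_|_include_profinet",
                              "show running-config | include profinet");
  if (check_cisco_result(buf))
  {
    # Only an explicit "no profinet" line clears the device; any other
    # accepted output re-raises the flag.
    # NOTE(review): this assumes PROFINET defaults to enabled on the
    # affected platforms, so a config with no profinet lines at all is
    # still reported as vulnerable - confirm against the advisory.
    if (!preg(multiline:TRUE, pattern:"no profinet", string:buf))
      flag++;
  }
  else if (cisco_needs_enable(buf))
  {
    # The config could not be read without enable mode: fall back to the
    # version match and mark the finding as unconfirmed via override.
    flag++;
    override++;
  }
}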

# audit() terminates the plugin, so everything past this line is a finding.
if (!flag) audit(AUDIT_INST_VER_NOT_VULN, "Cisco IOS software", ver);

# Report the hole; override is non-zero only when the configuration could
# not be inspected, and the listed commands are shown as supporting evidence.
security_report_cisco(
  port     : 0,
  severity : SECURITY_HOLE,
  override : override,
  version  : ver,
  bug_id   : 'CSCuz47179',
  cmds     : make_list('show running-config', 'show running-config | include profinet')
);