Cisco IOS Software PROFINET denial of service (cisco-sa-20170927-profinet)

2017-10-05T00:00:00
ID CISCO-SA-20170927-PROFINET.NASL
Type nessus
Reporter Tenable
Modified 2018-08-24T00:00:00

Description

According to its self-reported version and configuration, the Cisco IOS software running on the remote device is affected by a denial of service vulnerability in the PROFINET Discovery and Configuration Protocol (PN-DCP) feature. An unauthenticated, remote attacker can exploit this, via specially crafted PN-DCP requests, to cause the switch to stop processing traffic, requiring a device restart to regain functionality.

                                        
                                            #TRUSTED 06c55237cc11a49185b5b5c79ee1a046cdb96588837d3087bdcd5f5063302d8f263acaa27520446034f8f3aba8c173a94420cdd2f7b90278aa30d0922cab76c670283634813f4407dfb253ea01807606faebaaa207b4abafef3ed6e28106fe93192c861c7d8207bddbf730d2d3fea41e231998c4337beea8843945657a1d5aaffa7eac21726dd3a72e3e4130cf793c0b3e586dd8bd33ca8d0ecb1ce402bb95562edba1f0f80cfbcd4c1f543315bcf8d1848d3bea36a4500cc9177b03160ecfb6a23481f4d1a781d4a012ac12b8d87cd6fcc598bc95f356bede63484cbb3ef3a0fa2ab13bce5dc3bd677f34ac98bdca92678050903ce01b899046e2a73eff6988f83be432400faeeb6c6adbaaddb847b02a6d07177ef2bbe5de231efe3358bf44c320cf83ebc6cdb98bf39e86abee2e25f1b7aa24f2172069bca3756483ea63436f5872c2169dd72cadae6e08ffc6ebd4bec724846138fead356dd3906ff9e9c9151cf174979fa888e2f6906b0d4f56bd74be60571b99099e37f83a5dbcb57bb4e4cbe6c33b5f2597e7836b7f1976537888aee8c6d45781d082ea8209b1bc5c3a940c7fecc1ee94f121af785fa5d154449f708441d56a237ca951952879a1d264fe9d84edc2d539906a9504b4b9f66daf81b3d644ded3e1aba79c6b7128d8855c10bfe7d62d4009da70a0df8476cd2938fa6fae1a51f3758c25e29b2aceedf889
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(103670);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/08/24");

  script_cve_id("CVE-2017-12235");
  script_bugtraq_id(101043);
  script_xref(name:"CISCO-BUG-ID", value:"CSCuz47179");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170927-profinet");

  script_name(english:"Cisco IOS Software PROFINET denial of service (cisco-sa-20170927-profinet)");
  script_summary(english:"Checks the IOS version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version and configuration, the Cisco
IOS software running on the remote device is affected by a denial of
service vulnerability in the PROFINET Discovery and Configuration
Protocol (PN-DCP) feature. An unauthenticated, remote attacker can
exploit this, via specially crafted PN-DCP requests, to cause the
switch to stop processing traffic, requiring a device restart to
regain functionality.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-profinet
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9b66383b");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCuz47179.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-12235");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/09/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/05");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version");

  exit(0);
}

include("audit.inc");
include("cisco_workarounds.inc");
include("ccf.inc");

product_info = cisco::get_product_info(name:"Cisco IOS");

version_list = make_list(
  '12.2(55)SE',
  '15.0(1)EY',
  '12.2(55)SE3',
  '12.2(52)SE',
  '12.2(58)SE',
  '12.2(52)SE1',
  '15.0(2)SE',
  '12.2(58)SE1',
  '12.2(55)SE4',
  '12.2(58)SE2',
  '12.2(55)SE5',
  '12.2(55)SE6',
  '15.0(2)SE1',
  '15.0(1)EY1',
  '15.0(2)SE2',
  '15.0(2)EC',
  '15.0(2)EB',
  '12.2(55)SE7',
  '15.2(2)E',
  '15.0(1)EY2',
  '15.0(2)EY',
  '15.0(2)SE3',
  '15.0(2)EY1',
  '15.0(2)SE4',
  '15.2(1)EY',
  '15.0(2)SE5',
  '15.0(2)EY2',
  '12.2(55)SE9',
  '15.0(2)EA1',
  '15.0(2)EY3',
  '15.0(2)SE6',
  '15.2(2)EB',
  '15.2(1)EY1',
  '12.4(25e)JAO3a',
  '12.4(25e)JAO20s',
  '12.2(55)SE10',
  '15.3(3)JN',
  '15.2(2)E1',
  '15.1(4)M11',
  '15.0(2)SE7',
  '15.2(2b)E',
  '15.2(3)E1',
  '15.2(2)E2',
  '15.3(3)SA',
  '15.2(2)E3',
  '12.4(25e)JAP3',
  '12.4(25e)JAO5m',
  '15.0(2)SE8',
  '15.0(2)SE9',
  '15.1(4)M12',
  '15.2(2a)E2',
  '15.2(3)E2',
  '15.2(2)EA1',
  '15.2(2)EA2',
  '15.2(3)EA',
  '15.2(3)EA1',
  '15.2(1)EY2',
  '15.2(2)JA3',
  '15.2(4)JB8',
  '15.3(3)JAX3',
  '15.3(3)JN5',
  '15.4(3)SN2',
  '15.5(2)SN0a',
  '15.2(3)E3',
  '15.2(2)EB1',
  '15.5(3)SN1',
  '15.3(3)JN6',
  '15.3(3)JBB3',
  '15.2(4)EA',
  '12.2(55)SE11',
  '15.2(2)E4',
  '15.2(4)EA1',
  '15.2(2)E5',
  '12.4(25e)JAP1n',
  '15.3(3)JBB7',
  '15.3(3)JC30',
  '15.2(3)E2a',
  '15.5(3)S2a',
  '15.3(3)JBB6a',
  '15.0(2)SE10',
  '15.2(3)EX',
  '15.3(3)JPB',
  '15.2(3)E4',
  '15.2(2)EA3',
  '15.2(2)EB2',
  '15.3(3)JNP2',
  '15.6(2)S0a',
  '15.2(4)EA3',
  '15.4(3)S5a',
  '15.5(3)S2b',
  '15.6(1)S1a',
  '12.4(25e)JAP9',
  '15.2(4)EC',
  '15.1(2)SG7a',
  '15.5(3)S3a',
  '15.3(3)JC50',
  '15.3(3)JC51',
  '15.6(2)S2',
  '15.3(3)JN10',
  '15.2(4)EB',
  '15.2(2)E6',
  '15.2(4)EA4',
  '15.2(4)EA2',
  '15.3(3)JPB2',
  '15.5(3)S4a',
  '15.2(2)E5a',
  '15.5(3)S4b',
  '15.2(3)E5',
  '15.0(2)SE10a',
  '15.2(4)EA5',
  '15.2(2)E5b',
  '15.2(5a)E1',
  '15.6(2)SP1b',
  '15.5(3)S4d',
  '15.6(2)SP1c',
  '15.2(4a)EA5',
  '15.5(3)S4e',
  '15.1(2)SG9',
  '15.3(3)JPC3',
  '15.3(3)JDA3',
  '15.5(3)S5a',
  '15.4(3)S6b',
  '15.4(3)S7a',
  '15.3(3)JNC4',
  '15.4(3)M7a',
  '15.5(3)S5b',
  '15.6(2)S3',
  '15.3(3)JC7',
  '15.6(2)SP2a',
  '15.3(3)JND2',
  '15.3(3)JCA7',
  '15.0(2)SQD7',
  '15.2(5)E2a',
  '15.2(5)E2b',
  '15.3(3)JE1',
  '15.3(3)JN12'
);

workarounds = make_list(CISCO_WORKAROUNDS['profinet']);

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_HOLE,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCuz47179',
  'cmds'     , make_list('show running-config')
);

cisco::check_and_report(product_info:product_info, workarounds:workarounds, reporting:reporting, vuln_versions:version_list);