Cisco IOS Software PROFINET denial of service (cisco-sa-20170927-profinet)

2017-10-05T00:00:00
ID CISCO-SA-20170927-PROFINET.NASL
Type nessus
Reporter Tenable
Modified 2018-08-09T00:00:00

Description

According to its self-reported version and configuration, the Cisco IOS software running on the remote device is affected by a denial of service vulnerability in the PROFINET Discovery and Configuration Protocol (PN-DCP) feature. An unauthenticated, remote attacker can exploit this, via specially crafted PN-DCP requests, to cause the switch to stop processing traffic, requiring a device restart to regain functionality.

                                        
                                            #TRUSTED 9ae102cd2b8eb0984cd101ca6f58d74b08a65379bf04bff305e260d89db066722c1b9d828709af4a848c54d0285efafe5ccebe47bc92b3a29c43cbd24faac0ea0175d551ba2bbbeec61baebe8b41b55752fbead55e4f65d40dc3c274ed839815c1f2e659aac93e682de42ae03e1b3e1c7494898115fa377c129f68073ae051556db7dcceff6bca23f6ea1b072c6d022728e0f83967648a9749e1485d017bab79f6c58cd94ecef3290d83dc95c55ec931399d806f4e8dd51b665ab28b035146b6c95127b29a8fbae5e48eff3b7101beafda0b2635aa37c065e6df45e0e7dde5e67498c01bcb62a800d21f8a9a7188c8c399502b02b4cf6f7b5e9e09c2795ba465269fc95bfbe8f560cc5a8ade9c88ec2255383c36dce9ea5ef98ea2811e696714d418a0b8231fafd9c6e49d491388978a99715e4d014210f4983c9b928ea957d6f012777fe701e54d9b0de104cb9e3a342abaf2db0e53746d347a3c5a70b18938ef6cccb8b840ab77f24583c9e747438354811448e9d431eb4937c76507f31d92816e714931f58a5a0672883da8ea32b3b67c5d7625b372dab58948b31e8b9dcdb23c97e2f059d33e8fe05ebc5772b5b2f27191cf2ef0c5c0f65d749a9804e0f8f57a66e4933fbac747e5440d1b2827a79c5ca34300a1a066d3058ebb26569e9fb9a435b9bd3638961506b5fb2d27015e4af75a1c739f7079acc83517fadef035
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin metadata. This branch only registers identifiers, references and
# scheduling requirements with the scanner, then exits; the detection logic
# is the code after this block.
if (description)
{
  script_id(103670);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/08/09");

  # Cross-references used to correlate this finding with the vendor advisory.
  script_cve_id("CVE-2017-12235");
  script_bugtraq_id(101043);
  script_xref(name:"CISCO-BUG-ID", value:"CSCuz47179");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170927-profinet");

  script_name(english:"Cisco IOS Software PROFINET denial of service (cisco-sa-20170927-profinet)");
  script_summary(english:"Checks the IOS version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version and configuration, the Cisco
IOS software running on the remote device is affected by a denial of
service vulnerability in the PROFINET Discovery and Configuration
Protocol (PN-DCP) feature. An unauthenticated, remote attacker can
exploit this, via specially crafted PN-DCP requests, to cause the
switch to stop processing traffic, requiring a device restart to
regain functionality.");
  # Vendor advisory; the see_also value below is presumably a shortened link to it.
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-profinet
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9b66383b");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCuz47179.");
  # Both vectors describe a network-reachable, low-complexity issue needing no
  # authentication or privileges, with availability as the only impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/09/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/05");

  # NOTE(review): "combined" presumably reflects that the check uses remote
  # version data plus an optional credentialed config read - confirm.
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_end_attributes();

  # Information gathering only: the result is derived from the stored version
  # string and, when available, the running configuration.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");

  # Requires the IOS version KB key, so the plugin is only relevant for hosts
  # where that key has been set.
  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

# IOS version string recorded in the knowledge base; the script stops here
# when the key is missing.
ver = get_kb_item_or_exit("Host/Cisco/IOS/Version");

# override : set when the configuration could not be read and the finding
#            rests on the version match alone
# flag     : set once the host is considered affected
override = 0;
flag = 0;

# IOS release strings treated as affected. The comparison against this list is
# an exact string match, so a release that is not spelled out here is never
# flagged, whatever its position relative to the listed ones.
# NOTE(review): presumably mirrors the affected releases for CSCuz47179 as of
# the plugin modification date - verify against the current advisory before
# relying on a negative result.
vuln_versions = make_list(
  '12.2(55)SE',
  '15.0(1)EY',
  '12.2(55)SE3',
  '12.2(52)SE',
  '12.2(58)SE',
  '12.2(52)SE1',
  '15.0(2)SE',
  '12.2(58)SE1',
  '12.2(55)SE4',
  '12.2(58)SE2',
  '12.2(55)SE5',
  '12.2(55)SE6',
  '15.0(2)SE1',
  '15.0(1)EY1',
  '15.0(2)SE2',
  '15.0(2)EC',
  '15.0(2)EB',
  '12.2(55)SE7',
  '15.2(2)E',
  '15.0(1)EY2',
  '15.0(2)EY',
  '15.0(2)SE3',
  '15.0(2)EY1',
  '15.0(2)SE4',
  '15.2(1)EY',
  '15.0(2)SE5',
  '15.0(2)EY2',
  '12.2(55)SE9',
  '15.0(2)EA1',
  '15.0(2)EY3',
  '15.0(2)SE6',
  '15.2(2)EB',
  '15.2(1)EY1',
  '12.4(25e)JAO3a',
  '12.4(25e)JAO20s',
  '12.2(55)SE10',
  '15.3(3)JN',
  '15.2(2)E1',
  '15.1(4)M11',
  '15.0(2)SE7',
  '15.2(2b)E',
  '15.2(3)E1',
  '15.2(2)E2',
  '15.3(3)SA',
  '15.2(2)E3',
  '12.4(25e)JAP3',
  '12.4(25e)JAO5m',
  '15.0(2)SE8',
  '15.0(2)SE9',
  '15.1(4)M12',
  '15.2(2a)E2',
  '15.2(3)E2',
  '15.2(2)EA1',
  '15.2(2)EA2',
  '15.2(3)EA',
  '15.2(3)EA1',
  '15.2(1)EY2',
  '15.2(2)JA3',
  '15.2(4)JB8',
  '15.3(3)JAX3',
  '15.3(3)JN5',
  '15.4(3)SN2',
  '15.5(2)SN0a',
  '15.2(3)E3',
  '15.2(2)EB1',
  '15.5(3)SN1',
  '15.3(3)JN6',
  '15.3(3)JBB3',
  '15.2(4)EA',
  '12.2(55)SE11',
  '15.2(2)E4',
  '15.2(4)EA1',
  '15.2(2)E5',
  '12.4(25e)JAP1n',
  '15.3(3)JBB7',
  '15.3(3)JC30',
  '15.2(3)E2a',
  '15.5(3)S2a',
  '15.3(3)JBB6a',
  '15.0(2)SE10',
  '15.2(3)EX',
  '15.3(3)JPB',
  '15.2(3)E4',
  '15.2(2)EA3',
  '15.2(2)EB2',
  '15.3(3)JNP2',
  '15.6(2)S0a',
  '15.2(4)EA3',
  '15.4(3)S5a',
  '15.5(3)S2b',
  '15.6(1)S1a',
  '12.4(25e)JAP9',
  '15.2(4)EC',
  '15.1(2)SG7a',
  '15.5(3)S3a',
  '15.3(3)JC50',
  '15.3(3)JC51',
  '15.6(2)S2',
  '15.3(3)JN10',
  '15.2(4)EB',
  '15.2(2)E6',
  '15.2(4)EA4',
  '15.2(4)EA2',
  '15.3(3)JPB2',
  '15.5(3)S4a',
  '15.2(2)E5a',
  '15.5(3)S4b',
  '15.2(3)E5',
  '15.0(2)SE10a',
  '15.2(4)EA5',
  '15.2(2)E5b',
  '15.2(5a)E1',
  '15.6(2)SP1b',
  '15.5(3)S4d',
  '15.6(2)SP1c',
  '15.2(4a)EA5',
  '15.5(3)S4e',
  '15.1(2)SG9',
  '15.3(3)JPC3',
  '15.3(3)JDA3',
  '15.5(3)S5a',
  '15.4(3)S6b',
  '15.4(3)S7a',
  '15.3(3)JNC4',
  '15.4(3)M7a',
  '15.5(3)S5b',
  '15.6(2)S3',
  '15.3(3)JC7',
  '15.6(2)SP2a',
  '15.3(3)JND2',
  '15.3(3)JCA7',
  '15.0(2)SQD7',
  '15.2(5)E2a',
  '15.2(5)E2b',
  '15.3(3)JE1',
  '15.3(3)JN12'
);

# Look for the detected release in the affected list. Comparison is plain
# string equality; the scan stops at the first hit.
foreach affected (vuln_versions)
{
  if (affected != ver)
    continue;

  flag++;
  break;
}

# Check that PROFINET is enabled. This refinement only runs for a version match
# when local checks are enabled; otherwise the version match alone decides the
# result.
if (flag && get_kb_item("Host/local_checks_enabled"))
{
  # From here on the configuration output decides, so the version hit is reset.
  flag = 0;
  buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config_|_include_profinet",
                              "show running-config | include profinet");
  if (check_cisco_result(buf))
  {
    # Treated as affected unless the filtered configuration contains
    # "no profinet".
    # NOTE(review): the pattern has no anchors, so any line containing that
    # substring clears the finding - confirm this cannot match a line that
    # leaves PROFINET itself enabled.
    # NOTE(review): how check_cisco_result() treats empty output is not visible
    # here - confirm what happens when the config has no "profinet" line at all.
    if (!preg(multiline:TRUE, pattern:"no profinet", string:buf))
      flag++;
  }
  else if (cisco_needs_enable(buf))
  {
    # The command needed enable privileges, so the configuration could not be
    # inspected: keep the finding and pass override to the report
    # (presumably marks it as unconfirmed - see cisco_func.inc).
    flag++;
    override++;
  }
  # If neither branch ran (output unusable for another reason), flag stays 0
  # and the host is subsequently audited as not vulnerable despite the version
  # match.
}

# Final verdict: audit out when nothing was flagged, otherwise raise the
# finding with the version, bug ID and the commands the result is based on.
if (!flag)
  audit(AUDIT_INST_VER_NOT_VULN, "Cisco IOS software", ver);
else
{
  security_report_cisco(
    port:0,
    severity:SECURITY_HOLE,
    override:override,
    version:ver,
    bug_id:'CSCuz47179',
    cmds:make_list('show running-config', 'show running-config | include profinet')
  );
}