Cisco IOS XE Software Quality of Service Remote Code Execution Vulnerability

2018-03-29T00:00:00
ID CISCO-SA-20180328-QOS-IOSXE.NASL
Type nessus
Reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-08-02T00:00:00

Description

According to its self-reported version, the IOS XE is affected by one or more vulnerabilities. Please see the included Cisco BIDs and the Cisco Security Advisory for more information.

                                        
                                            #TRUSTED 40f033780ed059ea8fc0ca1b2cbbd23cf8785fec0d25e5c4bde95380ebac7aa324d9ee86be5d0b3260ce50d7b658cc6e174b8d4068c86d9673b1c54e74ea99aa18e3db3ddd4896907703b9d58fd85cc79edd0081d2bbce3e92fd07cb76b8dd8f79478efe6d1eebc20575a518949e41279b6ae80caa63c4f9e18992d91d3bfb94fd8e8a54433a332c57eb49783e0a320997f7199c226304a3237d03d34a2f5cd2e0fe59842089a7b09298ceb14466078e3e7badf57dcb8d6f4c0d055aab72fb9e299871f2b041210d2a1ffc8db1d488c3477430095ae341a4532f03a40b2fb702212abd7917aa42ce96fbec63e8bf0dbcec6b679d10702f74d76c28d9fd3389ddfaff51486e21fc0126da99d1f3c0c23695f2c524f617956a50e4aa3c024aa2d2706aa4b6809f1740b1a44b1cc644e6939c4dbe62c674fbb1f388128ff0cef7063ef073dd091cb2f0a5bde4e37446f9cc3e3a2137b92b2badd95e2a1159f3492a04e3d88636a31612d5d62fe55f74846414e9ba4f176316c8274e3d8ca9c71e763ab6cb850ff325095ca442cced8aa3b5c4402152b78ab36295a2eba102cdd98c2dbb19e942fb7fba1495dd87fa9dc32383f750f85ce4f94810842c6b52cc73e427b25c640f966a31f28755614c73ee5861e687ebdb5ab9c0bc612d39e587b9e3e8196497893d22771ceeabb7d2805acb9876621ba3ac0a5331c39711d5c2e1ca
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(108721);
  script_version("1.12");
  script_cvs_date("Date: 2019/11/08");

  script_cve_id("CVE-2018-0151");
  script_bugtraq_id(103540);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvf73881");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180328-qos");

  script_name(english:"Cisco IOS XE Software Quality of Service Remote Code Execution Vulnerability");
  script_summary(english:"Checks the IOS XE version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the IOS XE is affected
by one or more vulnerabilities. Please see the included Cisco BIDs
and the Cisco Security Advisory for more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-qos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?10160b36");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf73881");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s)
CSCvf73881.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/29");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include("audit.inc");
include("cisco_workarounds.inc");
include("ccf.inc");

product_info = cisco::get_product_info(name:"Cisco IOS XE Software");

version_list = make_list(
  "15.2(2)E5b",
  "15.2(5a)E1",
  "15.2(6)E0b",
  "3.14.0S",
  "3.15.0S",
  "3.14.1S",
  "3.16.0S",
  "3.14.2S",
  "3.14.3S",
  "3.15.1S",
  "3.15.2S",
  "3.16.1S",
  "3.16.1aS",
  "3.15.3S",
  "3.16.2S",
  "15.5(3)S0a",
  "3.16.3S",
  "3.14.4S",
  "15.5(2)S4",
  "15.5(3)S4",
  "3.16.5S",
  "3.16.6S",
  "15.5(3)S6a",
  "15.5(3)S6b",
  "15.5(1)T",
  "15.5(2)T",
  "15.5(1)T3",
  "15.5(2)T1",
  "15.5(2)T2",
  "15.5(2)T3",
  "15.5(2)T4",
  "15.5(1)T4",
  "15.5(3)M",
  "15.5(3)M1",
  "15.5(3)M0a",
  "15.5(3)M2",
  "15.5(3)M3",
  "15.5(3)M4",
  "15.5(3)M4a",
  "15.5(3)M5",
  "15.5(3)M6",
  "15.5(3)M6a",
  "15.5(3)SN",
  "3.17.0S",
  "3.18.0S",
  "15.6(2)S1",
  "3.17.1S",
  "3.17.2S",
  "15.6(2)S0a",
  "15.6(2)S2",
  "3.17.3S",
  "15.6(2)S3",
  "3.17.4S",
  "15.6(2)S4",
  "15.6(1)T",
  "15.6(2)T",
  "15.6(1)T0a",
  "15.6(1)T1",
  "15.6(2)T1",
  "15.6(1)T2",
  "15.6(2)T2",
  "15.6(1)T3",
  "15.6(2)T3",
  "15.3(1)SY3",
  "15.6(2)SP",
  "15.6(2)SP1",
  "15.6(2)SP2",
  "15.6(2)SP3",
  "15.6(2)SN",
  "15.3(3)JD8",
  "15.6(3)M",
  "15.6(3)M1",
  "15.6(3)M0a",
  "15.6(3)M1b",
  "15.6(3)M2",
  "15.6(3)M2a",
  "15.6(3)M3",
  "15.6(3)M3a",
  "15.3(3)JDA8",
  "15.3(3)JF2",
  "15.7(3)M",
  "15.7(3)M0a"
  );

workarounds = make_list(CISCO_WORKAROUNDS['show_udp_dmvpn']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_HOLE,
  'version'  , product_info['version'],
  'bug_id'   , "CSCvf73881",
  'cmds'     , make_list("show udp")
);

cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list);