Cisco IOS XE Software Raw Socket Transport Denial of Service Vulnerability

2019-10-09T00:00:00
ID CISCO-SA-20190925-RAWTCP-DOS.NASL
Type nessus
Reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2019-10-09T00:00:00

Description

According to its self-reported version, Cisco IOS XE Software is affected by a vulnerability. The vulnerability in the Raw Socket Transport feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to improper parsing of Raw Socket Transport payloads. An attacker could exploit this vulnerability by establishing a TCP session and then sending a malicious TCP segment via IPv4 to an affected device. This cannot be exploited via IPv6, as the Raw Socket Transport feature does not support IPv6 as a network layer protocol.

Please see the included Cisco bug ID (CSCvj91021) and the Cisco Security Advisory (cisco-sa-20190925-rawtcp-dos) for more information.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration block: when the script is loaded with `description` set, it only
# declares the plugin's metadata (identifiers, advisory text, scoring,
# dependencies) and then exits, so none of the check logic below runs.
if (description)
{
  script_id(129732);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/10");

  # Identifiers that tie this finding to the vendor advisory and bug record.
  script_cve_id("CVE-2019-12653");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvj91021");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20190925-rawtcp-dos");

  script_name(english:"Cisco IOS XE Software Raw Socket Transport Denial of Service Vulnerability");
  script_summary(english:"Checks the version of Cisco IOS XE Software");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  # The description states up front that the result rests on the version the
  # device reports about itself, not on exercising the Raw Socket Transport
  # parser.
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected by a vulnerability. The vulnerability in
the Raw Socket Transport feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger
a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to improper
parsing of Raw Socket Transport payloads. An attacker could exploit this vulnerability by establishing a TCP session
and then sending a malicious TCP segment via IPv4 to an affected device. This cannot be exploited via IPv6, as the Raw
Socket Transport feature does not support IPv6 as a network layer protocol. 

Please see the included Cisco BIDs and Cisco Security Advisory for more information");
  # The next see_also is a shortened link; the URL below records the advisory it
  # is expected to resolve to.
  # NOTE(review): the first two see_also links use plain http -- confirm they
  # still redirect to the intended Cisco pages.
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-rawtcp-dos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0cd2a48a");
  script_set_attribute(attribute:"see_also", value:"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-72547");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj91021");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvj91021");
  # Scoring: both base vectors describe a network-reachable issue that needs no
  # authentication or privileges and affects availability only (C and I are
  # "none"). The temporal vectors record no known exploit code (E:U) and an
  # official fix (RL:OF / RL:O).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-12653");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  # CWE-20 (Improper Input Validation), consistent with the "improper parsing"
  # root cause given in the description.
  script_cwe_id(20);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/09/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/09");

  # Declared as a "local" check: the plugin depends on version data gathered by
  # cisco_ios_xe_version.nasl (see script_dependencies / script_require_keys
  # below), so hosts where that data could not be collected are not assessed.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites: the IOS XE version plugin and the KB key it is expected to
  # populate.
  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  # Metadata only -- leave before the detection logic.
  exit(0);
}

include('audit.inc');
include('cisco_workarounds.inc');
include('ccf.inc');

# Detection logic for CVE-2019-12653 (Cisco bug CSCvj91021).
#
# The result is a version/model match against data reported for the host; no
# traffic is crafted for the Raw Socket Transport feature in this script.

# Product details for the scanned host; the 'model' and 'version' fields are
# the ones used below.
product_info = cisco::get_product_info(name:'Cisco IOS XE Software');

# Scope gate: only models containing "ASR90" followed by a single digit and
# then a non-digit or end of string are assessed. Any other host is audited
# out as not being an affected model (audit() is expected to end the script).
# NOTE(review): a model string written with a separator (constructed example:
# "ASR-903") would not match and the host would be reported as unaffected --
# confirm the format returned by cisco::get_product_info.
device_model = toupper(product_info['model']);
if (device_model !~ 'ASR90[0-9]([^0-9]|$)')
{
  audit(AUDIT_HOST_NOT, 'an affected model');
}

# Report settings: severity, the version string shown in the finding, the
# Cisco bug ID, and the device command associated with the report.
# NOTE(review): presumably the command output lets an operator confirm whether
# a raw-socket TCP listener is actually configured -- verify in ccf.inc.
reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_HOLE,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvj91021',
  'cmds'     , make_list('show raw-socket tcp detail | include Socket|listening')
);

# Releases treated as vulnerable. This is an exact list, so a release that is
# not spelled out here is not flagged by this plugin.
affected_releases = make_list(
  '3.2.0JA',
  '16.9.4',
  '16.9.3s', '16.9.3h', '16.9.3a', '16.9.3',
  '16.9.2s', '16.9.2a', '16.9.2',
  '16.9.1s', '16.9.1d', '16.9.1c', '16.9.1b', '16.9.1a', '16.9.1'
);

# Hand everything to the shared Cisco helper. The single workaround entry is
# looked up under 'raw_socket_tcp_iosxe' and takes no extra parameters.
# NOTE(review): presumably this keeps devices without raw-socket TCP configured
# from being flagged -- confirm in cisco_workarounds.inc.
cisco::check_and_report(
  product_info:product_info,
  workarounds:make_list(CISCO_WORKAROUNDS['raw_socket_tcp_iosxe']),
  workaround_params:make_list(),
  reporting:reporting,
  vuln_versions:affected_releases,
  router_only:TRUE
);