CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
AI Score Confidence: High
EPSS Percentile: 9.0%
According to its self-reported version, Cisco IOS-XE Software is affected by a vulnerability.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
  script_id(193270);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/12");

  script_cve_id("CVE-2024-20259");
  script_xref(name:"CISCO-BUG-ID", value:"CSCwh59449");
  script_xref(name:"CISCO-SA", value:"cisco-sa-dhcp-dos-T3CXPO9z");
  script_xref(name:"IAVA", value:"2024-A-0188");

  script_name(english:"Cisco IOS XE Software DHCP Snooping with Endpoint Analytics DoS (cisco-sa-dhcp-dos-T3CXPO9z)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS-XE Software is affected by a vulnerability.
- A vulnerability in the DHCP snooping feature of Cisco IOS XE Software could allow an unauthenticated,
remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS)
condition. This vulnerability is due to a crafted IPv4 DHCP request packet being mishandled when endpoint
analytics are enabled. An attacker could exploit this vulnerability by sending a crafted DHCP request
through an affected device. A successful exploit could allow the attacker to cause the device to reload,
resulting in a DoS condition. Note: The attack vector is listed as network because a DHCP relay anywhere
on the network could allow exploits from networks other than the adjacent one. (CVE-2024-20259)
Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dhcp-dos-T3CXPO9z
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ab86ccef");
  # https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75056
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a1da659d");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh59449");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwh59449");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-20259");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(122);

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/03/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/03/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/04/12");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version", "Host/Cisco/IOS-XE/Model");

  exit(0);
}
include('cisco_workarounds.inc');
include('ccf.inc');
var product_info = cisco::get_product_info(name:'Cisco IOS XE Software');
var model = toupper(product_info.model);
# Only the following models are checked further; any other model is audited out as not affected:
# Catalyst 9000 Series Switches
# DNA Traffic Telemetry Appliance
if (('CATALYST' >!< model || model !~ "9[0-9]+") && 'DN-APL-TTA' >!< model)
  audit(AUDIT_HOST_NOT, 'affected');
var version_list = make_list(
  '17.1.1',
  '17.1.1a',
  '17.1.1s',
  '17.1.1t',
  '17.1.2',
  '17.1.3',
  '17.2.1',
  '17.2.1a',
  '17.2.1r',
  '17.2.1v',
  '17.2.2',
  '17.2.3',
  '17.3.1',
  '17.3.1a',
  '17.3.1w',
  '17.3.1x',
  '17.3.1z',
  '17.3.2',
  '17.3.2a',
  '17.3.3',
  '17.3.3a',
  '17.3.4',
  '17.3.4a',
  '17.3.4b',
  '17.3.4c',
  '17.3.5',
  '17.3.5a',
  '17.3.5b',
  '17.3.6',
  '17.3.7',
  '17.3.8',
  '17.3.8a',
  '17.4.1',
  '17.4.1a',
  '17.4.1b',
  '17.4.1c',
  '17.4.2',
  '17.4.2a',
  '17.5.1',
  '17.5.1a',
  '17.6.1',
  '17.6.1a',
  '17.6.1w',
  '17.6.1x',
  '17.6.1y',
  '17.6.1z',
  '17.6.1z1',
  '17.6.2',
  '17.6.3',
  '17.6.3a',
  '17.6.4',
  '17.6.5',
  '17.6.5a',
  '17.6.6',
  '17.6.6a',
  '17.7.1',
  '17.7.1a',
  '17.7.1b',
  '17.7.2',
  '17.8.1',
  '17.8.1a',
  '17.9.1',
  '17.9.1a',
  '17.9.1w',
  '17.9.1x',
  '17.9.1x1',
  '17.9.1y',
  '17.9.1y1',
  '17.9.2',
  '17.9.2a',
  '17.9.3',
  '17.9.3a',
  '17.9.4',
  '17.9.4a',
  '17.10.1',
  '17.10.1a',
  '17.10.1b',
  '17.11.1',
  '17.11.1a',
  '17.11.99SW',
  '17.12.1',
  '17.12.1a',
  '17.12.1w'
);
# Configuration checks: with require_all_generic_workarounds set, both the
# dhcp_snooping_vlan and show_avc_sd_service checks must match.
var workarounds = make_list(CISCO_WORKAROUNDS['generic_workaround']);
var workaround_params = [
  WORKAROUND_CONFIG['dhcp_snooping_vlan'],
  WORKAROUND_CONFIG['show_avc_sd_service'],
  {'require_all_generic_workarounds': TRUE}
];

var reporting = make_array(
  'port'    , product_info['port'],
  'severity', SECURITY_HOLE,
  'version' , product_info['version'],
  'bug_id'  , 'CSCwh59449',
  'cmds'    , make_list('show running-config', 'show avc sd-service info detailed'),
  'fix'     , 'See vendor advisory'
);

# Compare the self-reported version against the affected list, apply the
# configuration checks, and report.
cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_versions:version_list
);