nessus: CISCO-SA-DNX-ACL-PYZDKEYF-IOSXR.NASL
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
History: Nov 24, 2023 - 12:00 a.m.

Cisco IOS XR Software Access Control List Bypass (cisco-sa-dnx-acl-PyzDkeYF)

www.tenable.com

CVSS3: 7.5 High

  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: HIGH
  Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score: 7.2 High (Confidence: Low)

EPSS: 0.001 Low (Percentile: 30.4%)

According to its self-reported version, Cisco IOS XR is affected by a vulnerability.

  • A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to incomplete support for this feature. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass an ACL on the affected device. There are workarounds that address this vulnerability. This advisory is part of the September 2023 release of the Cisco IOS XR Software Security Advisory Bundled Publication.
    For a complete list of the advisories and links to them, see Cisco Event Response: September 2023 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication. (CVE-2023-20191)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(186227);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/24");

  script_cve_id("CVE-2023-20191");
  script_xref(name:"CISCO-BUG-ID", value:"CSCwe63504");
  script_xref(name:"CISCO-SA", value:"cisco-sa-dnx-acl-PyzDkeYF");

  script_name(english:"Cisco IOS XR Software Access Control List Bypass (cisco-sa-dnx-acl-PyzDkeYF)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XR is affected by a vulnerability.

  - A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of
    Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This
    vulnerability is due to incomplete support for this feature. An attacker could exploit this vulnerability
    by attempting to send traffic through an affected device. A successful exploit could allow the attacker to
    bypass an ACL on the affected device. There are workarounds that address this vulnerability. This advisory
    is part of the September 2023 release of the Cisco IOS XR Software Security Advisory Bundled Publication.
    For a complete list of the advisories and links to them, see Cisco Event Response: September 2023
    Semiannual Cisco IOS XR Software Security Advisory Bundled Publication . (CVE-2023-20191)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnx-acl-PyzDkeYF
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ccb9c2c6");
  # https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75241
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6a0abd7f");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe63504");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwe63504");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-20191");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/09/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/09/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/24");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xr_version.nasl");
  script_require_keys("Host/Cisco/IOS-XR/Version");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

var product_info = cisco::get_product_info(name:'Cisco IOS XR');
var ingress_found = FALSE;

var override = 0;
# Not using cisco_workarounds.inc because it's not likely to be reused 

# Check for mpls enabled
var buf = cisco_command_kb_item('Host/Cisco/Config/show_mpls_interfaces', 'show mpls interfaces');

if (check_cisco_result(buf))
{
  var pattern = "^([a-zA-Z0-9\/]+)\s+((Yes|No)\s+([a-zA-Z0-9\(\)]*)\s+)+Yes$";
  buf = split(buf, sep:'\n', keep:FALSE);
  
  foreach line (buf)
  {
    var conf_match = pregmatch(pattern:pattern, multiline:TRUE, string:line);

    if (!isnull(conf_match) && !isnull(conf_match[1]))
    {
      # Sample output; the pattern matches the interface line, whose last column (Enabled) is Yes:
      #   RP/0/RP0/CPU0:NCS5501-1##show mpls interfaces
      #   Thu Mar 16 02:47:56.142 UTC
      #   Interface                  LDP      Tunnel   Static   Enabled
      #   -------------------------- -------- -------- -------- --------
      #   TenGigE0/0/0/0             No       No       No       Yes
      # save found interface ex. TenGigE0/0/0/0
      var interface = conf_match[1];

      # check interfaces have either an IPv4 or IPv6 ingress ACL applied
      # (trailing space in the command keeps the interface name a separate argument)
      var buf2 = cisco_command_kb_item('Host/Cisco/Config/show_run_interface', 'show run interface ' + interface);

      if (check_cisco_result(buf2))
      {
        var pattern2 = "ipv[46].*ingress";

        var conf_match2 = pregmatch(pattern:pattern2, multiline:TRUE, string:buf2);

        if (!isnull(conf_match2))
        {
          ingress_found = TRUE;
          break;
        }
      }
      else if (cisco_needs_enable(buf2)) # test the per-interface output; buf is a split list by now
        override = 1;
    }
  }
}
else if (cisco_needs_enable(buf))
  override = 1;

if (!ingress_found)
    audit(AUDIT_HOST_NOT, "affected because IP ingress ACL filtering on MPLS interfaces is not configured on the host");

var model = toupper(product_info.model);

# Vulnerable model list
if ('IOSXRWBD' >!< model && ('NCS' >!< model && model !~ "5[46][0-9]{1}|5[57][0-9]{2}"))
    audit(AUDIT_HOST_NOT, 'affected');

if ('NCS5500' >< model)
{
    smus['7.0.1'] = 'CSCwe63504';
    smus['7.7.2'] = 'CSCwe63504';
}

if ('IOSXRWBD' >< model)
{
    smus['7.2.1'] = 'CSCwe63504';
    smus['7.4.15'] = 'CSCwe63504';
    smus['7.7.2'] = 'CSCwe63504';
}

if ('NCS540L' >< model)
{
    smus['7.7.2'] = 'CSCwe63504';
}

vuln_ranges = [
  {'min_ver' : '6.4',  'fix_ver' : '7.7.21'},
  {'min_ver' : '7.8',  'fix_ver' : '7.9.2'},
  {'min_ver' : '7.10', 'fix_ver' : '7.10.1'}
];

var reporting = make_array(
  'port'    , product_info['port'],
  'severity', SECURITY_HOLE,
  'version' , product_info['version'],
  'bug_id'  , 'CSCwe63504',
  'cmds'    , make_list('show mpls interfaces', 'show run interface') 
);

cisco::check_and_report(
  product_info:product_info,
  reporting:reporting,
  vuln_ranges:vuln_ranges,
  smus:smus
);

Vendor   Product   Version   CPE
cisco    ios_xr    -         cpe:/o:cisco:ios_xr
