7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.2 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
30.4%
According to its self-reported version, Cisco IOS XR is affected by a vulnerability.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.
#TRUSTED 055798cbe2d0823c45f792145ed047c4c70786f5955cb277f17de48e7f4ea9f38023e16d3cf9da9ca149247f13e579cabd2ab8622fa519cb6e4796c50750b9a174b2878a3dd1c8a35046114b27371150caf3f3e490ecf74f7c1ca8a67dee3ef1721ff492caf30c7a641daadb05f94ce6491b44968f6e340ec780ce8fca51ef28a274bc04c9e29d2f62490c47c846a2284f64d8103eb83347664c5573d77d1c39226c26338a9901f85e92511bc887d2a43fd6e2c48b29fa105fe74cbfac61fc4069a3795fd57ea2b02242c2113ca7439eb5c39d8ee9f78ae061d93147ced99068caac83416ed9c3f5aae4af814a82f6af119e3ae68104951cda48e43f6b8bebd37635f94c0a0621cfde1f9c84156c57556efe5e5e77f4d00279957a76e76d8dc00f5baf189a4b382e3a9be69fbfd3ef088c9b284d0410129b2c8174a1c7a9942e4ff9407f4ff0f2b81948a51352a6b50b6c880cc87487824a3b7a9eb46f81d27790600019dec9fe828a7a029dce4211ff37a972a5c546a63e43ebdcd744214f83a6d3ccc4f58e6a59115bb2eb7b5cc87a2f944844e62f8e9b59da5d65b42004e90b7ae9a6b15bab91539847d2bee9d5632628fccccb76f87e2b0ae510e26fc3616518da4fd73c4abb7729623ed2b876cd60786ae92bdd06be345a148ae32d625b2b248b939317fd08a0fd52e938d513c549b679d32611e9368e90191260f23431
#TRUST-RSA-SHA256 43f6a781e16aedd1bbb60901fcf1e58bb1c19253e78971708e346e1bd6f77a1a5ca2b9e15257093278c103e12fe1b8fcdbe6051beba343f0f6bc8edce31ae3fed18ea3ada93d24f3ef1ef4fda67bf217ad96d9a8ea2cb3e90eb994752d7b9636c92e3042a57d2b2b65167c1e201b51b7235c83650414ed90a411e05812745e25753e061b6e9df2037a2a586b31247dc23638237c8d0c72ba2ffcba65ba7eec3aefd4eaee673d3ddddc5a38c1fb56cb1f94727317718a19a78c5bb94b552b7dfffb6ff7aefc56bf2c3153b475cee2edbe00b746d776e93ff10ffa250a2d63709bb0630b6e972adffcdba3555599bb80c348800c3eec94519e1b09c868e34bc91a6bfc91fe69f1b848ee7ffca822016e7d07051c1618996d785502aa84b19030132ad34f05402eb3ead647d71bae2358247fb77ce0e737c0f0e58d05ffce3a60e6340f8455a51b8acc830f25c3e5e270cd33764fe66b52aac3b62e739d11bb9dc475c2d762f6f55ca8c26e0b09b985232abfb75b5a059ffc986c9592066429a35ec3be48be8da89ea82af91fa46d93e7d243935b01e7eea360d059b04e35a1fcfb83e1528f2478818852d963ab2e5ff883c26e0043941b78e812acb5ddfa614f31fcd092d2f932b8e37136d4527d172b658dfe8aeaca9c3113c982b8c0c3198b5f2caccc84650fde967957a93f21d28bbd6db9561ec150433178bee7f752771e3b
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(186227);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/24");
script_cve_id("CVE-2023-20191");
script_xref(name:"CISCO-BUG-ID", value:"CSCwe63504");
script_xref(name:"CISCO-SA", value:"cisco-sa-dnx-acl-PyzDkeYF");
script_name(english:"Cisco IOS XR Software Access Control List Bypass (cisco-sa-dnx-acl-PyzDkeYF)");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XR is affected by a vulnerability.
- A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of
Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This
vulnerability is due to incomplete support for this feature. An attacker could exploit this vulnerability
by attempting to send traffic through an affected device. A successful exploit could allow the attacker to
bypass an ACL on the affected device. There are workarounds that address this vulnerability. This advisory
is part of the September 2023 release of the Cisco IOS XR Software Security Advisory Bundled Publication.
For a complete list of the advisories and links to them, see Cisco Event Response: September 2023
Semiannual Cisco IOS XR Software Security Advisory Bundled Publication . (CVE-2023-20191)
Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
# https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnx-acl-PyzDkeYF
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ccb9c2c6");
# https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75241
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6a0abd7f");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe63504");
script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwe63504");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-20191");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/09/13");
script_set_attribute(attribute:"patch_publication_date", value:"2023/09/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/24");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("cisco_ios_xr_version.nasl");
script_require_keys("Host/Cisco/IOS-XR/Version");
exit(0);
}
include('cisco_workarounds.inc');
include('ccf.inc');
var product_info = cisco::get_product_info(name:'Cisco IOS XR');
var ingress_found = FALSE;
var override = 0;
# Not using cisco_workarounds.inc because it's not likely to be reused
# Check for mpls enabled
var buf = cisco_command_kb_item('Host/Cisco/Config/show_mpls_interfaces', 'show mpls interfaces');
if (check_cisco_result(buf))
{
var pattern = "^([a-zA-Z0-9\/]+)\s+((Yes|No)\s+([a-zA-Z0-9\(\)]*)\s+)+Yes$";
buf = split(buf, sep:'\n', keep:FALSE);
foreach line (buf)
{
var conf_match = pregmatch(pattern:pattern, multiline:TRUE, string:line);
if (!isnull(conf_match) && !isnull(conf_match[1]))
{
# RP/0/RP0/CPU0:NCS5501-1##show mpls interfaces
# Thu Mar 16 02:47:56.142 UTC
# Interface LDP Tunnel Static Enabled
# -------------------------- -------- -------- -------- --------
# TenGigE0/0/0/0 No No No Yes
# save found interface ex. TenGigE0/0/0/0
var interface = conf_match[1];
# check interfaces have either an IPv4 or IPv6 ingress ACL applied
var buf2 = cisco_command_kb_item('Host/Cisco/Config/show_run_interface', 'show run interface' + interface);
if (check_cisco_result(buf2))
{
var pattern2 = "ipv[46].*ingress";
var conf_match2 = pregmatch(pattern:pattern2, multiline:TRUE, string:buf2);
if (!isnull(conf_match2))
{
ingress_found = TRUE;
break;
}
}
else if (cisco_needs_enable(buf))
override = 1;
}
}
}
else if (cisco_needs_enable(buf))
override = 1;
if (!ingress_found)
audit(AUDIT_HOST_NOT, "affected because IP ingress ACL filtering on MPLS interfaces is not configured on the host");
var model = toupper(product_info.model);
# Vulnerable model list
if ('IOSXRWBD' >!< model && ('NCS' >!< model && model !~ "5[46][0-9]{1}|5[57][0-9]{2}"))
audit(AUDIT_HOST_NOT, 'xaffected');
if ('NCS5500' >< model)
{
smus['7.0.1'] = 'CSCwe63504';
smus['7.7.2'] = 'CSCwe63504';
}
if ('IOSXRWBD' >< model)
{
smus['7.2.1'] = 'CSCwe63504';
smus['7.4.15'] = 'CSCwe63504';
smus['7.7.2'] = 'CSCwe63504';
}
if ('NCS540L' >< model)
{
smus['7.7.2'] = 'CSCwe63504';
}
vuln_ranges = [
{'min_ver' : '6.4', 'fix_ver' : '7.7.21'},
{'min_ver' : '7.8', 'fix_ver' : '7.9.2'},
{'min_ver' : '7.10', 'fix_ver' : '7.10.1'}
];
var reporting = make_array(
'port' , product_info['port'],
'severity', SECURITY_HOLE,
'version' , product_info['version'],
'bug_id' , 'CSCwe63504',
'cmds' , make_list('show mpls interfaces', 'show run interface')
);
cisco::check_and_report(
product_info:product_info,
reporting:reporting,
vuln_ranges:vuln_ranges,
smus:smus
);
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.2 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
30.4%