CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
17.0%
A vulnerability with the handling of MPLS traffic for Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause the netstack process to unexpectedly restart, which could cause the device to stop processing network traffic or to reload. This vulnerability is due to lack of proper error checking when processing an ingress MPLS frame. An attacker could exploit this vulnerability by sending a crafted IPv6 packet that is encapsulated within an MPLS frame to an MPLS-enabled interface of the targeted device. A successful exploit could allow the attacker to cause a denial of service (DoS) condition. Note: The IPv6 packet can be generated multiple hops away from the targeted device and then encapsulated within MPLS. The DoS condition may occur when the NX-OS device processes the packet.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#TRUSTED 2963c141da35c01b1affd0aea055c53e022a3a65bb57d6dce426cbb70e7df71137608a09227cb94b0ca39d92eaf9c3fd7b09d9befd6a7b0ab68f0b695adca84a9a5f4749e3a06dc6bda94baad5bd72b9f59eca5bb75e9a7c882e53f4eee5c6d6fd62d0ddcc832d9bdf1610bfa6081f0c0cfea05c7112dc9e42f60629b5c8a05105155aeb92c84f27f95b929e442dda4ca5a4630569bf7714514f2ddd7350e0814860df32a9ebab799f9c7462259bb9fcc80c01b1454f521aba37154b7d144adea1e8ef9d9b3fd423bca89fc9af67efb890e82bd533615972dedc4901105065e09fec3477e9732b5246216b3a5a1d28d0d8deaac7f8948db343da1b3906dfe57a1805e1bafac020440caeed8835aa1407983f268eac4626fd20adc09f4bb986f4bc9a2b917c2a23a513ae4fc27d067a4343093211303cb4eb2cce1952bce5d7635d67dd3a19f09e76ab36c3c3d6b27336679648b7e4650743038e0cc3699d934ae1c1e441db059df124d4bd8da8f4f912282b1c5c4c57e38cf13b224722d033d17ff2a6f11ba84689e93b49702f8188c8def4851ba18e72c9390c94b38e3daf2c7ea0e4392f137cc3b2b49d0f15e0c9b307c08b7975a606742906056962258433d0eba8da3816481c74f2fc9d8599b7976b3e7cea7e7efef9e2eabbee31bd0736665aaebbc53c6617fe6d01a5e581ee7353fac66ca1ec0788d8eb6c3aa6f99923
#TRUST-RSA-SHA256 6e5688b415701e2689f22bce541ff7d47d89c308c0e4ce207a121adc212232b015f2b729c83c473f4c66e1cce301ac28a57c7ffb994e789e581eebd9bd85614e364043a8e8dac60651bcc6682be528944e710621ad72f0c4e45bc8b1be3d5819bbd7248692aaaeac91fb58c5df4514607683d41d19c45347f42b12c15f78fe9a0efa7d8443ced5a755e96e9afafac9676e04e62105bcb0685d33572195b96323ad8e48c782c8841147198c56fc796dcce497d8bfc4f9ecbd04f8b3ce09776cb766b60524b2fd770c49c9a94ca98ae333f514f44476aca2bee97a387d10594337ec0f0e4925be595c1057e208727b78bca998200e1389e8facea185f7b24fa07cecefc4c583dfde78562bc60ec2e881ea10d5a10455b1eb640d275f90f0a42f81f23d7403463ca42b130c4ea586190980d219cbc2c58beb791bc11dcb1071e111d23cbf164d9aecbd8139ce228fbf25e93f254abba7bc7a9ad6451975a5c0e457aec87d9cdfd51a55a97d7f4c5dc0b021e1e4fc30da95b6c9ed1b7b9cca923ec512032a78f53b682602d79af93f67cc00780229b77cd3c40ab298b4f75da6eb47d54c6d5dd71f7a4e8e139d40354cb9e9e53d2d6fb3cc95baf61f170153db3c84d100ceccdf38b92453ded0fba3b4800edf6f59efbc37721e8e58e878dabf184512355084a592a1c7b8aa6d1b93d625b211100278980d0bb1de2c4924a6402394
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(191469);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/01");
script_cve_id("CVE-2024-20267");
script_xref(name:"CISCO-BUG-ID", value:"CSCva52387");
script_xref(name:"CISCO-BUG-ID", value:"CSCwh42690");
script_xref(name:"CISCO-SA", value:"cisco-sa-ipv6-mpls-dos-R9ycXkwM");
script_xref(name:"IAVA", value:"2024-A-0119");
script_name(english:"Cisco NX-OS Software MPLS Encapsulated IPv6 DoS (cisco-sa-ipv6-mpls-dos-R9ycXkwM)");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
script_set_attribute(attribute:"description", value:
"A vulnerability with the handling of MPLS traffic for Cisco NX-OS Software could allow an unauthenticated, remote
attacker to cause the netstack process to unexpectedly restart, which could cause the device to stop processing network
traffic or to reload. This vulnerability is due to lack of proper error checking when processing an ingress MPLS frame.
An attacker could exploit this vulnerability by sending a crafted IPv6 packet that is encapsulated within an MPLS frame
to an MPLS-enabled interface of the targeted device. A successful exploit could allow the attacker to cause a denial of
service (DoS) condition. Note: The IPv6 packet can be generated multiple hops away from the targeted device and then
encapsulated within MPLS. The DoS condition may occur when the NX-OS device processes the packet.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-mpls-dos-R9ycXkwM
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f3c8adc2");
# https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75059
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e327a04a");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva52387");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh42690");
script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCva52387, CSCwh42690");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-20267");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(120);
script_set_attribute(attribute:"vuln_publication_date", value:"2024/02/28");
script_set_attribute(attribute:"patch_publication_date", value:"2024/02/28");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/01");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("cisco_nxos_version.nasl");
script_require_keys("Host/Cisco/NX-OS/Version", "Host/Cisco/NX-OS/Model", "Host/Cisco/NX-OS/Device");
exit(0);
}
include('cisco_workarounds.inc');
include('ccf.inc');
var product_info = cisco::get_product_info(name:'Cisco NX-OS Software');
if ('Nexus' >!< product_info.device || product_info.model !~ "([3679][0-9]{2,3})|(5[56][0-9]{1,2})")
audit(AUDIT_HOST_NOT, 'affected');
var version_list = [];
if ('Nexus' >< product_info.device && product_info.model =~ "^3[0-9]{2,3}")
{
version_list = make_list(
'6.0(2)A3(1)',
'6.0(2)A3(2)',
'6.0(2)A3(4)',
'6.0(2)A4(1)',
'6.0(2)A4(2)',
'6.0(2)A4(3)',
'6.0(2)A4(4)',
'6.0(2)A4(5)',
'6.0(2)A4(6)',
'6.0(2)A6(1)',
'6.0(2)A6(1a)',
'6.0(2)A6(2)',
'6.0(2)A6(2a)',
'6.0(2)A6(3)',
'6.0(2)A6(3a)',
'6.0(2)A6(4)',
'6.0(2)A6(4a)',
'6.0(2)A6(5)',
'6.0(2)A6(5a)',
'6.0(2)A6(5b)',
'6.0(2)A6(6)',
'6.0(2)A6(7)',
'6.0(2)A6(8)',
'6.0(2)A7(1)',
'6.0(2)A7(1a)',
'6.0(2)A7(2)',
'6.0(2)A7(2a)',
'6.0(2)A8(1)',
'6.0(2)A8(2)',
'6.0(2)A8(3)',
'6.0(2)A8(4)',
'6.0(2)A8(4a)',
'6.0(2)A8(5)',
'6.0(2)A8(6)',
'6.0(2)A8(7)',
'6.0(2)A8(7a)',
'6.0(2)A8(7b)',
'6.0(2)A8(8)',
'6.0(2)A8(9)',
'6.0(2)A8(10a)',
'6.0(2)A8(10)',
'6.0(2)A8(11)',
'6.0(2)A8(11a)',
'6.0(2)A8(11b)',
'6.0(2)U2(1)',
'6.0(2)U2(2)',
'6.0(2)U2(3)',
'6.0(2)U2(4)',
'6.0(2)U2(5)',
'6.0(2)U2(6)',
'6.0(2)U3(1)',
'6.0(2)U3(2)',
'6.0(2)U3(3)',
'6.0(2)U3(4)',
'6.0(2)U3(5)',
'6.0(2)U3(6)',
'6.0(2)U3(7)',
'6.0(2)U3(8)',
'6.0(2)U3(9)',
'6.0(2)U4(1)',
'6.0(2)U4(2)',
'6.0(2)U4(3)',
'6.0(2)U4(4)',
'6.0(2)U5(1)',
'6.0(2)U5(2)',
'6.0(2)U5(3)',
'6.0(2)U5(4)',
'6.0(2)U6(1)',
'6.0(2)U6(2)',
'6.0(2)U6(3)',
'6.0(2)U6(4)',
'6.0(2)U6(5)',
'6.0(2)U6(6)',
'6.0(2)U6(7)',
'6.0(2)U6(8)',
'6.0(2)U6(1a)',
'6.0(2)U6(2a)',
'6.0(2)U6(3a)',
'6.0(2)U6(4a)',
'6.0(2)U6(5a)',
'6.0(2)U6(5b)',
'6.0(2)U6(5c)',
'6.0(2)U6(9)',
'6.0(2)U6(10)',
'6.0(2)U6(10a)',
'7.0(3)F3(1)',
'7.0(3)F3(2)',
'7.0(3)F3(3)',
'7.0(3)F3(3a)',
'7.0(3)F3(4)',
'7.0(3)F3(3c)',
'7.0(3)F3(5)',
'7.0(3)I2(2a)',
'7.0(3)I2(2b)',
'7.0(3)I2(2c)',
'7.0(3)I2(2d)',
'7.0(3)I2(2e)',
'7.0(3)I2(3)',
'7.0(3)I2(4)',
'7.0(3)I2(5)',
'7.0(3)I2(1)',
'7.0(3)I2(1a)',
'7.0(3)I2(2)',
'7.0(3)I2(2r)',
'7.0(3)I2(2s)',
'7.0(3)I2(2v)',
'7.0(3)I2(2w)',
'7.0(3)I2(2x)',
'7.0(3)I2(2y)',
'7.0(3)I3(1)',
'7.0(3)I4(1)',
'7.0(3)I4(2)',
'7.0(3)I4(3)',
'7.0(3)I4(4)',
'7.0(3)I4(5)',
'7.0(3)I4(6)',
'7.0(3)I4(7)',
'7.0(3)I4(8)',
'7.0(3)I4(8a)',
'7.0(3)I4(8b)',
'7.0(3)I4(8z)',
'7.0(3)I4(1t)',
'7.0(3)I4(6t)',
'7.0(3)I4(9)',
'7.0(3)I5(1)',
'7.0(3)I5(2)',
'7.0(3)I5(3)',
'7.0(3)I5(3a)',
'7.0(3)I5(3b)',
'7.0(3)I6(1)',
'7.0(3)I6(2)',
'7.0(3)I7(1)',
'7.0(3)I7(2)',
'7.0(3)I7(3)',
'7.0(3)I7(4)',
'7.0(3)I7(5)',
'7.0(3)I7(5a)',
'7.0(3)I7(3z)',
'7.0(3)I7(6)',
'7.0(3)I7(6z)',
'7.0(3)I7(7)',
'7.0(3)I7(8)',
'7.0(3)I7(9)',
'7.0(3)I7(9w)',
'7.0(3)I7(10)',
'9.2(1)',
'9.2(2)',
'9.2(2t)',
'9.2(3)',
'9.2(3y)',
'9.2(4)',
'9.2(2v)',
'7.0(3)IC4(4)',
'7.0(3)IM7(2)',
'9.3(1)',
'9.3(2)',
'9.3(3)',
'9.3(4)',
'9.3(5)',
'9.3(6)',
'9.3(7)',
'9.3(7k)',
'9.3(7a)',
'9.3(8)',
'9.3(9)',
'9.3(10)',
'9.3(11)',
'9.3(12)',
'10.1(1)',
'10.1(2)',
'10.1(2t)',
'10.2(1)',
'10.2(2)',
'10.2(3)',
'10.2(3t)',
'10.2(4)',
'10.2(5)',
'10.2(3v)',
'10.2(6)',
'10.3(1)',
'10.3(2)',
'10.3(3)',
'10.4(1)'
);
}
if ('Nexus' >< product_info.device && product_info.model =~ "^7[0-9]{2,3}")
{
version_list = make_list(
'6.2(2)',
'6.2(2a)',
'6.2(6)',
'6.2(6b)',
'6.2(8)',
'6.2(8a)',
'6.2(8b)',
'6.2(10)',
'6.2(12)',
'6.2(18)',
'6.2(16)',
'6.2(14b)',
'6.2(14)',
'6.2(14a)',
'6.2(6a)',
'6.2(20)',
'6.2(20a)',
'6.2(22)',
'6.2(24)',
'6.2(24a)',
'6.2(26)',
'7.2(0)D1(1)',
'7.2(1)D1(1)',
'7.2(2)D1(2)',
'7.2(2)D1(1)',
'7.2(2)D1(3)',
'7.2(2)D1(4)',
'7.3(0)D1(1)',
'7.3(0)DX(1)'
);
}
if ('Nexus' >< product_info.device && product_info.model =~ "^9[0-9]{2,3}")
{
version_list = make_list(
'7.0(3)F1(1)',
'7.0(3)F2(1)',
'7.0(3)F2(2)',
'7.0(3)F3(1)',
'7.0(3)F3(3)',
'7.0(3)F3(3a)',
'7.0(3)F3(4)',
'7.0(3)F3(3c)',
'7.0(3)F3(5)',
'7.0(3)I2(2a)',
'7.0(3)I2(2b)',
'7.0(3)I2(2c)',
'7.0(3)I2(2d)',
'7.0(3)I2(2e)',
'7.0(3)I2(3)',
'7.0(3)I2(4)',
'7.0(3)I2(5)',
'7.0(3)I2(1)',
'7.0(3)I2(1a)',
'7.0(3)I2(2)',
'7.0(3)I2(2r)',
'7.0(3)I2(2s)',
'7.0(3)I2(2v)',
'7.0(3)I2(2w)',
'7.0(3)I2(2x)',
'7.0(3)I2(2y)',
'7.0(3)I3(1)',
'7.0(3)I4(1)',
'7.0(3)I4(2)',
'7.0(3)I4(3)',
'7.0(3)I4(4)',
'7.0(3)I4(5)',
'7.0(3)I4(6)',
'7.0(3)I4(7)',
'7.0(3)I4(8)',
'7.0(3)I4(8a)',
'7.0(3)I4(8b)',
'7.0(3)I4(8z)',
'7.0(3)I4(1t)',
'7.0(3)I4(6t)',
'7.0(3)I4(9)',
'7.0(3)I5(1)',
'7.0(3)I5(2)',
'7.0(3)I5(3)',
'7.0(3)I5(3a)',
'7.0(3)I5(3b)',
'7.0(3)I6(1)',
'7.0(3)I6(2)',
'7.0(3)I7(1)',
'7.0(3)I7(2)',
'7.0(3)I7(3)',
'7.0(3)I7(4)',
'7.0(3)I7(5)',
'7.0(3)I7(5a)',
'7.0(3)I7(3z)',
'7.0(3)I7(6)',
'7.0(3)I7(7)',
'7.0(3)I7(8)',
'7.0(3)I7(9)',
'7.0(3)I7(9w)',
'7.0(3)I7(10)',
'9.2(1)',
'9.2(2)',
'9.2(3)',
'9.2(3y)',
'9.2(4)',
'7.0(3)IA7(1)',
'7.0(3)IA7(2)',
'7.0(3)IC4(4)',
'7.0(3)IM3(1)',
'7.0(3)IM3(2)',
'7.0(3)IM3(2a)',
'7.0(3)IM3(2b)',
'7.0(3)IM3(3)',
'9.3(1)',
'9.3(2)',
'9.3(3)',
'9.3(1z)',
'9.3(4)',
'9.3(5)',
'9.3(6)',
'9.3(5w)',
'9.3(7)',
'9.3(7k)',
'9.3(7a)',
'9.3(8)',
'9.3(9)',
'9.3(10)',
'9.3(11)',
'9.3(12)',
'10.1(1)',
'10.1(2)',
'10.2(1)',
'10.2(1q)',
'10.2(2)',
'10.2(3)',
'10.2(2a)',
'10.2(3t)',
'10.2(4)',
'10.2(5)',
'10.2(6)',
'10.3(1)',
'10.3(2)',
'10.3(3)',
'10.3(99w)',
'10.3(3w)',
'10.3(99x)',
'10.3(3o)',
'10.3(3p)',
'10.3(3q)',
'10.4(1)'
);
}
if ('Nexus' >< product_info.device && product_info.model =~ "^5[56][0-9]{1,2}|^6[0-9]{2,3}")
{
version_list = make_list(
'7.1(0)N1(1a)',
'7.1(0)N1(1b)',
'7.1(0)N1(1)',
'7.1(1)N1(1)',
'7.1(1)N1(1a)',
'7.1(2)N1(1)',
'7.1(2)N1(1a)',
'7.1(3)N1(1)',
'7.1(3)N1(2)',
'7.1(3)N1(5)',
'7.1(3)N1(4)',
'7.1(3)N1(3)',
'7.1(3)N1(2a)',
'7.1(4)N1(1)',
'7.1(4)N1(1d)',
'7.1(4)N1(1c)',
'7.1(4)N1(1a)',
'7.1(5)N1(1)',
'7.1(5)N1(1b)',
'7.3(0)N1(1)',
'7.3(0)N1(1b)',
'7.3(0)N1(1a)'
);
}
var workarounds = make_list(CISCO_WORKAROUNDS['generic_workaround']);
var workaround_params = [WORKAROUND_CONFIG['show_mpls_interfaces_detail']];
var reporting = make_array(
'port' , 0,
'severity', SECURITY_HOLE,
'version' , product_info['version'],
'bug_id' , 'CSCva52387, CSCwh42690',
'cmds' , make_list('show mpls interface detail')
);
cisco::check_and_report(
product_info:product_info,
workarounds:workarounds,
workaround_params:workaround_params,
reporting:reporting,
vuln_versions:version_list
);
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
17.0%