nessus: CISCO-SA-LNT-L9ZOKBZ5-IOSXR.NASL
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
History: Jan 29, 2024 - 12:00 a.m.

Cisco IOS XR Software Image Verification (cisco-sa-lnt-L9zOkBz5)

2024-01-29 00:00:00
www.tenable.com
Tags: cisco, ios xr, vulnerability, image verification, arbitrary code, authenticated, local attacker, iso image, exploit, cve-2023-20135, bids, security advisory

CVSS3: 7 High
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.6 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 5.1%)

According to its self-reported version, Cisco IOS XR is affected by a vulnerability.

  • A vulnerability in Cisco IOS XR Software image verification checks could allow an authenticated, local attacker to execute arbitrary code on the underlying operating system. This vulnerability is due to a time-of-check, time-of-use (TOCTOU) race condition when an install query regarding an ISO image is performed during an install operation that uses an ISO image. An attacker could exploit this vulnerability by modifying an ISO image and then carrying out install requests in parallel. A successful exploit could allow the attacker to execute arbitrary code on an affected device. (CVE-2023-20135)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(189726);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/29");

  script_cve_id("CVE-2023-20135");
  script_xref(name:"CISCO-BUG-ID", value:"CSCwd87928");
  script_xref(name:"CISCO-SA", value:"cisco-sa-lnt-L9zOkBz5");

  script_name(english:"Cisco IOS XR Software Image Verification (cisco-sa-lnt-L9zOkBz5)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XR is affected by a vulnerability.

  - A vulnerability in Cisco IOS XR Software image verification checks could allow an authenticated, local
    attacker to execute arbitrary code on the underlying operating system. This vulnerability is due to a
    time-of-check, time-of-use (TOCTOU) race condition when an install query regarding an ISO image is
    performed during an install operation that uses an ISO image. An attacker could exploit this vulnerability
    by modifying an ISO image and then carrying out install requests in parallel. A successful exploit could
    allow the attacker to execute arbitrary code on an affected device. (CVE-2023-20135)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lnt-L9zOkBz5
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8117bf1f");
  # https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75241
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6a0abd7f");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd87928");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwd87928");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-20135");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/09/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/09/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/01/29");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xr_version.nasl");
  script_require_keys("Host/Cisco/IOS-XR/Version");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

var product_info = cisco::get_product_info(name:'Cisco IOS XR');

var model = toupper(product_info.model);
var lnt = toupper(product_info.lnt);
var vuln_ranges = [];

# Vulnerable model list
# 8000 Series Routers
# Network Convergence System (NCS) 540 Series Routers that are running the NCS540L images
# Network Convergence System (NCS) 5700 Series Routers that are running the NCS5700 images 
# (NCS-57B1-5DSE-SYS, NCS-57B1-6D24-SYS and NCS-57C1-48Q6-SYS)

# 8000 Series Router
if (model =~ "8[0-9]{3}")
{
  vuln_ranges = [ 
    {'min_ver' : '7.5.2', 'fix_ver' : '7.6' },
    {'min_ver' : '7.7', 'fix_ver' : '7.10.1'}
  ];

# NCS 540 /5700
}
else if (model =~ "NCS\s?540" || model =~ "NCS\s?5700")
{
  vuln_ranges = [ 
    {'min_ver' : '7.5.2', 'fix_ver' : '7.6' },
    {'min_ver' : '7.7', 'fix_ver' : '7.10.1'}
  ];

  // NCS540 running NCS540L software image
  // vuln if LNT in 'show version' output
  var workarounds = make_list(CISCO_WORKAROUNDS['show_version']);
  var workaround_params = {'pat' : 'LNT'};
}
else
{
  audit(AUDIT_HOST_NOT, 'an affected model');
}

var reporting = make_array(
  'port'    , product_info['port'],
  'severity', SECURITY_WARNING,
  'version' , product_info['version'],
  'bug_id'  , 'CSCwd87928',
  'fix'     , '7.10.1'
);

cisco::check_and_report(
  product_info:product_info,
  reporting:reporting,
  vuln_ranges:vuln_ranges,
  workarounds:workarounds,
  workaround_params:workaround_params
);

Vendor | Product | Version | CPE
cisco | ios_xr | | cpe:/o:cisco:ios_xr
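
The plugin's model and version decision, ported to Python as an added example (not Tenable's code) for triaging a device inventory offline. It assumes `min_ver` is inclusive and `fix_ver` exclusive, and that the LNT check is a plain substring match on `show version` output; the function names and the sample devices are constructed.

```python
import re

# Ranges copied from the plugin (both model branches use the same pair).
# Assumption: min_ver is inclusive, fix_ver is exclusive.
VULN_RANGES = [("7.5.2", "7.6"), ("7.7", "7.10.1")]


def ver_key(version):
    """'7.10.1' -> (7, 10, 1), so 7.10 sorts after 7.9."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def in_vuln_range(version):
    v = ver_key(version)
    return any(ver_key(lo) <= v < ver_key(fix) for lo, fix in VULN_RANGES)


def triage(model, version, show_version=""):
    """Mirror the plugin's branches: model match, version range, LNT marker."""
    model = model.upper()
    if re.search(r"8[0-9]{3}", model):                 # 8000 Series
        needs_lnt = False
    elif re.search(r"NCS\s?540", model) or re.search(r"NCS\s?5700", model):
        needs_lnt = True                               # only the LNT images
    else:
        return "not an affected model"
    if not in_vuln_range(version):
        return "not in a vulnerable range"
    if needs_lnt and "LNT" not in show_version:
        return "not running an LNT image"
    return "vulnerable, fix 7.10.1 (CSCwd87928)"


# Constructed inventory: (name, model, version, show version text).
INVENTORY = [
    ("core-1", "8201", "7.5.3", ""),
    ("core-2", "8808", "7.10.1", ""),
    ("agg-1", "NCS540", "7.8.1", "Cisco IOS XR Software, Version 7.8.1 LNT"),
    ("agg-2", "NCS 5700", "7.9.1", "Cisco IOS XR Software, Version 7.9.1"),
    ("edge-1", "ASR 9006", "7.5.2", ""),
]


def triage_inventory(devices):
    return {name: triage(model, ver, sv) for name, model, ver, sv in devices}


if __name__ == "__main__":
    for name, verdict in triage_inventory(INVENTORY).items():
        print(f"{name}: {verdict}")
```

Model strings written with a hyphen, such as `NCS-540`, do not match the plugin's `NCS\s?540` pattern, so normalise inventory model names before running the check.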
