Cisco Nexus 3600 External BGP DoS (cisco-sa-nxos-po-acl-TkyePgvL)

#TRUSTED 2452fdcbe89a6f643e6aee9e7918ebc91af9c87f103e473001ffbe6e8b5650c06252023add33445d4efe6c20678d37b08690a15c42b62774ae4cbae56e18e5e33c09b8b13e277010730c013a6a0364d7d0debf0d6beda709d21b4588f12f45d6927802c256548784728ff7921f024f96915b7d013c9b919809a581c959cb73045bc91ee5122e4f81b722d700c249be63225af88d217ea0d5084985d559794eac81d7c67a2511bccd2520947ab55d526f13a7fd966cb95ad1ed8d5cc4a196bb86b8ea191bab2c97530c3e11c99bfe3c7927163d9e2fd3747a4130a00550e623fc00c5a05fe1bdf7e42a281e3a19a4974f50d0648348004788a17224acfea6f06e82cce6a43a415a6a72f566432fc2041e3e1bd27df0e819cb5a0350c92549925ff1b54efa88937e05922817817970b74ae28dcfa4e9dd2690bb0e15da4292a62f28379fdad35bae04b3bc48aa31ad0dac0e5154c980e5311d46631b201bb5802f917adfb721be9520da6416109bd099d313e2af53b764d91b1994f6bfd244c2c54d390691e8fade2d2458f6c26c1a10f83c5ab14e05fba7470902d809afc518f8138e6a216150dbff55ebafdc4a17b181b5052cfec727f2601d306098d98f7f233932d6136e6ac418af87737a959a5036d1ca421f50f6962224d0f51105d63ab1f9191fcec82789757a55ddc6a116ce4ff2c5a878caac978682b7cbf0b5080928
#TRUST-RSA-SHA256 6da878ac983136948cb2dc89185e0d760628f0d13d0f8da93ad36259541c3370c2dea3f46e5aabff90395538581a30375eee71e06a5b1457b2d132077eb27400860186fd7db7044b886d92f66a0a6b0fe172571efec8aa6dc052e3a93fc873ddf2dfb18f2521d744d9c323859c863826a9a30af51fd9f3db701c232e7bbdd496e5082e11a44457e47fa0b809a44b874ee1b72964a1e33483f451933cab11c2c51f1c659e049d94e22e5031af06c717e92e3899e0edccdef562d9e570bedf2019a9a9fcb5b8e2b2b4ddebe847f6a35c4cdfd3e5db6d844f81f6ef69b70365ef3ce1834374c4521bbcff5a0c05e61714648074c022f1a8aa5cadca0cbfc6f8f769f67a9aaf5e66893fd717f85340173faf4b32ff48f2ac4bf05a01d7c984f9a08dfe20e21d74f09f33460b8628c45f204eab167d94f3a628a53a6b8deb32862dafac9d50b3c2ccc3cff81964177a14e479f40f60de0cba1ba23b701abcd9bf72b9ee3a3165061e8cd80aa2ffe7449962286865016124adecc422c1423ab60644644419a800c1ead2b76233ed0307ba604eae3e5696dc12cabd13ec3dae6a2aaa3c4c81bbcfcc9a90d8ddc3e33a591e276f168da242a0a373f237ca530c7c173f92e7ff97d1b52550571d6b4363869a45b3d7fe3ac1f8bea1250dcf1fc6ab73019b56fa3998d09cba90598e3d776467d896b11716cb1f63f90a1d71234fb0482b19
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(191465);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/01");

  script_cve_id("CVE-2024-20321");
  script_xref(name:"CISCO-BUG-ID", value:"CSCwh09703");
  script_xref(name:"CISCO-BUG-ID", value:"CSCwh96478");
  script_xref(name:"CISCO-SA", value:"cisco-sa-nxos-ebgp-dos-L3QCwVJ");
  script_xref(name:"IAVA", value:"2024-A-0119");

  script_name(english:"Cisco Nexus 3600 External BGP DoS (cisco-sa-nxos-po-acl-TkyePgvL)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"A vulnerability in the External Border Gateway Protocol (eBGP) implementation of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability exists because eBGP traffic is mapped to a shared hardware rate-limiter queue. An attacker could 
exploit this vulnerability by sending large amounts of network traffic with certain characteristics through an affected
device. A successful exploit could allow the attacker to cause eBGP neighbor sessions to be dropped, leading to a DoS 
condition in the network.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ebgp-dos-L3QCwVJ
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1e3d5bb2");
  # https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75059
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e327a04a");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh09703");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh96478");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCwh09703, CSCwh96478");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-20321");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(400);

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/02/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/02/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/01");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os");
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_nxos_version.nasl");
  script_require_keys("Host/Cisco/NX-OS/Version", "Host/Cisco/NX-OS/Model", "Host/Cisco/NX-OS/Device", "Settings/ParanoidReport");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

var product_info = cisco::get_product_info(name:'Cisco NX-OS Software');

# We cannot test for the full vulnerable condition
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Just Nexus 3600 Series Switches for now
if (('Nexus' >!< product_info.device || product_info.model !~ "(^|[^0-9])36[0-9]{2,3}"))
audit(AUDIT_HOST_NOT, 'affected');

# Bug Checker is showing 10.4(2) as the first fixed or not affected version, see http://www.nessus.org/u?3f81dca0
var version_list = make_list(
  '6.0(2)A3(1)',
  '6.0(2)A3(2)',
  '6.0(2)A3(4)',
  '6.0(2)A4(1)',
  '6.0(2)A4(2)',
  '6.0(2)A4(3)',
  '6.0(2)A4(4)',
  '6.0(2)A4(5)',
  '6.0(2)A4(6)',
  '6.0(2)A6(1)',
  '6.0(2)A6(1a)',
  '6.0(2)A6(2)',
  '6.0(2)A6(2a)',
  '6.0(2)A6(3)',
  '6.0(2)A6(3a)',
  '6.0(2)A6(4)',
  '6.0(2)A6(4a)',
  '6.0(2)A6(5)',
  '6.0(2)A6(5a)',
  '6.0(2)A6(5b)',
  '6.0(2)A6(6)',
  '6.0(2)A6(7)',
  '6.0(2)A6(8)',
  '6.0(2)A7(1)',
  '6.0(2)A7(1a)',
  '6.0(2)A7(2)',
  '6.0(2)A7(2a)',
  '6.0(2)A8(1)',
  '6.0(2)A8(2)',
  '6.0(2)A8(3)',
  '6.0(2)A8(4)',
  '6.0(2)A8(4a)',
  '6.0(2)A8(5)',
  '6.0(2)A8(6)',
  '6.0(2)A8(7)',
  '6.0(2)A8(7a)',
  '6.0(2)A8(7b)',
  '6.0(2)A8(8)',
  '6.0(2)A8(9)',
  '6.0(2)A8(10a)',
  '6.0(2)A8(10)',
  '6.0(2)A8(11)',
  '6.0(2)A8(11a)',
  '6.0(2)A8(11b)',
  '6.0(2)U2(1)',
  '6.0(2)U2(2)',
  '6.0(2)U2(3)',
  '6.0(2)U2(4)',
  '6.0(2)U2(5)',
  '6.0(2)U2(6)',
  '6.0(2)U3(1)',
  '6.0(2)U3(2)',
  '6.0(2)U3(3)',
  '6.0(2)U3(4)',
  '6.0(2)U3(5)',
  '6.0(2)U3(6)',
  '6.0(2)U3(7)',
  '6.0(2)U3(8)',
  '6.0(2)U3(9)',
  '6.0(2)U4(1)',
  '6.0(2)U4(2)',
  '6.0(2)U4(3)',
  '6.0(2)U4(4)',
  '6.0(2)U5(1)',
  '6.0(2)U5(2)',
  '6.0(2)U5(3)',
  '6.0(2)U5(4)',
  '6.0(2)U6(1)',
  '6.0(2)U6(2)',
  '6.0(2)U6(3)',
  '6.0(2)U6(4)',
  '6.0(2)U6(5)',
  '6.0(2)U6(6)',
  '6.0(2)U6(7)',
  '6.0(2)U6(8)',
  '6.0(2)U6(1a)',
  '6.0(2)U6(2a)',
  '6.0(2)U6(3a)',
  '6.0(2)U6(4a)',
  '6.0(2)U6(5a)',
  '6.0(2)U6(5b)',
  '6.0(2)U6(5c)',
  '6.0(2)U6(9)',
  '6.0(2)U6(10)',
  '6.0(2)U6(10a)',
  '7.0(3)F3(1)',
  '7.0(3)F3(2)',
  '7.0(3)F3(3)',
  '7.0(3)F3(3a)',
  '7.0(3)F3(4)',
  '7.0(3)F3(3c)',
  '7.0(3)F3(5)',
  '7.0(3)I2(2a)',
  '7.0(3)I2(2b)',
  '7.0(3)I2(2c)',
  '7.0(3)I2(2d)',
  '7.0(3)I2(2e)',
  '7.0(3)I2(3)',
  '7.0(3)I2(4)',
  '7.0(3)I2(5)',
  '7.0(3)I2(1)',
  '7.0(3)I2(1a)',
  '7.0(3)I2(2)',
  '7.0(3)I2(2r)',
  '7.0(3)I2(2s)',
  '7.0(3)I2(2v)',
  '7.0(3)I2(2w)',
  '7.0(3)I2(2x)',
  '7.0(3)I2(2y)',
  '7.0(3)I3(1)',
  '7.0(3)I4(1)',
  '7.0(3)I4(2)',
  '7.0(3)I4(3)',
  '7.0(3)I4(4)',
  '7.0(3)I4(5)',
  '7.0(3)I4(6)',
  '7.0(3)I4(7)',
  '7.0(3)I4(8)',
  '7.0(3)I4(8a)',
  '7.0(3)I4(8b)',
  '7.0(3)I4(8z)',
  '7.0(3)I4(1t)',
  '7.0(3)I4(6t)',
  '7.0(3)I4(9)',
  '7.0(3)I5(1)',
  '7.0(3)I5(2)',
  '7.0(3)I5(3)',
  '7.0(3)I5(3a)',
  '7.0(3)I5(3b)',
  '7.0(3)I6(1)',
  '7.0(3)I6(2)',
  '7.0(3)I7(1)',
  '7.0(3)I7(2)',
  '7.0(3)I7(3)',
  '7.0(3)I7(4)',
  '7.0(3)I7(5)',
  '7.0(3)I7(5a)',
  '7.0(3)I7(3z)',
  '7.0(3)I7(6)',
  '7.0(3)I7(6z)',
  '7.0(3)I7(7)',
  '7.0(3)I7(8)',
  '7.0(3)I7(9)',
  '7.0(3)I7(9w)',
  '7.0(3)I7(10)',
  '9.2(1)',
  '9.2(2)',
  '9.2(2t)',
  '9.2(3)',
  '9.2(3y)',
  '9.2(4)',
  '9.2(2v)',
  '9.3(1)',
  '9.3(2)',
  '9.3(3)',
  '9.3(4)',
  '9.3(5)',
  '9.3(6)',
  '9.3(7)',
  '9.3(7k)',
  '9.3(7a)',
  '9.3(8)',
  '9.3(9)',
  '9.3(10)',
  '9.3(11)',
  '10.1(1)',
  '10.1(2)',
  '10.1(2t)',
  '10.2(1)',
  '10.2(2)',
  '10.2(3)',
  '10.2(3t)',
  '10.2(4)',
  '10.2(5)',
  '10.3(1)',
  '10.3(2)',
  '10.3(3)',
  '10.4(1)',
  '10.3(4a)'
);

var reporting = make_array(
  'port'    , 0,
  'severity', SECURITY_WARNING,
  'version' , product_info['version'],
  'bug_id'  , 'CSCwh09703, CSCwh96478'
);

var workarounds = make_list(CISCO_WORKAROUNDS['generic_workaround']);
var workaround_params = WORKAROUND_CONFIG['nxos_bgp_neighbor'];

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_versions:version_list
);