Cisco IOS XE Software Connectivity Fault Management (CFM) DoS

2014-11-07T00:00:00
ID CISCO-SN-CSCUQ93406-IOSXE.NASL
Type nessus
Reporter Tenable
Modified 2018-07-06T00:00:00

Description

The remote Cisco device is affected by a denial of service vulnerability due to due to improper parsing of malformed Ethernet Connectivity Fault Management (CFM) packets. A remote, unauthenticated attacker, using specially crafted CFM packets, could trigger a denial of service condition, resulting in a reload of the device.

                                        
                                            #TRUSTED adf825966338579b2b116c3ee049b962fee8dbba4a807423b90aa4ba2796910e77db9edb5b05f8f901eac37cd1a64e0293a5231cbbfd3b5c2f720b25d069ab68b99b252a35062cb4c930f83dd519b9ff052e576c6f64704b33ee7c823e86cd1dae1d876de10fcce8d28f4b9e45d8ff391d4e685d60f7b61a96783080bdaa8118a7414f17e12af0be8fe2c898a8ee6e8946289c941fb816f0fb49b0095cf4dc87f58f80b643f478a32b4de36631d508ddfdc8c59bb9b548e127bdc1d67949f1a25dd40cd803666624ce1ecc8e0ab5c092499ff84403219bae4b876033c48a8b0796e7057d76050f35d11ebf364fafdc73575e8c597552bf69a1c5575d9a12a1774ef2aa024aaac89e8da3ac0c6f81c60f52cb1b0a73234773f81858e03464c1c5529a1e0a45c00fd5fb3beeaf4b1b27c277ce89d8e06a47ceca0d7d09b04ee6d1133ba566dd9926e5d3385b45aa6244b7b6d61d6efc5bbe3317429fc28c9f7ab96d77fd7cd77b82306b6172898aac6774d05ea95edc6f4de70248b3137a180b15d7b15dc66b29ccb7470dc0870f756931c50964bdf6cff613b67634d8e2392e4823ff38b2e58b51b98d4aac1b55aea2d2798c7cbab19b699b09ddc7857b1a5489ad81bdea24dfa8caf68c94267ea88e553a7c0d619e1d22f893c0f5a860ffb9fc866cc4470a3c0861050095c0d30bc15fc6d30961e1a4343e40a6397b9c3a5b95
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(78919);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/06");

  script_cve_id("CVE-2014-3409");
  script_bugtraq_id(70715);
  script_xref(name:"CISCO-BUG-ID", value:"CSCuq93406");

  script_name(english:"Cisco IOS XE Software Connectivity Fault Management (CFM) DoS");
  script_summary(english:"Checks the IOS XE version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Cisco device is affected by a denial of service
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Cisco device is affected by a denial of service
vulnerability due to due to improper parsing of malformed Ethernet
Connectivity Fault Management (CFM) packets. A remote, unauthenticated
attacker, using specially crafted CFM packets, could trigger a denial
of service condition, resulting in a reload of the device.");
  # http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3409
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?aa61ade4");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in the Cisco Security Notice.

Alternatively, disable Ethernet Connectivity Fault Management (CFM).");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/10/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

flag = 0;

version = get_kb_item_or_exit("Host/Cisco/IOS-XE/Version");

# Check model
model = get_kb_item("Host/Cisco/IOS-XE/Model");

if (!model)
{
  # If no model, just do ver checks per Alert page
  # 3.1S .0, .1, .2, .3
  if (version =~ "^3\.1\.[0-3]S$") flag++;
  # 3.2S .0, .1, .2
  else if (version =~ "^3\.2\.[0-2]S$") flag++;
  # 3.3S .0, .1, .2
  else if (version =~ "^3\.3\.[0-2]S$") flag++;
  # 3.4S .0, .1, .2, .3, .4, .5, .6
  else if (version =~ "^3\.4\.[0-6]S$") flag++;
  # 3.5S Base, .0, .1, .2
  # 3.6S Base, .0, .1, .2
  # 3.7S Base, .0, .1, .2, .3, .4, .5, .6
  else if (version =~ "^3\.[5-7]S$") flag++;
  else if (version =~ "^3\.[5-7]\.[0-2]S$") flag++;
  else if (version =~ "^3\.7\.[4-6]S$") flag++;
  # 3.9S .0, .1, .2
  else if (version =~ "^3\.9\.[0-2]S$") flag++;
  # 3.10S .0, .0a, .1, .2, .3, .4
  else if (version =~ "^3\.10\.(0a|[0-4])S$") flag++;
  # 3.11S .1, .2
  else if (version =~ "^3\.11\.[0-2]S$") flag++;
  # 3.12S .0
  else if (version == '3.12.0S') flag++;
  # 3.13S .0
  else if (version == '3.13.0S') flag++;
}
else
{
  # If model is present, do ver check per model per Bug page note
  if ('ASR901' >< model && version =~ "^3\.3\.") flag++;
  else if ('ASR903' >< model && version =~ "^3\.5\.") flag++;
  else if ('ASR920' >< model && version =~ "^3\.13\.") flag++;
  else if (('ASR1k' >< model || model =~ '^ASR 10[0-9][0-9]($|[^0-9])') && version =~ "^3\.2\.") flag++;
}

if (get_kb_item("Host/local_checks_enabled") && flag > 0)
{
  flag = 0;
  buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config", "show running-config");
  if (check_cisco_result(buf))
  {
    if (preg(multiline:TRUE, pattern:"ethernet cfm", string:buf)) flag = 1;
  }
  else if (cisco_needs_enable(buf)) { flag = 1; override = 1; }
}

if (flag > 0)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Cisco bug ID      : CSCuq93406' +
      '\n  Installed release : ' + version +
      '\n';
    security_warning(port:0, extra:report + cisco_caveat(override));
  }
  else security_warning(port:0, extra:cisco_caveat(override));
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");