Cisco NX-OS HSRP DoS (CSCup11309)

2015-05-30T00:00:00
ID CISCO-SN-CVE-2014-3295-NXOS.NASL
Type nessus
Reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-04-02T00:00:00

Description

The remote Cisco device contains a flaw in the Hot Standby Router Protocol (HSRP) authentication. A remote attacker, using a specially crafted HSRP packet, can bypass HSRP authentication and configure HSRP group members to the SPEAK state, causing a denial of service.

                                        
                                            #TRUSTED 2e6b9598909253e0556c7ca31ca0841dfa32a310fdb03f4a56f54819dcded58f8be7cf0504ad38f9707af7f27c6d2ac29cf510334a6526adf9b6fd3296475cec9a0815176914d0fd06bb13bc824d08ffa53c7ccd250688638342e1fdc2e2e365de2abc10f3d740a2d0e674be1fbe42315247227f3c235f217b79b4078e1169ba6b6e6cddfb71f96525bbc0289467efd761bdc6500521f6d2eee432f352ded58f1b36ce9846c5b86d83242faf3796db4f498db7c993a8cfaf69aa5854d7cbae7c811b4c761b248e896fd81df09f0fd01b78585f28f600e0169537b19ce05871e255794e49b0a47afe8a9724f6410fd8b0ca18710b0f42e5d4d668cda6d44862aaaf8245ffa80985118790d4cff807747ee6657e19171c75683ef4c45c9bfa392d45e68ecda13cc6ae82f0979b15447da2d8d6576d34d59994389e1db9cc96d2f711933985fb2a0620870ad6c91e8cef429fe237d27931e3790f3d772f75bc48562070b568d3af320f2bf81ee39ecc1c1c3a6ca7ac7ec80a325ca2c41ac675e48446215ec2bcd9a7d6bf0578a2d6a318f5db0009e2a49baccc5cb6ef1b2cf1fd288152c27e40f4a677ad00e7629450e67f455bc4023396e76d8145877e24425934dd87c27bdd34815b3e65017a5376f22a1616b3d882fb32cd0155ae6f0fa22f934391c674fdb6a78342cc3924089683863b1b5a098da0526fbe3ff7958e11ab6e
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(83904);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id("CVE-2014-3295");
  script_bugtraq_id(67983);
  script_xref(name:"CISCO-BUG-ID", value:"CSCup11309");

  script_name(english:"Cisco NX-OS HSRP DoS (CSCup11309)");
  script_summary(english:"Checks the NX-OS version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Cisco device contains a flaw in the Hot Standby Router
Protocol (HSRP) authentication. A remote attacker, using a specially
crafted HSRP packet, can bypass HSRP authentication and configure HSRP
group members to the SPEAK state, causing a denial of service.");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/security/center/viewAlert.x?alertId=34585");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCup11309");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version, 6.2(10) or later, as referenced
in Cisco bug ID CSCup11309.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/06/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/06/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/30");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_nxos_version.nasl");
  script_require_keys("Host/Cisco/NX-OS/Version", "Host/Cisco/NX-OS/Device", "Host/Cisco/NX-OS/Model", "Host/local_checks_enabled");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

device = get_kb_item_or_exit("Host/Cisco/NX-OS/Device");
model = get_kb_item_or_exit("Host/Cisco/NX-OS/Model");
version = get_kb_item_or_exit("Host/Cisco/NX-OS/Version");

flag = 0;
override = 0;

# According to the Note only Nexus 7000 is affected
if (device != 'Nexus' || model !~ "^7[0-9][0-9][0-9]([^0-9]|$)")
  audit(AUDIT_DEVICE_NOT_VULN, device + ' ' + model);

if (version =~ "^[0-5]([^0-9]|$)" ||
    version =~ "^6\.[0-1]([^0-9]|$)" ||
    version =~ "^6\.2\([0-9]([^0-9]|$)"
) flag++;

if (flag)
{
  flag = 0;

  # Check for HSRP enabled
  if (get_kb_item_or_exit("Host/local_checks_enabled"))
  {
    buf = cisco_command_kb_item("Host/Cisco/Config/show_hsrp", "show hsrp");
    if (check_cisco_result(buf))
    {
      if ('HSRP' >< buf) flag++;
    }
    else if (cisco_needs_enable(buf))
    {
      flag++;
      override++;
    }
  }
}


if (flag)
{
  if (report_verbosity > 0)
  {
    report =
    '\n  Cisco bug ID      : CSCup11309' +
    '\n  Installed release : ' + version +
    '\n';
    security_warning(port:0, extra:report + cisco_caveat(override));
  }
  else security_warning(port:0, extra:cisco_caveat(override));
  exit(0);
}
else audit(AUDIT_DEVICE_NOT_VULN, device + ' ' + model, version);;