Cisco ASA SSL VPN Memory Blocks Exhaustion DoS (CSCuq68888)

2014-12-08T00:00:00
ID CISCO-SN-CVE-2014-3407-ASA.NASL
Type nessus
Reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
Modified 2014-12-08T00:00:00

Description

According to its banner, the version of the Cisco ASA software on the remote device is affected by a vulnerability in the SSL VPN feature due to improperly implemented memory block allocation when processing crafted HTTP packets. A remote, unauthenticated attacker can exploit this issue by sending specially crafted HTTP requests that exhaust memory, causing a denial of service. The check relies on the reported software version and the device's webvpn configuration; it does not attempt to reproduce the condition.

                                        
                                            #TRUSTED a1d45399152b389433d9118cef9b199d7c78eb110f027ef508a42382518ee7e30e8ac9d5e507e8d551c255cf651cb6ae8df037a3aabcc30ba5282c6dc623be345f7e0c5fd8b099857a05df85b643863fe54406cac422a9e6e8379799036be80b65a9ed8194448e37a73057aa62af634663cc49494326e273098d79c3c356e312bff93927475ba75a906a3162aef49c3ad950d7826cd764af06cd339adfcc476e560fcfea40151a52c6ecadaba1119260e2c975658f6e27c6339ac93cf310f9a3f8a0ca9c596bd332416e5b7e3817022753b744ccbafcd3ed6ab7ef3bbe74d44ccc50e51a23e95391ec4906a60c1ea4a96b4716e18d449c2ba722449ab6802c7206a9837d383f1ee62c8d17e629f535840369f53d811262a14c639ab828976e68434b8332abfd56e260316ded5f6042744a1657c3ecccbfa3f224b5ff2f6d6920f5ab87ae91a9c8930f0047cc8b820b4344931f147a82162f9e6b690a889b6267420f1a2f20d130549affa11875cd8e7ad250c41acd34eeac4409bf61cae15b9150429e7d73456caa34d1002501212446ad4dcdc519c7f39e1fac4f5c7d5892fcd2601e61ab5dd885b0a3dac5c56c418c4ae48a365270a93ae8924d9ecc9784dc3ba7fb3273fdfd846de9cf1e754bde2815995ae411c58504d78a51bcded153d66b4eb533725e91b4977d5d377274f7dd6003dbf0ac3fb1b49dd6e097fd1b0517
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration section: when the engine loads the plugin with `description`
# set, only the metadata below is registered and the script exits (exit(0) at
# the end of this block) before any of the check logic further down runs.
if (description)
{
  script_id(79803);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/11/15");

  # Cross-references used to correlate this finding with other data sources.
  script_cve_id("CVE-2014-3407");
  script_bugtraq_id(71317);
  script_xref(name:"CISCO-BUG-ID", value:"CSCuq68888");

  script_name(english:"Cisco ASA SSL VPN Memory Blocks Exhaustion DoS (CSCuq68888)");
  script_summary(english:"Checks the ASA version.");

  script_set_attribute(attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of the Cisco ASA software on the
remote device is affected by a vulnerability in the SSL VPN feature
due to improper implementation of memory blocks allocation when
processing crafted HTTP packets. A remote, unauthenticated attacker
can exploit this issue by sending specially crafted HTTP requests
designed to exhaust memory to cause a denial of service.");
  # https://tools.cisco.com/security/center/viewAlert.x?alertId=36542
  # (presumably the target of the shortened nessus.org link below; the same
  # URL is also registered in full as a second see_also entry)
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c8e2a24c");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/security/center/viewAlert.x?alertId=36542");
  script_set_attribute(attribute:"solution", value:"Apply the relevant patch referenced in the vendor advisory.");
  # CVSS v2 base: network vector, low complexity, no authentication, partial
  # availability impact, no confidentiality or integrity impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  # CVSS v2 temporal: exploitability unproven, official fix available,
  # report confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # "local": the result comes from data collected on the device (see the
  # ssh_get_info.nasl dependency below), not from probing the SSL VPN service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:adaptive_security_appliance_software");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/11/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/11/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/08");

  script_end_attributes();

  # Information-gathering category: the check section of this script compares
  # versions and reads the webvpn configuration; it never sends the crafted
  # HTTP requests described above.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
  script_family(english:"CISCO");

  # Prerequisites: ssh_get_info.nasl is a declared dependency, and the
  # "Host/Cisco/ASA" KB key must exist for this plugin to run.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/Cisco/ASA");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

# Read the ASA identification stored in the KB (get_kb_item_or_exit ends the
# script when the key is missing) and derive the software version from it.
asa_kb = get_kb_item_or_exit('Host/Cisco/ASA');
ver    = extract_asa_version(asa_kb);
if (isnull(ver))
{
  # Without a parsed version nothing below can be evaluated.
  audit(AUDIT_FN_FAIL, 'extract_asa_version');
}

# Remains NULL until the version is found to be affected; the later
# isnull(fixed_ver) test uses that to report "not vulnerable".
fixed_ver = NULL;

# Affected version list from advisory.
# The installed version must equal one of these entries exactly (see the
# cisco_gen_ver_compare(...) == 0 test in the loop that follows); releases
# that are not listed are never reported, even if they predate a fixed release.
# NOTE(review): 9.2.3 and 9.3.2 are listed, but the loop below pairs the 9.2
# and 9.3 trains with fixed releases 9.2(2.100) and 9.3(1.99). If
# check_asa_release() is true only for versions older than `patched`, these
# two entries can never be reported - confirm against the vendor advisory.
versions = make_list(
  "8.4.1",
  "8.4.1.3",
  "8.4.1.11",
  "8.4.2",
  "8.4.2.1",
  "8.4.2.8",
  "8.4.3",
  "8.4.3.8",
  "8.4.3.9",
  "8.4.4",
  "8.4.4.1",
  "8.4.4.3",
  "8.4.4.5",
  "8.4.4.9",
  "8.4.5",
  "8.4.5.6",
  "8.4.6",
  "8.4.7",
  "8.4.7.3",
  "8.4.7.15",
  "8.4.7.22",
  "8.4.7.23",
  "8.6.1",
  "8.6.1.1",
  "8.6.1.2",
  "8.6.1.5",
  "8.6.1.10",
  "8.6.1.12",
  "8.6.1.13",
  "8.6.1.14",
  "9.0.1",
  "9.0.2",
  "9.0.2.10",
  "9.0.3",
  "9.0.3.6",
  "9.0.3.8",
  "9.0.4",
  "9.0.4.1",
  "9.0.4.5",
  "9.0.4.7",
  "9.0.4.17",
  "9.0.4.20",
  "9.0.4.24",
  "9.1.1",
  "9.1.1.4",
  "9.1.2",
  "9.1.2.8",
  "9.1.3",
  "9.1.3.2",
  "9.1.4",
  "9.1.4.5",
  "9.1.5",
  "9.1.5.10",
  "9.1.5.12",
  "9.2.1",
  "9.2.2",
  "9.2.2.4",
  "9.2.2.7",
  "9.2.3",
  "9.3.1",
  "9.3.1.1",
  "9.3.2"
);

# Find the affected-list entry that equals the installed version, then choose
# the fixed release to show in the report for that release train.
foreach listed (versions)
{
  # Skip entries that are not an exact match for the installed version.
  if (cisco_gen_ver_compare(a:ver, b:listed) != 0) continue;

  if (ver =~ "^8\.")
  {
    # No specific fixed 8.x release is named by this plugin.
    fixed_ver = "Refer to the vendor.";
  }
  else if (ver =~ "^9\.0[^0-9]" && check_asa_release(version:ver, patched:"9.0(4.25)"))
  {
    fixed_ver = "9.0(4.25)";
  }
  else if (ver =~ "^9\.1[^0-9]" && check_asa_release(version:ver, patched:"9.1(5.15)"))
  {
    fixed_ver = "9.1(5.15)";
  }
  else if (ver =~ "^9\.2[^0-9]" && check_asa_release(version:ver, patched:"9.2(2.100)"))
  {
    fixed_ver = "9.2(2.100)";
  }
  else if (ver =~ "^9\.3[^0-9]" && check_asa_release(version:ver, patched:"9.3(1.99)"))
  {
    fixed_ver = "9.3(1.99)";
  }
  # NOTE(review): a listed 9.x version that fails its check_asa_release() test
  # leaves fixed_ver NULL and is treated as not vulnerable below; presumably
  # this affects the listed 9.2.3 and 9.3.2 entries - confirm with the advisory.

  # The installed version can only equal one entry, so stop at the first match.
  break;
}

# Either no list entry matched or the matching 9.x release is not older than
# its fixed release: report the installed version as not vulnerable and stop.
if (isnull(fixed_ver))
{
  audit(AUDIT_INST_VER_NOT_VULN, "Cisco ASA software", ver);
}

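# flag     : the webvpn configuration shows SSL VPN enabled.
# override : the configuration could not be read because the command needs
#            enable privileges; the finding is then reported with a caveat.
flag     = FALSE;
override = FALSE;

# Check if SSL VPN is configured
if (get_kb_item("Host/local_checks_enabled"))
{
  buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config_webvpn", "show running-config webvpn");
  if (check_cisco_result(buf))
  {
    # Match only a line that starts with the webvpn "enable <interface>"
    # statement. An unanchored "enable" also matches unrelated lines that
    # merely end in "enable" (per-feature toggles inside the webvpn section),
    # which would report devices whose SSL VPN listener is not enabled on any
    # interface.
    if (preg(multiline:TRUE, pattern:"^\s*enable\s+\S", string:buf)) flag = TRUE;
  }
  else if (cisco_needs_enable(buf)) override = TRUE;
}

# NOTE(review): when "Host/local_checks_enabled" is not set, neither flag is
# raised and the host is audited as not affected although the webvpn
# configuration was never inspected. Confirm that this silent negative is
# intended for scans without local checks.
if (!flag && !override) audit(AUDIT_HOST_NOT, "affected");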

# Report the finding on port 0. The caveat text from cisco_caveat(override) is
# always attached; the installed/fixed version lines are prepended only when
# report verbosity is above zero.
details = cisco_caveat(override);
if (report_verbosity > 0)
{
  details =
    '\n  Installed version : ' + ver +
    '\n  Fixed version     : ' + fixed_ver +
    '\n' +
    details;
}
security_warning(port:0, extra:details);