nessus | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. | F5_BIGIP_SOL52320548.NASL
HistorySep 19, 2017 - 12:00 a.m.

F5 Networks BIG-IP : Expat vulnerability (K52320548)

2017-09-19 00:00:00
This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
57

An out-of-bounds read flaw was found in the way Expat processed certain input. A remote attacker could send specially crafted XML that, when parsed by an application using the Expat library, would cause that application to crash or, possibly, execute arbitrary code with the permission of the user running the application. (CVE-2016-0718)

Impact

A remote attacker could send specially crafted XML which, when parsed by an application using the Expat library, would cause that application to stop responding or possibly run arbitrary code with the permission of the user running the application.

BIG-IP ASM control plane

An authenticated user with the relevant privileges, such as Web Application Security Editor, can exploit the vulnerability and gain full control of the system.

big3d/gtmd

The big3d / gtmd processes may be exposed to this vulnerability over the management port and self IP addresses when the Port Lockdown setting is set to Default, All, or Custom with TCP port 4353 included. The impact for the big3d process is a temporary disruption in the communication between peer systems until the system automatically restarts the big3d process.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from F5 Networks BIG-IP Solution K52320548.
#
# The text description of this plugin is (C) F5 Networks.
#

include("compat.inc");

# Description phase: when the engine runs the script with `description` set,
# the block below only registers plugin metadata (id, CVE, text, scoring,
# CPEs, dependencies, required KB keys) and then exits without testing
# anything. The actual check is the code after this block.
if (description)
{
  script_id(103313);
  script_version("3.9");
  script_cvs_date("Date: 2019/01/04 10:03:41");

  script_cve_id("CVE-2016-0718");

  script_name(english:"F5 Networks BIG-IP : Expat vulnerability (K52320548)");
  script_summary(english:"Checks the BIG-IP version.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote device is missing a vendor-supplied security patch."
  );
  # The description text is copied from the F5 advisory (see the file header).
  # It is a runtime string, so it is kept exactly as published.
  script_set_attribute(
    attribute:"description", 
    value:
"An out-of-bounds read flaw was found in the way Expat processed
certain input. A remote attacker could send specially crafted XML
that, when parsed by an application using the Expat library, would
cause that application to crash or, possibly, execute arbitrary code
with the permission of the user running the
application.(CVE-2016-0718)

Impact

A remote attacker could send specially crafted XML which, when parsed
by an application using the Expat library, would cause that
application to stop responding orpossiblyrun arbitrary code with the
permission of the user running the application.

BIG-IP ASM control plane

An authenticated user with the relevant privileges, such as Web
Application Security Editor,can exploit the vulnerability and gain
full control of the system.

big3d/gtmd

The big3d / gtmd processes may be exposed to this vulnerability over
the management port and self IP addresses when the Port Lockdown
setting is set to Default , All , or Custom with TCP port 4353
included. The impact for the big3d process is a temporary disruption
in the communicationbetween peer systems until the system
automatically restarts the big3d process."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://support.f5.com/csp/article/K52320548"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade to one of the non-vulnerable versions listed in the F5
Solution K52320548."
  );
  # Scoring: both base vectors rate this as network-reachable with no
  # authentication (CVSS2 Au:N, CVSS3 PR:N).
  # NOTE(review): the description above says the ASM control plane path needs
  # an authenticated, privileged user, so the base score may overstate that
  # path; triage per exposed component rather than by score alone.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  # Exploit status (E:U, "No known exploits") is a static value recorded in
  # this plugin revision (script_cvs_date 2019/01/04).
  # NOTE(review): it is not refreshed by the check itself - confirm against
  # current threat intelligence before using it to deprioritise.
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Flagged as a potential vulnerability and typed as a local check.
  # The check code matches this: it audits out unless report_paranoia >= 2,
  # and it reads only KB items rather than probing the service.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  # One CPE entry per BIG-IP product this plugin is associated with.
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_webaccelerator");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip_protocol_security_manager");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/09/18");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/19");
  script_end_attributes();

  # ACT_GATHER_INFO: registered as an information-gathering check.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"F5 Networks Local Security Checks");

  # Prerequisites: the detection plugin must have run and these KB keys must
  # exist. presumably f5_bigip_detect.nbin populates the Host/BIG-IP/* keys
  # from a credentialed login - verify. "Settings/ParanoidReport" means an
  # ordinary (non-paranoid) scan will not produce this finding at all.
  script_dependencies("f5_bigip_detect.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version", "Settings/ParanoidReport");

  # Metadata registered; nothing below runs in description mode.
  exit(0);
}


include("f5_func.inc");

# Check phase: confirm the prerequisites recorded in the KB, build the
# per-module affected/unaffected version matrix from F5 Solution K52320548,
# and let bigip_is_affected() (from f5_func.inc) decide whether to report.
#
# Scope of the result: this file reads only the version, hotfix and modules
# KB items. Nothing here inspects the Port Lockdown setting or TCP port 4353
# exposure that the advisory text mentions, so a finding means "installed
# version/module matches the advisory", not "confirmed reachable".

# Each audit() call ends the plugin with the stated reason when a
# prerequisite is missing.
if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
version = get_kb_item("Host/BIG-IP/version");
if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
# isnull() rather than "!": only an absent key is rejected here
# (presumably because an empty or "0" hotfix value is legitimate - verify).
if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");

sol = "K52320548";
vmatrix = make_array();

# Only report when the scan runs with paranoia level 2 or higher; this
# matches the "potential_vulnerability" attribute set in the description.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Version matrix, keyed by module abbreviation. "affected" holds single
# versions or "low-high" ranges; "unaffected" holds the fixed releases.
# How ranges, hotfixes and provisioned modules are evaluated is defined in
# f5_func.inc, which is not shown here.

# AFM
vmatrix["AFM"] = make_array();
vmatrix["AFM"]["affected"  ] = make_list("13.0.0","12.0.0-12.1.3","11.6.0-11.6.3","11.4.1-11.5.6");
vmatrix["AFM"]["unaffected"] = make_list("13.1.0","13.0.1","12.1.3.2","11.6.3.2","11.5.7");

# AM
vmatrix["AM"] = make_array();
vmatrix["AM"]["affected"  ] = make_list("13.0.0","12.0.0-12.1.3","11.6.0-11.6.3","11.4.1-11.5.6");
vmatrix["AM"]["unaffected"] = make_list("13.1.0","13.0.1","12.1.3.2","11.6.3.2","11.5.7");

# APM
vmatrix["APM"] = make_array();
vmatrix["APM"]["affected"  ] = make_list("13.0.0","12.0.0-12.1.3","11.6.0-11.6.3","11.4.1-11.5.6","11.2.1");
vmatrix["APM"]["unaffected"] = make_list("13.1.0","13.0.1","12.1.3.2","11.6.3.2","11.5.7");

# ASM
vmatrix["ASM"] = make_array();
vmatrix["ASM"]["affected"  ] = make_list("13.0.0","12.0.0-12.1.3","11.6.0-11.6.3","11.4.1-11.5.6","11.2.1");
vmatrix["ASM"]["unaffected"] = make_list("13.1.0","13.0.1","12.1.3.2","11.6.3.2","11.5.7");

# AVR
# NOTE(review): unlike every other module that lists the 11.6.0-11.6.3 range,
# AVR has no "11.6.3.2" in its unaffected list. Confirm against K52320548
# whether this is intentional; if it is an omission, a patched 11.6.3.2 AVR
# system could be handled differently from the other modules.
vmatrix["AVR"] = make_array();
vmatrix["AVR"]["affected"  ] = make_list("13.0.0","12.0.0-12.1.3","11.6.0-11.6.3","11.4.1-11.5.6","11.2.1");
vmatrix["AVR"]["unaffected"] = make_list("13.1.0","13.0.1","12.1.3.2","11.5.7");

# GTM
# Only 11.x branches are listed for GTM; no 12.x or 13.x entries appear.
vmatrix["GTM"] = make_array();
vmatrix["GTM"]["affected"  ] = make_list("11.6.0-11.6.3","11.4.1-11.5.6","11.2.1");
vmatrix["GTM"]["unaffected"] = make_list("11.6.3.2","11.5.7");

# LC
vmatrix["LC"] = make_array();
vmatrix["LC"]["affected"  ] = make_list("13.0.0","12.0.0-12.1.3","11.6.0-11.6.3","11.4.1-11.5.6","11.2.1");
vmatrix["LC"]["unaffected"] = make_list("13.1.0","13.0.1","12.1.3.2","11.6.3.2","11.5.7");

# LTM
vmatrix["LTM"] = make_array();
vmatrix["LTM"]["affected"  ] = make_list("13.0.0","12.0.0-12.1.3","11.6.0-11.6.3","11.4.1-11.5.6","11.2.1");
vmatrix["LTM"]["unaffected"] = make_list("13.1.0","13.0.1","12.1.3.2","11.6.3.2","11.5.7");

# PEM
vmatrix["PEM"] = make_array();
vmatrix["PEM"]["affected"  ] = make_list("13.0.0","12.0.0-12.1.3","11.6.0-11.6.3","11.4.1-11.5.6");
vmatrix["PEM"]["unaffected"] = make_list("13.1.0","13.0.1","12.1.3.2","11.6.3.2","11.5.7");


# Affected: raise the finding on port 0, attaching the helper's report text
# when verbosity allows. Not affected: audit out, naming the modules that
# were tested, or stating that no affected module is running.
if (bigip_is_affected(vmatrix:vmatrix, sol:sol))
{
  if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = bigip_get_tested_modules();
  # audit_extra is built before `tested` is checked; it is only used when
  # `tested` is non-empty.
  audit_extra = "For BIG-IP module(s) " + tested + ",";
  if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);
  else audit(AUDIT_HOST_NOT, "running any of the affected modules");
}
Vendor | Product | Version | CPE
f5 | big-ip_access_policy_manager | | cpe:/a:f5:big-ip_access_policy_manager
f5 | big-ip_advanced_firewall_manager | | cpe:/a:f5:big-ip_advanced_firewall_manager
f5 | big-ip_application_acceleration_manager | | cpe:/a:f5:big-ip_application_acceleration_manager
f5 | big-ip_application_security_manager | | cpe:/a:f5:big-ip_application_security_manager
f5 | big-ip_application_visibility_and_reporting | | cpe:/a:f5:big-ip_application_visibility_and_reporting
f5 | big-ip_global_traffic_manager | | cpe:/a:f5:big-ip_global_traffic_manager
f5 | big-ip_link_controller | | cpe:/a:f5:big-ip_link_controller
f5 | big-ip_local_traffic_manager | | cpe:/a:f5:big-ip_local_traffic_manager
f5 | big-ip_policy_enforcement_manager | | cpe:/a:f5:big-ip_policy_enforcement_manager
f5 | big-ip_webaccelerator | | cpe:/a:f5:big-ip_webaccelerator