nessus
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
JUNIPER_JSA75735.NASL
History: Jan 30, 2024 - 12:00 a.m.

Juniper Junos OS Vulnerability (JSA75735)

2024-01-30 00:00:00
www.tenable.com
Tags: juniper networks, junos os, vulnerability, rpd, heap-based buffer overflow, denial of service, bgp, cve-2024-21596, network security

CVSS3: 5.3 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: LOW
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score: 7.3 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 20.3%)

The version of Junos OS installed on the remote host is affected by a vulnerability as referenced in the JSA75735 advisory.

  • A Heap-based Buffer Overflow vulnerability in the Routing Protocol Daemon (RPD) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network based attacker to cause a Denial of Service (DoS). If an attacker sends a specific BGP UPDATE message to the device, this will cause a memory overwrite and therefore an RPD crash and restart in the backup Routing Engine (RE). Continued receipt of these packets will cause a sustained Denial of Service (DoS) condition in the backup RE. The primary RE is not impacted by this issue and there is no impact on traffic. This issue only affects devices with NSR enabled. This issue requires an attacker to have an established BGP session to a system affected by the issue. This issue affects both eBGP and iBGP implementations.

    This issue affects:

    Juniper Networks Junos OS
      * All versions earlier than 20.4R3-S9;
      * 21.2 versions earlier than 21.2R3-S7;
      * 21.3 versions earlier than 21.3R3-S5;
      * 21.4 versions earlier than 21.4R3-S5;
      * 22.1 versions earlier than 22.1R3-S4;
      * 22.2 versions earlier than 22.2R3-S2;
      * 22.3 versions earlier than 22.3R3-S1;
      * 22.4 versions earlier than 22.4R2-S2, 22.4R3;
      * 23.1 versions earlier than 23.1R2;
      * 23.2 versions earlier than 23.2R1-S2, 23.2R2.

    Juniper Networks Junos OS Evolved
      * All versions earlier than 21.3R3-S5-EVO;
      * 21.4-EVO versions earlier than 21.4R3-S5-EVO;
      * 22.1-EVO versions earlier than 22.1R3-S4-EVO;
      * 22.2-EVO versions earlier than 22.2R3-S2-EVO;
      * 22.3-EVO versions later than 22.3R1-EVO;
      * 22.4-EVO versions earlier than 22.4R2-S2-EVO, 22.4R3-EVO;
      * 23.1-EVO versions earlier than 23.1R2-EVO;
      * 23.2-EVO versions earlier than 23.2R1-S2-EVO, 23.2R2-EVO.

    (CVE-2024-21596)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(189763);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/30");

  script_cve_id("CVE-2024-21596");
  script_xref(name:"JSA", value:"JSA75735");

  script_name(english:"Juniper Junos OS Vulnerability (JSA75735)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The version of Junos OS installed on the remote host is affected by a vulnerability as referenced in the JSA75735
advisory.

  - A Heap-based Buffer Overflow vulnerability in the Routing Protocol Daemon (RPD) of Juniper Networks Junos
    OS and Junos OS Evolved allows an unauthenticated, network based attacker to cause a Denial of Service
    (DoS). If an attacker sends a specific BGP UPDATE message to the device, this will cause a memory
    overwrite and therefore an RPD crash and restart in the backup Routing Engine (RE). Continued receipt of
    these packets will cause a sustained Denial of Service (DoS) condition in the backup RE. The primary RE is
    not impacted by this issue and there is no impact on traffic. This issue only affects devices with NSR
    enabled. This issue requires an attacker to have an established BGP session to a system affected by the
    issue. This issue affects both eBGP and iBGP implementations. This issue affects: Juniper Networks Junos
    OS * All versions earlier than 20.4R3-S9; * 21.2 versions earlier than 21.2R3-S7; * 21.3 versions earlier
    than 21.3R3-S5; * 21.4 versions earlier than 21.4R3-S5; * 22.1 versions earlier than 22.1R3-S4; * 22.2
    versions earlier than 22.2R3-S2; * 22.3 versions earlier than 22.3R3-S1; * 22.4 versions earlier than
    22.4R2-S2, 22.4R3; * 23.1 versions earlier than 23.1R2; * 23.2 versions earlier than 23.2R1-S2, 23.2R2.
    Juniper Networks Junos OS Evolved * All versions earlier than 21.3R3-S5-EVO; * 21.4-EVO versions earlier
    than 21.4R3-S5-EVO; * 22.1-EVO versions earlier than 22.1R3-S4-EVO; * 22.2-EVO versions earlier than
    22.2R3-S2-EVO; * 22.3-EVO versions later than 22.3R1-EVO; * 22.4-EVO versions earlier than 22.4R2-S2-EVO,
    22.4R3-EVO; * 23.1-EVO versions earlier than 23.1R2-EVO; * 23.2-EVO versions earlier than 23.2R1-S2-EVO,
    23.2R2-EVO. (CVE-2024-21596)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://supportportal.juniper.net/s/article/Overview-of-the-Juniper-Networks-SIRT-Quarterly-Security-Bulletin-Publication-Process?r=40&ui-knowledge-components-aura-actions.KnowledgeArticleVersionCreateDraftFromOnlineAction.createDraftFromOnlineArticle=1
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f52ed971");
  # https://supportportal.juniper.net/s/article/In-which-releases-are-vulnerabilities-fixed?r=40&ui-knowledge-components-aura-actions.KnowledgeArticleVersionCreateDraftFromOnlineAction.createDraftFromOnlineArticle=1
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f121aca9");
  # https://supportportal.juniper.net/s/article/Common-Vulnerability-Scoring-System-CVSS-and-Juniper-s-Security-Advisories?r=40&ui-knowledge-components-aura-actions.KnowledgeArticleVersionCreateDraftFromOnlineAction.createDraftFromOnlineArticle=1
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a73cfa7d");
  # https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-A-specific-BGP-UPDATE-message-will-cause-a-crash-in-the-backup-Routing-Engine-CVE-2024-21596
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0ba27a10");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release referenced in Juniper advisory JSA75735");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-21596");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/01/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/01/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/01/30");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/JUNOS/Version");

  exit(0);
}

include('junos.inc');
include('junos_kb_cmd_func.inc');

var ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');

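# Affected ranges from JSA75735: each entry gives the first release of a train (min_ver)
# and the release that carries the fix (fixed_ver).
# The description above also lists 23.1 (fixed in 23.1R2 / 23.1R2-EVO); this list has no 23.1 entry.
# The description words the 22.3-EVO range as "later than 22.3R1-EVO"; here it is entered as a fixed_ver.
var vuln_ranges = [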
  {'min_ver':'0.0', 'fixed_ver':'20.4R3-S9'},
  {'min_ver':'0.0', 'fixed_ver':'21.3R3-S5-EVO'},
  {'min_ver':'21.2', 'fixed_ver':'21.2R3-S7'},
  {'min_ver':'21.3', 'fixed_ver':'21.3R3-S5'},
  {'min_ver':'21.4', 'fixed_ver':'21.4R3-S5'},
  {'min_ver':'21.4', 'fixed_ver':'21.4R3-S5-EVO'},
  {'min_ver':'22.1', 'fixed_ver':'22.1R3-S4'},
  {'min_ver':'22.1', 'fixed_ver':'22.1R3-S4-EVO'},
  {'min_ver':'22.2', 'fixed_ver':'22.2R3-S2'},
  {'min_ver':'22.2', 'fixed_ver':'22.2R3-S2-EVO'},
  {'min_ver':'22.3', 'fixed_ver':'22.3R3-S1'},
  {'min_ver':'22.3', 'fixed_ver':'22.3R1-EVO'},
  {'min_ver':'22.4', 'fixed_ver':'22.4R2-S2', 'fixed_display':'22.4R2-S2, 22.4R3'},
  {'min_ver':'22.4', 'fixed_ver':'22.4R2-S2-EVO', 'fixed_display':'22.4R2-S2-EVO, 22.4R3-EVO'},
  {'min_ver':'23.2', 'fixed_ver':'23.2R1-S2', 'fixed_display':'23.2R1-S2, 23.2R2'},
  {'min_ver':'23.2', 'fixed_ver':'23.2R1-S2-EVO', 'fixed_display':'23.2R1-S2-EVO, 23.2R2-EVO'}
];

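# override stays TRUE when the configuration cannot be read; the result then rests on the version alone.
# When the configuration is available, the host is audited out unless both BGP and nonstop-routing are set.
var override = TRUE;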
var buf = junos_command_kb_item(cmd:'show configuration | display set');
if (buf)
{
  override = FALSE;
  if (!preg(string:buf, pattern:"^set protocols bgp", multiline:TRUE))
    audit(AUDIT_HOST_NOT, 'using a vulnerable configuration');
  if (!preg(string:buf, pattern:"^set routing-options nonstop-routing", multiline:TRUE))
    audit(AUDIT_HOST_NOT, 'affected because the Nonstop Active Routing (NSR) feature is not enabled');
}

var fix = junos_compare_range(target_version:ver, vuln_ranges:vuln_ranges);
if (empty_or_null(fix)) audit(AUDIT_INST_VER_NOT_VULN, 'Junos OS', ver);
junos_report(ver:ver, fix:fix, override:override, severity:SECURITY_WARNING);

Vendor   Product  Version  CPE
juniper  junos             cpe:/o:juniper:junos
