Juniper Junos OS Vulnerability (JSA79094)

#TRUSTED 49655a5c3294e9177ad93a98c9799bae6062dba39e0ee70deabf09810455af52df7e4a237c1e5b8173080a48ff007e699fc2c5b500e81c8b5230cbafb7a401d2b0ae481c539c655c93de0d7c56a0b8e7afcf5c3e3c1c574bc3e7cbc9458f7c995f30b736a06acc572daa914a1df9c4fac38d76207688f05a9cdfefb1bcf9611a3ba149869a7ce939da2162c8ceae979b398b62991e5fc1edd5527730702ec8b9bd12b60c7f28312072e598fbb7bff361eed49456ee27a6ae26e3d80b2c8756a168b9ee2377ea0ce995b27f77cbefd14d0ec13e4d17c13ba2bc84311750bbf761040377af01693cf7fda50ad5f9ffc8e9b16622fcbde2fb72b807e7aa97ea72d20632335d3690f1435b5ddecdeaa941a56e6f92593f283bded1dc751419f9a33075ae5c524c9a04650ebc479760dfcb3d3af951f395a23c97ab547e7e81e36d340aa7693934a665bbe620c301e1884b9752c887676a61f24a551a1636ee95378ddbf3dd7d28f28df6ddaee3a222c8d2d529d84755a5b8e32bd2c853dcaeeea5588ecdc97d5a701dca0d59ab81f6909cc8127d667309a5e2b0d2c81e3832387d215071238cbe3c805df12099aee4834a4ffdeb3054daab4299f2553b16a59cdaf18cfd459bd36c76d0441b62115038c1fc76fb5a129a64feea5c440537dd4bead4cbce493d66953a6c48bc0307b4a239c6710b539f3628b5e3a840513e7c100526
#TRUST-RSA-SHA256 93798a0afca981d16083de9c3ece338f027e6d438fb6d2751b2681d8645a7cf13b235c40c1d1de9dc998ef6fa55a65ce9e53713327be44215c31382dc8a5b2c17c3fb21695507e468ecdbe2aa2d64ceb6c613bdd8dd6deccb2d44232329f24d30121022e7775902216e3a2c6bf5db99df79608137a18806a769196133b766b58b89f0f448d846e702723aa78b9efd3643b18ce99a545ed5d2e8659fa8346ce59c9f2b6857dc520cb37bb37c71db4d1a97751cd9a4b77f79a3c9b74dedb9e7cbc57bab9af8cbf7e3ba17921f5c38b6542f548f2fc20fae7b3ec1d485a6ce30e5fe1f6cf5a25c04e5c9fde8fdc7dbd4736d0b11f05479249848fc52c8a72d238a3ee0e8ef4623e07c5db73b1e4e00430961489b2c6bc1d4dc9da45904b53da61e6d60d4adb9a3257058e1d7f6165fe70bba45e089b24feacaa9dfb152173490b23a23b3b170938ad1970b11a2d3bca9f0a72a0e52272c93692058326140af22eb44f45daea5d9e4883f349d6fb20c54450d9588e6a3882ac5b9e40c41935a4cdcbd3cbaeab3b46af3e054fc49277f03056bf5a688e8f94fc442c9af4057c288a744b0eb33f65117d80a8276d5fe84bf345a7b42fb5f236f8684b8b229ef2e76f7f77f9fa3b3b358f41808649afcf8dc02663ce8dcd8d3db2c33947ec4b2691a069080c6cabfe12aca679d7682855c5a16916136bd00fdbbd552217f59060103ca1
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(193874);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/25");

  script_cve_id("CVE-2024-30394");
  script_xref(name:"JSA", value:"JSA79094");
  script_xref(name:"IAVA", value:"2024-A-0232");

  script_name(english:"Juniper Junos OS Vulnerability (JSA79094)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The version of Junos OS installed on the remote host is affected by a vulnerability as referenced in the JSA79094
advisory.

  - A Stack-based Buffer Overflow vulnerability in the Routing Protocol Daemon (rpd) component of Junos OS and
    Junos OS Evolved allows an unauthenticated, network-based attacker to cause an rpd crash, leading to
    Denial of Service (DoS). (CVE-2024-30394)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://supportportal.juniper.net/s/article/2024-04-Security-Bulletin-Junos-OS-A-specific-EVPN-type-5-route-causes-rpd-crash-CVE-2024-30394
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d8a28d66");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release referenced in Juniper advisory JSA79094");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-30394");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/04/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/04/25");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/JUNOS/Version");

  exit(0);
}

include('junos.inc');
include('junos_kb_cmd_func.inc');


var ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');

var vuln_ranges;
if (ver =~ 'EVO$')
{
  vuln_ranges = [
    {'min_ver':'0.0', 'fixed_ver':'21.4R3-S5-EVO'},
    {'min_ver':'22.1', 'fixed_ver':'22.1R3-S4-EVO'},
    {'min_ver':'22.2', 'fixed_ver':'22.2R3-S2-EVO'},
    {'min_ver':'22.3', 'fixed_ver':'22.3R3-S1-EVO'},
    {'min_ver':'22.4', 'fixed_ver':'22.4R3-EVO'},
    {'min_ver':'23.2', 'fixed_ver':'23.2R2-EVO'},
  ];
}
else
{
  vuln_ranges = [
    {'min_ver':'0.0', 'fixed_ver':'21.2R3-S7'},
    {'min_ver':'21.4', 'fixed_ver':'21.4R3-S5'},
    {'min_ver':'22.1', 'fixed_ver':'22.1R3-S4'},
    {'min_ver':'22.2', 'fixed_ver':'22.2R3-S2'},
    {'min_ver':'22.3', 'fixed_ver':'22.3R3-S1'},
    {'min_ver':'22.4', 'fixed_ver':'22.4R3'},
    {'min_ver':'23.2', 'fixed_ver':'23.2R2'},
  ];
}

var override = TRUE;
var buf = junos_command_kb_item(cmd:'show configuration');
if (buf)
{
  override = FALSE;
  if (!preg(string:buf, pattern:"protocols evpn", multiline:TRUE))
    audit(AUDIT_HOST_NOT, 'running a vulnerable configuration');
}

var fix = junos_compare_range(target_version:ver, vuln_ranges:vuln_ranges);
if (empty_or_null(fix)) 
  audit(AUDIT_INST_VER_NOT_VULN, 'Junos OS', ver);

junos_report(ver:ver, fix:fix, override:override, severity:SECURITY_HOLE);