The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesnβt require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(502151);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/18");
script_cve_id("CVE-2020-26145");
script_name(english:"Cisco Multiple Products Use of a Broken or Risky Cryptographic Algorithm (CVE-2020-26145)");
script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
script_set_attribute(attribute:"description", value:
"The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2,
and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all
fragments of a frame are encrypted under the same key. An adversary
can abuse this to decrypt selected fragments when another device sends
fragmented frames and the WEP, CCMP, or GCMP encryption key is
periodically renewed.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
script_set_attribute(attribute:"see_also", value:"https://www.fragattacks.com");
script_set_attribute(attribute:"see_also", value:"https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md");
script_set_attribute(attribute:"see_also", value:"http://www.openwall.com/lists/oss-security/2021/05/11/12");
script_set_attribute(attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html");
script_set_attribute(attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html");
# https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c9516038");
# https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00473.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?be0512b5");
# https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?839210e5");
script_set_attribute(attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2023/04/msg00002.html");
script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-26145");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(327);
script_set_attribute(attribute:"vuln_publication_date", value:"2021/05/11");
script_set_attribute(attribute:"patch_publication_date", value:"2021/05/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/18");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ip_phone_8861_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ip_phone_8865_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ip_phone_8832_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ip_phone_6861_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ip_phone_8821_firmware");
script_set_attribute(attribute:"generated_plugin", value:"former");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tenable.ot");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tenable_ot_api_integration.nasl");
script_require_keys("Tenable.ot/Cisco");
exit(0);
}
include('tenable_ot_cve_funcs.inc');
get_kb_item_or_exit('Tenable.ot/Cisco');
var asset = tenable_ot::assets::get(vendor:'Cisco');
var vuln_cpes = {
"cpe:/o:cisco:ip_phone_6861_firmware" :
{"versionEndExcluding" : "11.3(5)", "family" : "CiscoIPPhones"},
"cpe:/o:cisco:ip_phone_8821_firmware" :
{"versionEndExcluding" : "11.0(6)sr2", "family" : "CiscoIPPhones"},
"cpe:/o:cisco:ip_phone_8832_firmware" :
{"versionEndExcluding" : "14.1(1)", "family" : "CiscoIPPhones"},
"cpe:/o:cisco:ip_phone_8861_firmware" :
{"versionEndExcluding" : "14.1(1)", "family" : "CiscoIPPhones"},
"cpe:/o:cisco:ip_phone_8865_firmware" :
{"versionEndExcluding" : "14.1(1)", "family" : "CiscoIPPhones"}
};
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_NOTE);
Vendor | Product | Version | CPE |
---|---|---|---|
cisco | ip_phone_8861_firmware | cpe:/o:cisco:ip_phone_8861_firmware | |
cisco | ip_phone_8865_firmware | cpe:/o:cisco:ip_phone_8865_firmware | |
cisco | ip_phone_8832_firmware | cpe:/o:cisco:ip_phone_8832_firmware | |
cisco | ip_phone_6861_firmware | cpe:/o:cisco:ip_phone_6861_firmware | |
cisco | ip_phone_8821_firmware | cpe:/o:cisco:ip_phone_8821_firmware |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26145
www.nessus.org/u?839210e5
www.nessus.org/u?be0512b5
www.nessus.org/u?c9516038
www.openwall.com/lists/oss-security/2021/05/11/12
github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md
lists.debian.org/debian-lts-announce/2021/06/msg00019.html
lists.debian.org/debian-lts-announce/2021/06/msg00020.html
lists.debian.org/debian-lts-announce/2023/04/msg00002.html
www.fragattacks.com