nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.TENABLE_OT_CISCO_CVE-2020-3165.NASL
HistoryJul 25, 2023 - 12:00 a.m.

Cisco NX-OS Software Border Gateway Protocol MD5 Authentication Bypass (CVE-2020-3165)

2023-07-2500:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
8
cisco nx-os
bgp
md5 authentication
remote attack
bypass
vulnerability
tcp connection
exploit
tenable.ot scanner

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

0.001 Low

EPSS

Percentile

49.9%

A vulnerability in the implementation of Border Gateway Protocol (BGP) Message Digest 5 (MD5) authentication in Cisco NX-OS Software could allow an unauthenticated, remote attacker to bypass MD5 authentication and establish a BGP connection with the device. The vulnerability occurs because the BGP MD5 authentication is bypassed if the peer does not have MD5 authentication configured, the NX-OS device does have BGP MD5 authentication configured, and the NX-OS BGP virtual routing and forwarding (VRF) name is configured to be greater than 19 characters.
An attacker could exploit this vulnerability by attempting to establish a BGP session with the NX-OS peer. A successful exploit could allow the attacker to establish a BGP session with the NX-OS device without MD5 authentication. The Cisco implementation of the BGP protocol accepts incoming BGP traffic only from explicitly configured peers. To exploit this vulnerability, an attacker must send the malicious packets over a TCP connection that appears to come from a trusted BGP peer. To do so, the attacker must obtain information about the BGP peers in the affected system’s trusted network.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

# Registration pass: when the `description` flag is set, this branch only
# declares the plugin's metadata and then exits, so none of the detection
# statements after the closing brace run during this pass.
if (description)
{
  script_id(501383);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/26");

  script_cve_id("CVE-2020-3165");

  script_name(english:"Cisco NX-OS Software Border Gateway Protocol MD5 Authentication Bypass (CVE-2020-3165)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  # The description lists three conditions that must all hold for the bypass:
  # the peer has no MD5 authentication configured, the NX-OS device does, and
  # the BGP VRF name is longer than 19 characters.
  script_set_attribute(attribute:"description", value:
"A vulnerability in the implementation of Border Gateway Protocol (BGP)
Message Digest 5 (MD5) authentication in Cisco NX-OS Software could
allow an unauthenticated, remote attacker to bypass MD5 authentication
and establish a BGP connection with the device. The vulnerability
occurs because the BGP MD5 authentication is bypassed if the peer does
not have MD5 authentication configured, the NX-OS device does have BGP
MD5 authentication configured, and the NX-OS BGP virtual routing and
forwarding (VRF) name is configured to be greater than 19 characters.
An attacker could exploit this vulnerability by attempting to
establish a BGP session with the NX-OS peer. A successful exploit
could allow the attacker to establish a BGP session with the NX-OS
device without MD5 authentication. The Cisco implementation of the BGP
protocol accepts incoming BGP traffic only from explicitly configured
peers. To exploit this vulnerability, an attacker must send the
malicious packets over a TCP connection that appears to come from a
trusted BGP peer. To do so, the attacker must obtain information about
the BGP peers in the affected system's trusted network.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  # Vendor advisory that the shortened see_also link below is presumably meant to
  # resolve to (the redirect target is not verifiable from this file):
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200226-nxos-bgpmd5
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e3876f25");
  # The solution text carries no fixed-release information; remediation details
  # have to be taken from the vendor advisory itself.
  script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
  # Base and temporal vectors for both CVSS generations; the v3 vectors are
  # declared with the CVSS:3.0 prefix.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3165");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  # NOTE(review): CWE-798 is "Use of Hard-coded Credentials", while the
  # description above describes an authentication bypass tied to the VRF name
  # length - confirm this mapping against the CVE record.
  script_cwe_id(798);

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/02/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/07/25");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  # Affected releases as CPE URIs; %28 and %29 are percent-encoded parentheses,
  # so these read as NX-OS 9.2(1), 9.2(2), 9.2(3) and 9.3(1).
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os:9.2%281%29");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os:9.2%282%29");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os:9.2%283%29");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os:9.3%281%29");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Scheduling constraints: the plugin declares a dependency on the Tenable.ot
  # API integration plugin and requires the Tenable.ot/Cisco KB key.
  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Cisco");

  # End the registration pass here.
  exit(0);
}


include('tenable_ot_cve_funcs.inc');

# Gate on the KB key set for Cisco assets; judging by the helper's name the
# script presumably exits here when the key is absent.
get_kb_item_or_exit('Tenable.ot/Cisco');

# Affected NX-OS releases keyed by CPE URI. Start and end bounds are identical
# for every entry, so each one pins a single release. %28/%29 are
# percent-encoded parentheses: 9.2(1), 9.2(2), 9.2(3), 9.3(1).
var affected_cpes = {
    "cpe:/o:cisco:nx-os:9.2%281%29" : {
        "family" : "NXOS",
        "versionStartIncluding" : "9.2%281%29",
        "versionEndIncluding" : "9.2%281%29"
    },
    "cpe:/o:cisco:nx-os:9.2%282%29" : {
        "family" : "NXOS",
        "versionStartIncluding" : "9.2%282%29",
        "versionEndIncluding" : "9.2%282%29"
    },
    "cpe:/o:cisco:nx-os:9.2%283%29" : {
        "family" : "NXOS",
        "versionStartIncluding" : "9.2%283%29",
        "versionEndIncluding" : "9.2%283%29"
    },
    "cpe:/o:cisco:nx-os:9.3%281%29" : {
        "family" : "NXOS",
        "versionStartIncluding" : "9.3%281%29",
        "versionEndIncluding" : "9.3%281%29"
    }
};

# Asset record for the Cisco vendor, as returned by the Tenable.ot helper.
var cisco_asset = tenable_ot::assets::get(vendor:'Cisco');

# NOTE(review): the only inputs passed here are the asset and the release
# table. Nothing visible in this script inspects the BGP MD5 or VRF-name
# settings that the advisory text lists as preconditions, so a finding most
# likely means "affected release", not "vulnerable configuration" - confirm
# against the device's BGP configuration before prioritising.
tenable_ot::cve::compare_and_report(
    asset:cisco_asset,
    cpes:affected_cpes,
    severity:SECURITY_WARNING
);
Vendor | Product | Version | CPE
cisco | nx-os | 9.2%281%29 | cpe:/o:cisco:nx-os:9.2%281%29
cisco | nx-os | 9.2%282%29 | cpe:/o:cisco:nx-os:9.2%282%29
cisco | nx-os | 9.2%283%29 | cpe:/o:cisco:nx-os:9.2%283%29
cisco | nx-os | 9.3%281%29 | cpe:/o:cisco:nx-os:9.3%281%29

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

0.001 Low

EPSS

Percentile

49.9%
