Rockwell Automation Stratix Industrial Managed Ethernet Switch 7Pk Errors (CVE-2018-0155)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(501771);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");

  script_cve_id("CVE-2018-0155");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/03/17");

  script_name(english:"Rockwell Automation Stratix Industrial Managed Ethernet Switch 7Pk Errors (CVE-2018-0155)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability in the Bidirectional Forwarding Detection (BFD) 
offload implementation could allow an unauthenticated remote attacker 
to cause a crash of the iosd process, causing a DoS condition.
The vulnerability is due to insufficient error handling when the 
BFD header in a BFD packet is incomplete. An attacker could exploit 
this vulnerability by sending a crafted BFD message to or across 
an affected switch. A successful exploit could allow the attacker 
to trigger a reload of the system.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  # https://www.cisa.gov/news-events/ics-advisories/icsa-18-107-05
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?37660900");
  # https://www.rockwellautomation.com/en-us/support/advisory.PN1021.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a252fb13");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-18-107-05");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Rockwell Automation has released the following knowledge base article 1073315:

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1073315/ (login required)

Cisco has released new Snort Rules at https://www.cisco.com/web/software/286271056/117258/sf-rules-2018-03-29-new.html
to help address the following vulnerabilities:

- CVE-2018-0171 - Snort Rule 46096 and 46097
- CVE-2018-0156 - Snort Rule 41725
- CVE-2018-0174 - Snort Rule 46120
- CVE-2018-0172 - Snort Rule 46104
- CVE-2018-0173 - Snort Rule 46119

Cisco adds the following notes for the Smart Install vulnerabilities (CVE-2018-0171 and CVE-2018-0156):

- Smart Install is turned off by express setup; however, upgraded switches but not re-setup may have it enabled.
- Disable the Smart Install feature with the no vstack configuration command if it is not needed or once setup is
complete.
- Users who do use the feature—and need to leave it enabled—can use ACLs to block incoming traffic on TCP port 4786.

CVE-2018-0155: Administrators who do not use the BFD feature in their environments can disable the BFD feature by using
the feature bfd disable command in global configuration mode to prevent exploitation of this vulnerability.
Administrators who do use the BFD feature can implement Control Plane Policing (CoPP) to allow processing of BFD packets
from known BFD peers only and drop all other BFD traffic to limit exposure.

CVE-2018-0167 and CVE-2018-0175 have no specific mitigations in place. See the following Cisco advisory for more
details:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp

Rockwell Automation also recommends that users implement the following general security guidelines:

- Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible
from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may
have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as
secure as the connected devices.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0155");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(755);

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/15");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:rockwellautomation:allen-bradley_stratix_8300_industrial_managed_ethernet_switch");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Rockwell");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Rockwell');

var asset = tenable_ot::assets::get(vendor:'Rockwell');

var vuln_cpes = {
    "cpe:/h:rockwellautomation:allen-bradley_stratix_8300_industrial_managed_ethernet_switch" :
        {"versionEndIncluding" : "15.2(4a)EA5", "family" : "Stratix"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);