This plugin detects the usage of the Treck TCP/IP stack by the host thereby indicating that it could be potentially vulnerable to the Ripple20 vulnerabilities. Patches are being slowly rolled out by vendors and we will release plugins for patches as they are released by the vendors. In the interim, if you have applied the patches from the vendor for the Ripple20 vulnerabilities on this host, please recast the severity of this plugin.
Note: This plugin requires ICMP traffic to be unblocked between the scanner and the host
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(137702);
script_version("1.11");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/04");
script_cve_id(
"CVE-2020-11896",
"CVE-2020-11897",
"CVE-2020-11898",
"CVE-2020-11899",
"CVE-2020-11900",
"CVE-2020-11901",
"CVE-2020-11902",
"CVE-2020-11903",
"CVE-2020-11904",
"CVE-2020-11905",
"CVE-2020-11906",
"CVE-2020-11907",
"CVE-2020-11908",
"CVE-2020-11909",
"CVE-2020-11910",
"CVE-2020-11911",
"CVE-2020-11912",
"CVE-2020-11913",
"CVE-2020-11914"
);
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/03/17");
script_xref(name:"CEA-ID", value:"CEA-2020-0052");
script_name(english:"Treck TCP/IP stack multiple vulnerabilities. (Ripple20)");
script_set_attribute(attribute:"synopsis", value:
"The Treck network stack used by the remote host is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"This plugin detects the usage of the Treck TCP/IP stack by the host thereby indicating that it could be potentially
vulnerable to the Ripple20 vulnerabilities. Patches are being slowly rolled out by vendors and we will release plugins
for patches as they are released by the vendors. In the interim, if you have applied the patches from the vendor for the
Ripple20 vulnerabilities on this host, please recast the severity of this plugin.
Note: This plugin requires ICMP traffic to be unblocked between the scanner and the host");
script_set_attribute(attribute:"see_also", value:"https://www.jsof-tech.com/ripple20/");
# https://www.jsof-tech.com/wp-content/uploads/2020/06/JSOF_Ripple20_Technical_Whitepaper_June20.pdf
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?431098c1");
script_set_attribute(attribute:"see_also", value:"https://support.hp.com/emea_africa-en/document/c06640149");
script_set_attribute(attribute:"see_also", value:"https://psirt.bosch.com/security-advisories/BOSCH-SA-662084.html");
script_set_attribute(attribute:"solution", value:
"Apply the relevant patches as they become available.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11897");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/06/17");
script_set_attribute(attribute:"patch_publication_date", value:"2020/06/17");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/22");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"x-cpe:/a:treck:tcp_ip");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("treck_detect.nbin", "treck_detect2.nbin", "treck_ip_opt7.nbin", "ssh_get_info.nasl", "os_fingerprint.nasl", "snmp_sysDesc.nasl", "snmp_cisco_type.nasl");
script_require_keys("treck_network_stack");
exit(0);
}
##
# Determine if we've got Cisco
# @return TRUE if we're reasonably confident the target is Cisco, otherwise FALSE.
##
function is_cisco()
{
local_var cisco_list, os, confidence, cisco_model, cisco_model_desc;
# Check if local detections look like Cisco
cisco_list = get_kb_list('Host/Cisco/*');
if (!empty_or_null(cisco_list))
return TRUE;
# If we're relatively confident it's Cisco, return TRUE
os = toupper(get_kb_item('Host/OS'));
confidence = get_kb_item('Host/OS/Confidence');
if ('CISCO' >< os && confidence >= 75)
return TRUE;
# If SNMP looks like it's Cisco, return TRUE
cisco_model = get_kb_item('CISCO/model');
cisco_model_desc = get_kb_item('CISCO/model_desc');
if (!empty_or_null(cisco_model) && !empty_or_null(cisco_model_desc))
return TRUE;
return FALSE;
}
##
# Determine if we've got StarOS
# @return TRUE if the target looks at all like StarOS, otherwise FALSE.
##
function is_staros()
{
local_var os, cisco_model, cisco_model_desc;
# If we locally detected StarOS, return TRUE
if(get_kb_item('Host/Cisco/StarOS'))
return TRUE;
# If the OS is StarOS, return TRUE
os = toupper(get_kb_item('Host/OS'));
if ('STAROS' >< os)
return TRUE;
# If SNMP looks like it's a StarOS device, return TRUE
cisco_model = get_kb_item('CISCO/model');
cisco_model_desc = get_kb_item('CISCO/model_desc');
if (!empty_or_null(cisco_model) && cisco_model =~ "ciscoASR5[50]00")
return TRUE;
if (!empty_or_null(cisco_model_desc) && cisco_model_desc =~ "Cisco Systems ASR5[50]00")
return TRUE;
return FALSE;
}
##
# Determine if we've got unaffected versions of HP iLO
# @return TRUE if the target is an unaffected HP iLO, otherwise FALSE.
# Based on https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf04012en_us
##
function is_hpilo()
{
var os, hpilo_gen, hpilo_fw, hpilo_model, hpilo_card, hpilo_moon;
# If we detected HP iLO, return TRUE
if(get_kb_item('Host/OS/ilo_detect'))
return TRUE;
# If the OS is HP iLO, return TRUE
os = toupper(get_kb_item('Host/OS'));
if ('LIGHTS-OUT' >< os)
return TRUE;
# Define generation, firmware version, model, card, and if it's a Moonshot
hpilo_gen = get_kb_item('ilo/generation');
hpilo_fw = get_kb_item('ilo/firmware');
hpilo_model = get_kb_item('www/ilo/server_model');
hpilo_moon = get_kb_item('www/ilo/moonshot');
hpilo_card = get_kb_item('ilo/cardtype');
# Now check to exclude unaffected models. TRUE if unaffected based on model, generation, and version.
if(empty_or_null(hpilo_moon))
{
if ((!empty_or_null(hpilo_gen)) && (!empty_or_null(hpilo_fw)))
{
if(('gen10' >< tolower(hpilo_model)) && (hpilo_gen == 5))
{
if(ver_compare(fix:"2.18", ver:hpilo_fw, strict:FALSE) >= 0)
return TRUE;
}
else if(hpilo_gen == 4)
{
if(ver_compare(fix:"2.75", ver:hpilo_fw, strict:FALSE) >= 0)
return TRUE;
}
else if(hpilo_gen == 3)
{
if(ver_compare(fix:"1.93", ver:hpilo_fw, strict:FALSE) >= 0)
return TRUE;
}
}
}
else if ((!empty_or_null(hpilo_fw)) && (!empty_or_null(hpilo_card)) && (!empty_or_null(hpilo_model)))
{
if(('proliant' >< tolower(hpilo_card)) && ('m750' >< tolower(hpilo_model)))
{
if(ver_compare(fix:"2.30", ver:hpilo_fw, strict:FALSE) >= 0)
return TRUE;
}
}
return FALSE;
}
get_kb_item_or_exit('treck_network_stack');
var prod;
if(is_cisco() && !is_staros())
prod = 'Cisco';
else if(is_hpilo())
prod = 'HP iLO';
if (((!is_cisco() && !is_staros() && !is_hpilo())) || # vuln HP iLO or non-Cisco/StarOS device
((!is_hpilo() && is_cisco() && is_staros())) || # vuln StarOS device
((!is_hpilo() && !is_cisco() && is_staros()))) # vuln StarOS device low conf
{
var report = '\n Detected Treck TCP\\IP network stack.';
security_report_v4(port:0, severity:SECURITY_HOLE, extra:report);
}
else
audit(AUDIT_HOST_NOT, 'a vulnerable ' + prod + ' product');
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11896
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11897
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11898
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11899
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11900
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11901
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11902
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11903
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11904
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11905
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11906
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11907
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11908
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11909
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11910
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11911
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11912
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11913
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11914
www.nessus.org/u?431098c1
psirt.bosch.com/security-advisories/BOSCH-SA-662084.html
support.hp.com/emea_africa-en/document/c06640149
www.jsof-tech.com/ripple20/