Cisco NX-OS Software HSRP Authentication Denial of Service Vulnerability

2016-05-12T00:00:00
ID OPENVAS:1361412562310105712
Type openvas
Reporter This script is Copyright (C) 2016 Greenbone Networks GmbH
Modified 2017-03-16T00:00:00

Description

A vulnerability in Hot Standby Router Protocol (HSRP) authentication in the Cisco Nexus series could allow an unauthenticated, adjacent attacker to affect the state of HSRP group members and cause black holing of traffic.

The vulnerability is due to incorrect parsing of malformed HSRP packets. An attacker could exploit this vulnerability by sending malformed HSRP packets to bypass HSRP authentication. An exploit could allow the attacker to bypass HSRP authentication and affect the state of active HSRP group members, causing them to go to SPEAK state, which leads to black holing of traffic and causes a denial of service (DoS) condition.

Cisco has confirmed the vulnerability in a security notice; however, software updates are not available.

Although an attacker does not need to authenticate to a targeted device to exploit this vulnerability, the attacker must be on the same collision or broadcast domain as the targeted device. This access requirement may reduce the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_cisco_nx_os_Cisco-SA-20140611-CVE-2014-3295.nasl 5588 2017-03-16 10:00:36Z teissa $
#
# Cisco NX-OS Software HSRP Authentication Denial of Service Vulnerability
#
# Authors:
# Michael Meyer <michael.meyer@greenbone.net>
#
# Copyright:
# Copyright (c) 2016 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

CPE = "cpe:/o:cisco:nx-os";

if( description )
{
  # Plugin identity and revision bookkeeping.
  script_oid("1.3.6.1.4.1.25623.1.0.105712");
  script_version("$Revision: 5588 $");
  script_tag(name:"last_modification", value:"$Date: 2017-03-16 11:00:36 +0100 (Thu, 16 Mar 2017) $");
  script_tag(name:"creation_date", value:"2016-05-12 16:36:13 +0200 (Thu, 12 May 2016)");
  script_name("Cisco NX-OS Software HSRP Authentication Denial of Service Vulnerability");
  script_category(ACT_GATHER_INFO);
  script_family("CISCO");
  script_copyright("This script is Copyright (C) 2016 Greenbone Networks GmbH");

  # Vulnerability reference and scoring (adjacent-network, no auth, partial I/A).
  script_cve_id("CVE-2014-3295");
  script_tag(name:"cvss_base", value:"4.8");
  script_tag(name:"cvss_base_vector", value:"AV:A/AC:L/Au:N/C:N/I:P/A:P");
  script_xref(name:"URL", value:"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140611-CVE-2014-3295");

  # Report text. The summary is the vendor notice verbatim.
  script_tag(name:"summary", value:"A vulnerability in Hot Standby Router Protocol (HSRP) authentication in the Cisco Nexus series could
allow an unauthenticated, adjacent attacker to affect the state of HSRP group members and cause
black holing of traffic.

The vulnerability is due to incorrect parsing of malformed HSRP packets. An attacker could exploit
this vulnerability by sending malformed HSRP packets to bypass HSRP authentication. An exploit could
allow the attacker to bypass HSRP authentication and affect the state of active HSRP group members,
causing them to go to SPEAK state, which leads to black holing of traffic and causes a denial of
service (DoS) condition.

Cisco has confirmed the vulnerability in a security notice; however, software updates are not
available.


Although an attacker does not need to authenticate to a targeted device to exploit this
vulnerability, the attacker must be on the same collision or broadcast domain of the targeted
device. This access requirement may reduce the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not
known to be publicly available.");
  script_tag(name:"vuldetect", value:"Check the version.");
  # NOTE(review): the summary states that no software updates are available,
  # while solution_type is "VendorFix"; re-check the advisory before relying
  # on this tag for remediation tracking.
  script_tag(name:"solution", value:"See the referenced vendor advisory for a solution.");
  script_tag(name:"solution_type", value:"VendorFix");
  # Detection quality: version string from the NX-OS detection script only.
  script_tag(name:"qod_type", value:"package");

  # Run after NX-OS detection and only when all three KB entries it sets exist.
  script_dependencies("gb_cisco_nx_os_version.nasl");
  script_mandatory_keys("cisco_nx_os/version","cisco_nx_os/model","cisco_nx_os/device");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

# Version string as stored by gb_cisco_nx_os_version.nasl; nothing to check without it.
version = get_app_version( cpe:CPE );
if( ! version ) exit( 0 );

# The advisory covers Nexus devices only; every other NX-OS device is out of scope.
device = get_kb_item( "cisco_nx_os/device" );
if( ! device ) exit( 0 );
if( "Nexus" >!< device ) exit( 0 );

nx_model = get_kb_item( "cisco_nx_os/model" );
if( ! nx_model ) exit( 0 );

# Affected releases are listed only for models whose number starts with 7
# (Nexus 7000 series). Any other model leaves the list empty, so the loop
# below runs zero times and the script ends as "not vulnerable".
affected = NULL;
if( nx_model =~ "^7[0-9]+" )
{
  # NOTE(review): "4.1.(2)" .. "4.1.(5)" and "4.2.(2a)" carry a dot before the
  # parenthesis, unlike every other entry. The comparison below is an exact
  # string match, so a detected version written as "4.1(2)" would not be
  # reported -- confirm the intended spelling against the advisory.
  affected = make_list( "4.1.(2)", "4.1.(3)", "4.1.(4)", "4.1.(5)",
                        "4.2(3)", "4.2(4)", "4.2(6)", "4.2(8)", "4.2.(2a)",
                        "5.0(2a)", "5.0(3)", "5.0(5)",
                        "5.1(1)", "5.1(1a)", "5.1(3)", "5.1(4)", "5.1(5)", "5.1(6)",
                        "5.2(1)", "5.2(3a)", "5.2(4)", "5.2(5)", "5.2(7)", "5.2(9)",
                        "6.0(1)", "6.0(2)", "6.0(3)", "6.0(4)",
                        "6.1(1)", "6.1(2)", "6.1(3)", "6.1(4)", "6.1(4a)",
                        "6.2(2)", "6.2(2a)" );
}

# Exact match only: no range comparison and no normalisation of the version
# string, so a release the list does not spell out is never matched.
foreach vuln_ver( affected )
{
  if( version != vuln_ver ) continue;

  report = report_fixed_ver( installed_version:version, fixed_version:"See advisory" );
  security_message( port:0, data:report );
  exit( 0 );
}

exit( 99 );