Cisco NX-OS Software Label Distribution Protocol Message Vulnerability

2016-05-12T00:00:00
ID OPENVAS:1361412562310105715
Type openvas
Reporter This script is Copyright (C) 2016 Greenbone Networks GmbH
Modified 2018-11-12T00:00:00

Description

A vulnerability in the Label Distribution Protocol (LDP) message processing of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an affected device to stop accepting valid LDP sessions during a 60-second period.

The vulnerability is due to how certain malformed LDP Hello messages are parsed. An attacker could exploit this vulnerability by sending malformed LDP Hello messages to an affected device. An exploit could allow the attacker to cause an affected device to stop accepting valid LDP sessions during a 60-second period.

Cisco has confirmed the vulnerability in a security notice. However, software updates are not available.

To exploit this vulnerability, an attacker would likely need access to trusted, internal networks to send LDP Hello messages to an affected device. This access requirement limits the possibility of a successful exploit.

Cisco indicates through the CVSS score (its temporal exploitability metric) that functional exploit code exists. However, the code is not known to be publicly available.

                                        
                                            ###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_cisco_nx_os_Cisco-SA-20140123-CVE-2014-0677.nasl 12313 2018-11-12 08:53:51Z asteins $
#
# Cisco NX-OS Software Label Distribution Protocol Message Vulnerability
#
# Authors:
# Michael Meyer <michael.meyer@greenbone.net>
#
# Copyright:
# Copyright (c) 2016 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

# CPE identifier passed to get_app_version() further down to look up the detected NX-OS version.
CPE = "cpe:/o:cisco:nx-os";

# Description pass: register this NVT's metadata, then leave via exit(0) before any check code runs.
if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.105715");
  script_cve_id("CVE-2014-0677");
  # CVSS v2 base score and vector: network attack vector, low complexity, no authentication,
  # partial availability impact, no confidentiality or integrity impact.
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_version("$Revision: 12313 $");

  script_name("Cisco NX-OS Software Label Distribution Protocol Message Vulnerability");

  # NOTE(review): the advisory reference uses plain http; confirm whether an https URL should be used.
  script_xref(name:"URL", value:"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140123-CVE-2014-0677");

  # Detection is a comparison of the recorded version string against a fixed list (see the check code below);
  # nothing in this script sends LDP traffic to the target.
  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"solution", value:"See the referenced vendor advisory for a solution.");
  # The summary is a multi-line string literal; its embedded line breaks and indentation are part of the value.
  script_tag(name:"summary", value:"A vulnerability in the Label Distribution Protocol (LDP) message processing of Cisco NX-OS Software
  could allow an unauthenticated, remote attacker to cause an affected device to stop accepting valid
  LDP sessions during a 60-second period.

  The vulnerability is due to how certain malformed LDP Hello messages are parsed. An attacker could
  exploit this vulnerability by sending malformed LDP Hello messages to an affected device. An exploit
  could allow the attacker to cause an affected device to stop accepting valid LDP sessions during a
  60-second period.

  Cisco has confirmed the vulnerability in a security notice. However, software updates are not
  available.

  To exploit this vulnerability, an attacker would likely need access to trusted, internal networks to
  send LDP Hello messages to an affected device. This access requirement limits the possibility of a
  successful exploit.

  Cisco indicates through the CVSS score that functional exploit code exists. However, the code is not
  known to be publicly available.");

  script_tag(name:"qod_type", value:"package");
  # NOTE(review): solution_type is "VendorFix" while the summary above states that software updates
  # are not available - confirm against the current vendor advisory which of the two is accurate.
  script_tag(name:"solution_type", value:"VendorFix");

  script_tag(name:"last_modification", value:"$Date: 2018-11-12 09:53:51 +0100 (Mon, 12 Nov 2018) $");
  script_tag(name:"creation_date", value:"2016-05-12 16:38:58 +0200 (Thu, 12 May 2016)");
  script_category(ACT_GATHER_INFO);
  script_family("CISCO");
  script_copyright("This script is Copyright (C) 2016 Greenbone Networks GmbH");
  # The check reads the three knowledge-base keys listed below; presumably they are populated by
  # gb_cisco_nx_os_version.nasl - verify against that script.
  script_dependencies("gb_cisco_nx_os_version.nasl");
  script_mandatory_keys("cisco_nx_os/version", "cisco_nx_os/model", "cisco_nx_os/device");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

# Detected NX-OS version for the CPE; without one there is nothing to compare, so stop quietly.
version = get_app_version( cpe:CPE );
if( ! version ) exit( 0 );

# Device type from the knowledge base; the check only continues for entries containing "Nexus".
device = get_kb_item( "cisco_nx_os/device" );
if( ! device ) exit( 0 );
if( ! ( "Nexus" >< device ) ) exit( 0 );

# Model string, used below to select the list of affected releases.
nx_model = get_kb_item( "cisco_nx_os/model" );
if( ! nx_model ) exit( 0 );

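# Build the list of affected releases. Only model strings that start with "7" followed by
# digits carry a list here (presumably the Nexus 7000 series - confirm against the advisory).
#
# Every entry uses the NX-OS release form <major>.<minor>(<maintenance>). Five entries were
# previously written with a stray dot before the parenthesis ("4.1.(2)" style); a string in
# that form would not equal a version reported in the usual X.Y(Z) form, so those releases
# would be silently missed (false negative).
# NOTE(review): confirm the five corrected entries against the vendor advisory.
if( nx_model =~ "^7[0-9]+" )
{
  affected = make_list(
    "4.1(2)",
    "4.1(3)",
    "4.1(4)",
    "4.1(5)",
    "4.2(3)",
    "4.2(4)",
    "4.2(6)",
    "4.2(8)",
    "4.2(2a)",
    "5.0(2a)",
    "5.0(3)",
    "5.0(5)",
    "5.1(1)",
    "5.1(1a)",
    "5.1(3)",
    "5.1(4)",
    "5.1(5)",
    "5.1(6)",
    "5.2(1)",
    "5.2(3a)",
    "5.2(4)",
    "5.2(5)",
    "5.2(7)",
    "5.2(9)",
    "6.0(1)",
    "6.0(2)",
    "6.0(3)",
    "6.0(4)",
    "6.1(1)",
    "6.1(2)",
    "6.1(3)",
    "6.1(4)",
    "6.1(4a)",
    "6.2(2)",
    "6.2(2a)"
  );
}
else
{
  # No release list exists for other models: finish with the same exit code the script
  # uses when no listed release matches, instead of iterating an undefined list later.
  exit( 99 );
}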


# Compare the detected version against each listed release. The match is exact string
# equality, so only releases spelled exactly as in the list are reported; a release that
# is not enumerated is never flagged by this check.
foreach candidate ( affected )
{
  if( version != candidate ) continue;

  # First match wins: report the installed version and point the reader at the advisory.
  report = report_fixed_ver( installed_version:version, fixed_version:"See advisory" );
  security_message( port:0, data:report );
  exit( 0 );
}

# No listed release matched: exit code 99 is the NVT convention for "not vulnerable".
exit( 99 );