Cisco NX-OS Software Label Distribution Protocol Message Vulnerability

2016-05-12T00:00:00
ID OPENVAS:1361412562310105715
Type openvas
Reporter This script is Copyright (C) 2016 Greenbone Networks GmbH
Modified 2017-03-28T00:00:00

Description

A vulnerability in the Label Distribution Protocol (LDP) message processing of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an affected device to stop accepting valid LDP sessions during a 60-second period.

The vulnerability is due to the way certain malformed LDP Hello messages are parsed. An attacker could exploit it by sending malformed LDP Hello messages to an affected device, which could cause the device to stop accepting valid LDP sessions for a 60-second period.

Cisco has confirmed the vulnerability in a security notice; however, software updates are not available.

To exploit this vulnerability, an attacker would likely need access to trusted, internal networks to send LDP Hello messages to an affected device. This access requirement limits the possibility of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

                                        
                                            ###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_cisco_nx_os_Cisco-SA-20140123-CVE-2014-0677.nasl 5745 2017-03-28 09:01:00Z teissa $
#
# Cisco NX-OS Software Label Distribution Protocol Message Vulnerability
#
# Authors:
# Michael Meyer <michael.meyer@greenbone.net>
#
# Copyright:
# Copyright (c) 2016 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

# CPE under which the detection script records the NX-OS version; the host
# check further down passes it to get_app_version().
CPE = "cpe:/o:cisco:nx-os";

# Metadata registration. This branch runs only when the scanner loads the
# plugin in description mode and exits before any host check is performed.
if( description )
{
  # --- Identity and bookkeeping ---
  script_oid( "1.3.6.1.4.1.25623.1.0.105715" );
  script_version( "$Revision: 5745 $" );
  script_name( "Cisco NX-OS Software Label Distribution Protocol Message Vulnerability" );
  script_family( "CISCO" );
  script_copyright( "This script is Copyright (C) 2016 Greenbone Networks GmbH" );
  script_tag( name:"creation_date", value:"2016-05-12 16:38:58 +0200 (Thu, 12 May 2016)" );
  script_tag( name:"last_modification", value:"$Date: 2017-03-28 11:01:00 +0200 (Tue, 28 Mar 2017) $" );

  # Registered as an information-gathering check: the code below only reads
  # knowledge-base entries and compares version strings.
  script_category( ACT_GATHER_INFO );

  # --- Reference and scoring ---
  # CVSS v2 vector: network reachable, low complexity, no authentication,
  # partial availability impact only.
  script_cve_id( "CVE-2014-0677" );
  script_tag( name:"cvss_base", value:"5.0" );
  script_tag( name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:P" );
  script_xref( name:"URL", value:"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140123-CVE-2014-0677" );

  # --- Text shown in scan results ---
  script_tag( name:"vuldetect", value:"Check the version." );
  script_tag( name:"solution", value:"See the referenced vendor advisory for a solution." );
  script_tag( name:"summary", value:"A vulnerability in the Label Distribution Protocol (LDP) message processing of Cisco NX-OS Software
could allow an unauthenticated, remote attacker to cause an affected device to stop accepting valid
LDP sessions during a 60-second period.

The vulnerability is due to how certain malformed LDP Hello messages are parsed. An attacker could
exploit this vulnerability by sending malformed LDP Hello messages to an affected device. An exploit
could allow the attacker to cause an affected device to stop accepting valid LDP sessions during a
60-second period.

Cisco has confirmed the vulnerability in a security notice; however, software updates are not
available.


To exploit this vulnerability, an attacker would likely need access to trusted, internal networks to
send LDP Hello messages to an affected device. This access requirement limits the possibility of a
successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not
known to be publicly available." );

  # --- Result quality and remediation class ---
  # NOTE(review): the summary above states that software updates are not
  # available, while solution_type is "VendorFix". Confirm against the current
  # vendor advisory which of the two is accurate so that scan reports do not
  # promise a fix that does not exist.
  script_tag( name:"qod_type", value:"package" );
  script_tag( name:"solution_type", value:"VendorFix" );

  # --- Scheduling ---
  # The host check consumes the version, model and device entries that the
  # NX-OS detection script stores in the knowledge base; all three keys are
  # declared mandatory here.
  script_dependencies( "gb_cisco_nx_os_version.nasl" );
  script_mandatory_keys( "cisco_nx_os/version", "cisco_nx_os/model", "cisco_nx_os/device" );

  exit( 0 );
}

include("host_details.inc");
include("version_func.inc");

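# Host check: compare the detected NX-OS release against the list of releases
# named as affected. Nothing is sent to the target; every input comes from the
# knowledge base filled by the detection script.

# No recorded NX-OS version means there is nothing to compare.
if( ! version = get_app_version( cpe:CPE ) ) exit( 0 );

# The check applies only to devices whose recorded device string contains "Nexus".
if( ! device = get_kb_item( "cisco_nx_os/device" ) ) exit( 0 );
if( "Nexus" >!< device ) exit( 0 );

if( ! nx_model = get_kb_item( "cisco_nx_os/model" ) ) exit( 0 );

# An affected-release list exists only for models whose name starts with "7".
# Leave with the "not affected" code right away for every other model instead
# of falling through to a loop over a list that was never created.
if( nx_model !~ "^7[0-9]+" ) exit( 99 );

# NOTE(review): the first four entries and "4.2.(2a)" carry a dot in front of
# the parenthesis, unlike every other entry in this list. If the detection
# script records releases in the same "X.Y(Z)" form as the other entries, these
# five strings can never match and devices on those releases are silently
# reported as not affected. Confirm the intended spelling against the vendor
# advisory before relying on a clean result for 4.1 / 4.2 trains.
affected = make_list(
  "4.1.(2)",
  "4.1.(3)",
  "4.1.(4)",
  "4.1.(5)",
  "4.2(3)",
  "4.2(4)",
  "4.2(6)",
  "4.2(8)",
  "4.2.(2a)",
  "5.0(2a)",
  "5.0(3)",
  "5.0(5)",
  "5.1(1)",
  "5.1(1a)",
  "5.1(3)",
  "5.1(4)",
  "5.1(5)",
  "5.1(6)",
  "5.2(1)",
  "5.2(3a)",
  "5.2(4)",
  "5.2(5)",
  "5.2(7)",
  "5.2(9)",
  "6.0(1)",
  "6.0(2)",
  "6.0(3)",
  "6.0(4)",
  "6.1(1)",
  "6.1(2)",
  "6.1(3)",
  "6.1(4)",
  "6.1(4a)",
  "6.2(2)",
  "6.2(2a)"
);

# Exact string comparison: a release that is not spelled exactly as one of the
# entries above (for example an intermediate or later build) is treated as not
# affected. A clean result therefore means "not on this list", not "verified
# fixed".
foreach af( affected )
{
  if( version == af )
  {
    # No fixed release is named here; the report points the reader to the advisory.
    report = report_fixed_ver( installed_version:version, fixed_version:"See advisory" );
    security_message( port:0, data:report );
    exit( 0 );
  }
}

# Detected release is not in the list: report the host as not affected.
exit( 99 );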