Cisco TelePresence CE and TC Software ICMP DoS Vulnerability (cisco-sa-20170503-ctp)

# SPDX-FileCopyrightText: 2017 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:cisco:telepresence_mcu_mse_series_software";

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.811051");
  script_version("2023-07-25T05:05:58+0000");
  script_cve_id("CVE-2017-3825");
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_tag(name:"last_modification", value:"2023-07-25 05:05:58 +0000 (Tue, 25 Jul 2023)");
  script_tag(name:"severity_vector", value:"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2017-07-11 01:33:00 +0000 (Tue, 11 Jul 2017)");
  script_tag(name:"creation_date", value:"2017-05-23 12:24:36 +0530 (Tue, 23 May 2017)");
  script_tag(name:"qod_type", value:"remote_banner");
  script_name("Cisco TelePresence CE and TC Software ICMP DoS Vulnerability (cisco-sa-20170503-ctp)");

  script_tag(name:"summary", value:"Cisco TelePresence Endpoint is prone to a denial of service (DoS) vulnerability.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"The vulnerability is due to incomplete
  input validation for the size of a received ICMP packet.");

  script_tag(name:"impact", value:"Successful exploitation will allow an
  unauthenticated, remote attacker to cause the TelePresence endpoint to
  reload unexpectedly, resulting in a denial of service (DoS) condition.");

  script_tag(name:"affected", value:"Cisco TelePresence products when running
  software release CE8.1.0, CE8.0.0, CE8.1.1, CE8.2.0, CE8.2.1, CE8.2.2,
  CE 8.3.0, or CE8.3.1. Also TC4.2 through TC4.2.4, TC5.1.11, TC5.1.13,
  TC6.0.2 through TC6.0.4, TC6.1.3, TC6.1.4, TC6.3.1 through TC6.3.5, TC7.3.6,
  TC7.3.7, TC7.1.1 through TC7.1.4 are affected. This vulnerability affects the
  following Cisco TelePresence products,
  Spark Room OS,
  TelePresence DX Series,
  TelePresence MX Series,
  TelePresence SX Quick Set Series, and
  TelePresence SX Series.");

  script_tag(name:"solution", value:"Upgrade to Cisco TelePresence Collaboration
  Endpoint (CE) Software release 8.3.2 or later.");

  script_tag(name:"solution_type", value:"VendorFix");
  script_xref(name:"URL", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb95396");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/98293");
  script_xref(name:"URL", value:"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170503-ctp");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2017 Greenbone AG");
  script_family("CISCO");
  script_dependencies("gb_cisco_telepresence_detect_snmp.nasl", "gb_cisco_telepresence_detect_ftp.nasl");
  script_mandatory_keys("cisco/telepresence/version");
  exit(0);
}


include("host_details.inc");
include("version_func.inc");

if(!cisport = get_app_port(cpe:CPE)){
  exit(0);
}

if(!version = get_app_version(cpe:CPE, port:cisport)){
  exit(0);
}

if(!typ = get_kb_item("cisco/telepresence/typ" )) exit( 0 );

## TelePresence MX Series
## http://www.red-thread.com/products/telepresence-mx-series/
## typ !~ 'MX(2|3|7|8)00$' && typ !~ 'G2$' &&  typ !~ ' (42|52)/55$' && typ !~ ' (42|52)/55( Dual$)'
## TelePresence SX Quick Set Series and TelePresence SX Series
## https://blogs.cisco.com/ciscoit/b-c-07232014-cisco-sx-series-adding-tp-to-every-screen
## typ !~ 'SX(1|2|8)0$' && typ !~ 'SpeakerTrack$'
## TelePresence DX Series
## http://cdn2.hubspot.net/hub/160452/file-1411244501-pdf/docs/cisco_dx_series.pdf
## typ !~ 'DX(65|7|8)0$'

## Not covering Spark Room OS
if(typ !~ 'MX(2|3|7|8)00$' && typ !~ 'G2$' &&  typ !~ ' (42|52)/55$' && typ !~ ' (42|52)/55( Dual$)' &&
   typ !~ 'SX(1|2|8)0$' && typ !~ 'SpeakerTrack$' &&
   typ !~ 'DX(65|7|8)0$') {
  exit( 0 );
}

## TE and CE affected but pattern coming like this only
ciscoVer = eregmatch(pattern:"^T[CE]([^$]+$)", string:version, icase:TRUE);
if(isnull(ciscoVer[1])){
  exit(0);
}

verscat = ciscoVer[0];
vers = ciscoVer[1];

if(verscat =~ "^ce.")
{
  if(vers =~ "^8\.0\.0" || vers =~ "^8\.1\.0" || vers =~ "^8\.1\.1" ||
     vers =~ "^8\.2\.0" || vers =~ "^8\.2\.1" || vers =~ "^8\.2\.2" ||
     vers =~ "^8\.3\.0" || vers =~ "^8\.3\.1"){
    fix = "8.3.2";
  }
}

## TC is in maintenance mode, no new release will be made
else if(verscat =~ "^tc.")
{
  if(vers =~ "^4\.2\.[0-4]" || vers =~ "^5\.1\.(11|13)" || vers =~ "^6\.0\.[2-4]" ||
     vers =~ "^6\.1\.[3-4]" || vers =~ "^6\.3\.[1-5]" || vers =~ "^7\.3\.[6-7]" ||
     vers =~ "^7\.1\.[1-4]"){
    fix = "Apply patch from vendor or upgrade to CE8.3.2";
  }
}

if(fix)
{
  report = report_fixed_ver(installed_version:vers, fixed_version:fix);
  security_message( port:cisport, data:report);
  exit(0);
}