#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");

if (description)
{
  script_id(90527);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/20");

  script_cve_id("CVE-2016-1361");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuv17791");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuw56900");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20160311-gsr");

  script_name(english:"Cisco IOS XR GSR 12000 Port Range BFD DoS (cisco-sa-20160311-gsr)");
  script_summary(english:"Checks the IOS XR version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The remote Cisco IOS XR device is a Gigabit Switch Router (GSR)
12000 Series router model and is a version that is missing a
vendor-supplied security patch. It is, therefore, affected by a denial
of service vulnerability in the ASIC UDP ingress receive function due
to improper validation for the presence of a Bidirectional Forwarding
Detection (BFD) header on the UDP packet. An unauthenticated, remote
attacker can exploit this to cause a line-card to unexpectedly restart
by sending to the affected device a specially crafted UDP packet with
a specific UDP port range and Time-to-Live field.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160311-gsr
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?07a86a86");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch referenced in Cisco Security Advisory
cisco-sa-20160311-gsr.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:H/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1361");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xr_version.nasl");
  script_require_keys("Host/Cisco/IOS-XR/Version", "Host/Cisco/IOS-XR/Model");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

flag = FALSE;
override = FALSE;

cbi = "CSCuv17791 / CSCuw56900";

version = get_kb_item_or_exit("Host/Cisco/IOS-XR/Version");
model = get_kb_item_or_exit("Host/Cisco/IOS-XR/Model");

# Only the GSR 12000 Series is in scope for this advisory
if (model !~ "^12[0-9]{3}([^0-9])")
  audit(AUDIT_HOST_NOT, "Cisco 12000 Series");

# Specific versions affected according to Cisco
if (
  version =~ "^3\.3\.3([^0-9])" ||
  version =~ "^3\.4\.[1-3]([^0-9])" ||
  version =~ "^3\.5\.[2-4]([^0-9])" ||
  version =~ "^3\.6\.[0-3]([^0-9])" ||
  version =~ "^3\.7\.[0-1]([^0-9])" ||
  version =~ "^3\.8\.[0-4]([^0-9])" ||
  version =~ "^3\.9\.[0-2]([^0-9])" ||
  version =~ "^4\.0\.[0-3]([^0-9])" ||
  version =~ "^4\.1\.[0-2]([^0-9])" ||
  version =~ "^4\.2\.[0-4]([^0-9])" ||
  version =~ "^4\.3\.[0-2]([^0-9])"
) flag = TRUE;

if (!flag)
  audit(AUDIT_INST_VER_NOT_VULN, "Cisco IOS XR", version);

if (flag && get_kb_item("Host/local_checks_enabled"))
{
  # System has to contain serial network interfaces
  buf = get_kb_item("Host/Cisco/show_ver");
  if (!preg(multiline:TRUE, pattern:"^\d+\s+Serial network interface", string:buf))
    flag = FALSE;

  # Specifically bfd ipv6 checksum MUST be disabled to not be affected
  buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config", "show running-config");
  if (flag && check_cisco_result(buf))
  {
    if (preg(multiline:TRUE, pattern:"^bfd ipv6 checksum disable", string:buf))
      flag = FALSE;
  }
  else if (flag && cisco_needs_enable(buf))
  {
    # The running config could not be read without enable privileges,
    # so keep the finding and pass override to cisco_caveat() in the report
    flag = TRUE;
    override = TRUE;
  }
}

if (!flag)
  audit(AUDIT_HOST_NOT, "affected");

# The fix is 4.3.2 plus a vendor-supplied SMU, so a 4.3.2 version
# string alone does not show whether the fix is installed; report
# 4.3.2 only when paranoid reporting is enabled
if (flag && version =~ "^4\.3\.2([^0-9])" && report_paranoia < 2)
  audit(AUDIT_PARANOID);

report = "";
if (report_verbosity > 0)
{
  order = make_list('Cisco bug ID', 'Installed release', 'Fixed version');
  report = make_array(
    order[0], cbi,
    order[1], version,
    order[2], '4.3.2 with Cisco SMU'
  );
  report = report_items_str(report_items:report, ordered_fields:order);
}

security_warning(port:0, extra:report+cisco_caveat(override));