CVE-2018-0136 - Unspecified vulnerability in Cisco IOS XR 5.3.4

CVSS 7.8 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: COMPLETE
Tags: network, low complexity, cisco, nessus

Summary

A vulnerability in the IPv6 subsystem of Cisco IOS XR Software Release 5.3.4 for the Cisco Aggregation Services Router (ASR) 9000 Series could allow an unauthenticated, remote attacker to trigger a reload of one or more Trident-based line cards, resulting in a denial of service (DoS) condition. The vulnerability is due to incorrect handling of IPv6 packets with a fragment header extension. An attacker could exploit this vulnerability by sending IPv6 packets designed to trigger the issue either to or through the Trident-based line card. A successful exploit could allow the attacker to trigger a reload of Trident-based line cards, resulting in a DoS during the period of time the line card takes to restart. This vulnerability affects Cisco Aggregation Services Router (ASR) 9000 Series when the following conditions are met: The router is running Cisco IOS XR Software Release 5.3.4, and the router has installed Trident-based line cards that have IPv6 configured. A software maintenance upgrade (SMU) has been made available that addresses this vulnerability. The fix has also been incorporated into service pack 7 for Cisco IOS XR Software Release 5.3.4. Cisco Bug IDs: CSCvg46800.

Nessus

NASL family: CISCO
NASL id: CISCO-SA-20180131-IPV6.NASL
description: According to its self-reported version, Cisco IOS XR Software is affected by a denial of service (DoS) vulnerability in the IPv6 subsystem due to incorrect handling of IPv6 packets with a fragment header extension. An unauthenticated, remote attacker can exploit this, by sending IPv6 packets designed to trigger the issue either to or through the Trident-based line card, in order to trigger a reload of Trident-based line cards and cause a denial of service. This vulnerability affects only Cisco Aggregation Services Router (ASR) 9000 Series devices. Please see the included Cisco BIDs and Cisco Security Advisory for more information.
last seen: 2020-03-17
modified: 2020-02-21
plugin id: 133861
published: 2020-02-21
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/133861
title: Cisco Aggregation Services Router 9000 Series IPv6 Fragment Header DoS (cisco-sa-20180131-ipv6)
code:
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(133861);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  script_cve_id("CVE-2018-0136");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvg46800");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180131-ipv6");

  script_name(english:"Cisco Aggregation Services Router 9000 Series IPv6 Fragment Header DoS (cisco-sa-20180131-ipv6)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XR Software is affected by a denial of service (DoS) vulnerability
in the IPv6 subsystem due to incorrect handling of IPv6 packets with a fragment header extension. An unauthenticated,
remote attacker can exploit this, by sending IPv6 packets designed to trigger the issue either to or through the
Trident-based line card, in order to trigger a reload of Trident-based line cards and cause a denial of service. This
vulnerability affects only Cisco Aggregation Services Router (ASR) 9000 Series devices.

Please see the included Cisco BIDs and Cisco Security Advisory for more information");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180131-ipv6
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ae7d2a6f");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg46800");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvg46800.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0136");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/01/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xr_version.nasl", "cisco_enum_smu.nasl");
  script_require_keys("Host/Cisco/IOS-XR/Version", "Host/Cisco/IOS-XR/Model");

  exit(0);
}

include('audit.inc');
include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco IOS XR');

if (cisco::cisco_is_switch())
  audit(AUDIT_HOST_NOT, "an affected Cisco router");

model = toupper(get_kb_item('CISCO/model'));
if (empty_or_null(model))
  model = product_info['model'];

if ('ASR9' >!< model)
  audit(AUDIT_HOST_NOT, 'an affected model');

version_list = make_list('5.3.4');

vuln_line_cards = make_list(
  "^\s*PID:\s+A9K-40GE-L",
  "^\s*PID:\s+A9K-40GE-B",
  "^\s*PID:\s+A9K-40GE-E",
  "^\s*PID:\s+A9K-4T-L",
  "^\s*PID:\s+A9K-4T-B",
  "^\s*PID:\s+A9K-4T-E",
  "^\s*PID:\s+A9K-8T/4-L",
  "^\s*PID:\s+A9K-8T/4-B",
  "^\s*PID:\s+A9K-8T/4-E",
  "^\s*PID:\s+A9K-2T20GE-L",
  "^\s*PID:\s+A9K-2T20GE-B",
  "^\s*PID:\s+A9K-2T20GE-E",
  "^\s*PID:\s+A9K-8T-L",
  "^\s*PID:\s+A9K-8T-B",
  "^\s*PID:\s+A9K-8T-E",
  "^\s*PID:\s+A9K-16/8T-B"
);

smus['5.3.4'] = make_list('CSCvg46800', 'asr9k-px.5.3.4.sp7');

workarounds = make_list(CISCO_WORKAROUNDS['ios_xr_line_cards'], CISCO_WORKAROUNDS['ios_xr_ipv6']);
workaround_params = make_array('vuln_line_cards', vuln_line_cards);

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_HOLE,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvg46800',
  'cmds'     , make_list('show diag', 'show ipv6 interface brief', 'show ipv6 vrf all interface')
);
cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_versions:version_list,
  smus:smus,
  require_all_workarounds:TRUE
);