CVE-2019-1601 - Improper Access Control vulnerability in Cisco NX-OS

047910
CVSS 7.2 - HIGH

  • Attack vector: LOCAL
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: COMPLETE
  • Integrity impact: COMPLETE
  • Availability impact: COMPLETE

Tags: local, low complexity, cisco, CWE-284, nessus

Summary

A vulnerability in the filesystem permissions of Cisco NX-OS Software could allow an authenticated, local attacker to gain read and write access to a critical configuration file. The vulnerability is due to a failure to impose strict filesystem permissions on the targeted device. An attacker could exploit this vulnerability by accessing and modifying restricted files. A successful exploit could allow an attacker to use the content of this configuration file to bypass authentication and log in as any user of the device.

  • MDS 9000 Series Multilayer Switches are affected in versions prior to 6.2(25), 8.1(1b), and 8.3(1).
  • Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I4(9) and 7.0(3)I7(4).
  • Nexus 3500 Platform Switches are affected in versions prior to 6.0(2)A8(10) and 7.0(3)I7(4).
  • Nexus 3600 Platform Switches are affected in versions prior to 7.0(3)F3(5).
  • Nexus 2000, 5500, 5600, and 6000 Series Switches are affected in versions prior to 7.1(5)N1(1b) and 7.3(3)N1(1).
  • Nexus 7000 and 7700 Series Switches are affected in versions prior to 6.2(22), 7.3(3)D1(1), and 8.2(3).
  • Nexus 9000 Series Switches-Standalone are affected in versions prior to 7.0(3)I4(9) and 7.0(3)I7(4).
  • Nexus 9500 R-Series Line Cards and Fabric Modules are affected in versions prior to 7.0(3)F3(5).

Vulnerable Configurations

Part      Description  Count
OS        Cisco        350
Hardware  Cisco        12

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Embedding Scripts within Scripts
    An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to run his or her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into a script that is likely to be executed. If this is done, the attacker can potentially launch a variety of probes and attacks against the web server's local environment (in many cases the so-called DMZ), back-end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. These attacks are not limited to the server side; client-side scripts such as Ajax and client-side JavaScript can contain malicious scripts as well. In general, all that is required is a script that there are sufficient privileges to execute but that is not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

  • NASL family: CISCO
    NASL id: CISCO-SA-20190306-NXOS-FILE-ACCESS.NASL
    description: According to its self-reported version, Cisco NX-OS Software is affected by a vulnerability in its filesystem permissions that could allow an authenticated, local attacker to gain read and write access to a critical configuration file. The vulnerability is due to a failure to impose strict filesystem permissions on the targeted device. An attacker could exploit this vulnerability by accessing and modifying restricted files. A successful exploit could allow an attacker to use the content of this configuration file to bypass authentication and log in as any user of the device. (CVE-2019-1601) Please see the included Cisco BIDs and Cisco Security Advisory for more information.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127111
    published: 2019-07-30
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127111
    title: Cisco NX-OS Software Unauthorized Filesystem Access Vulnerability
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127111);
      script_version("1.5");
      script_cvs_date("Date: 2019/12/20");
    
      script_cve_id("CVE-2019-1601");
      script_bugtraq_id(107404);
      script_xref(name:"CISCO-BUG-ID", value:"CSCvi42317");
      script_xref(name:"CISCO-BUG-ID", value:"CSCvi42331");
      script_xref(name:"CISCO-BUG-ID", value:"CSCvi96476");
      script_xref(name:"CISCO-BUG-ID", value:"CSCvi96478");
      script_xref(name:"CISCO-BUG-ID", value:"CSCvi96486");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20190306-nxos-file-access");
    
      script_name(english:"Cisco NX-OS Software Unauthorized Filesystem Access Vulnerability");
      script_summary(english:"Checks the version of Cisco NX-OS Software");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is missing a vendor-supplied security patch");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, Cisco NX-OS Software is affected by a vulnerability in the filesystem
    permissions of Cisco NX-OS Software could allow an authenticated, local attacker to gain read and write access to a
    critical configuration file. The vulnerability is due to a failure to impose strict filesystem permissions on the
    targeted device. An attacker could exploit this vulnerability by accessing and modifying restricted files. A successful
    exploit could allow an attacker to use the content of this configuration file to bypass authentication and log in as any
    user of the device. (CVE-2019-1601)
    
    Please see the included Cisco BIDs and Cisco Security Advisory for more information");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-file-access
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fdaf1d8f");
      script_set_attribute(attribute:"see_also", value:"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-70757");
      script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi42317");
      script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi42331");
      script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi96476");
      script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi96478");
      script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi96486");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvi42317, CSCvi42331, CSCvi96476, CSCvi96478,
    and/or CSCvi96486");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1601");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_cwe_id(284);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/03/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/30");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CISCO");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("cisco_nxos_version.nasl");
      script_require_keys("Host/Cisco/NX-OS/Version", "Host/Cisco/NX-OS/Model", "Host/Cisco/NX-OS/Device");
    
      exit(0);
    }
    
    include('audit.inc');
    include('cisco_workarounds.inc');
    include('ccf.inc');
    
    product_info = cisco::get_product_info(name:'Cisco NX-OS Software');
    
    cbi = '';
    
    if (product_info.device == 'MDS' && product_info.model =~ '^90[0-9][0-9]')
      cbi = 'CSCvi42331';
    
    if (product_info.device == 'Nexus')
    {
      if (product_info.model =~ '^(20|5[56]|60)[0-9][0-9]')
        cbi = 'CSCvi96478';
      if (product_info.model =~ '^(30|90)[0-9][0-9]')
        cbi = 'CSCvi42317';
      if (product_info.model =~ '^35[0-9][0-9]')
        cbi = 'CSCvi96476';
      if (product_info.model =~ '^(36|95)[0-9][0-9]')
        cbi = 'CSCvi96486';
      if (product_info.model =~ '^7[07][0-9][0-9]')
        cbi = 'CSCvi42331';
    }
    
    if (empty_or_null(cbi)) audit(AUDIT_HOST_NOT, 'affected');
    
    version_list=make_list(
      '8.2(2)',
      '8.2(1)',
      '8.1(1a)',
      '8.1(1)',
      '8.0(1)',
      '7.3(2)N1(1)',
      '7.3(2)D1(3a)',
      '7.3(2)D1(3)',
      '7.3(2)D1(2)',
      '7.3(2)D1(1)',
      '7.3(1)N1(1)',
      '7.3(1)DY(1)',
      '7.3(1)D1(1)',
      '7.3(0)N1(1)',
      '7.3(0)DY(1)',
      '7.3(0)DX(1)',
      '7.3(0)D1(1)',
      '7.2(2)D1(2)',
      '7.2(2)D1(1)',
      '7.2(1)N1(1)',
      '7.2(1)D1(1)',
      '7.2(0)N1(1)',
      '7.2(0)D1(1)',
      '7.1(5)N1(1)',
      '7.1(4)N1(1)',
      '7.1(3)N1(2)',
      '7.1(3)N1(1)',
      '7.1(2)N1(1)',
      '7.1(1)N1(1)',
      '7.1(0)N1(1b)',
      '7.1(0)N1(1a)',
      '7.1(0)N1(1)',
      '7.0(8)N1(1)',
      '7.0(7)N1(1)',
      '7.0(6)N1(1)',
      '7.0(5)N1(1a)',
      '7.0(5)N1(1)',
      '7.0(4)N1(1)',
      '7.0(3)N1(1)',
      '7.0(3)IX1(2a)',
      '7.0(3)IX1(2)',
      '7.0(3)I7(3)',
      '7.0(3)I7(2)',
      '7.0(3)I7(1)',
      '7.0(3)I6(2)',
      '7.0(3)I6(1)',
      '7.0(3)I5(2)',
      '7.0(3)I5(1)',
      '7.0(3)I4(8z)',
      '7.0(3)I4(8b)',
      '7.0(3)I4(8a)',
      '7.0(3)I4(8)',
      '7.0(3)I4(7)',
      '7.0(3)I4(6)',
      '7.0(3)I4(5)',
      '7.0(3)I4(4)',
      '7.0(3)I4(3)',
      '7.0(3)I4(2)',
      '7.0(3)I4(1)',
      '7.0(3)I3(1)',
      '7.0(3)I2(5)',
      '7.0(3)I2(4)',
      '7.0(3)I2(3)',
      '7.0(3)I2(2e)',
      '7.0(3)I2(2d)',
      '7.0(3)I2(2c)',
      '7.0(3)I2(2b)',
      '7.0(3)I2(2a)',
      '7.0(3)I2(1)',
      '7.0(3)I1(3b)',
      '7.0(3)I1(3a)',
      '7.0(3)I1(3)',
      '7.0(3)I1(2)',
      '7.0(3)I1(1b)',
      '7.0(3)I1(1a)',
      '7.0(3)I1(1)',
      '7.0(3)F3(4)',
      '7.0(3)F3(3a)',
      '7.0(3)F3(3)',
      '7.0(3)F3(2)',
      '7.0(3)F3(1)',
      '7.0(3)F2(2)',
      '7.0(3)F2(1)',
      '7.0(3)F1(1)',
      '7.0(2)N1(1)',
      '7.0(1)N1(1)',
      '7.0(0)N1(1)',
      '6.2(9c)',
      '6.2(9b)',
      '6.2(9a)',
      '6.2(9)',
      '6.2(8b)',
      '6.2(8a)',
      '6.2(8)',
      '6.2(7)',
      '6.2(6b)',
      '6.2(6a)',
      '6.2(6)',
      '6.2(5b)',
      '6.2(5a)',
      '6.2(5)',
      '6.2(3)',
      '6.2(2a)',
      '6.2(23)',
      '6.2(21)',
      '6.2(20a)',
      '6.2(20)',
      '6.2(2)',
      '6.2(19)',
      '6.2(18)',
      '6.2(17)',
      '6.2(16)',
      '6.2(15)',
      '6.2(14)',
      '6.2(13b)',
      '6.2(13a)',
      '6.2(13)',
      '6.2(12)',
      '6.2(11e)',
      '6.2(11d)',
      '6.2(11c)',
      '6.2(11b)',
      '6.2(11)',
      '6.2(10)',
      '6.2(1)',
      '6.1(5a)',
      '6.1(5)',
      '6.1(4a)',
      '6.1(4)',
      '6.1(3)',
      '6.1(2)I3(5b)',
      '6.1(2)I3(5a)',
      '6.1(2)I3(5)',
      '6.1(2)I3(4e)',
      '6.1(2)I3(4d)',
      '6.1(2)I3(4c)',
      '6.1(2)I3(4b)',
      '6.1(2)I3(4a)',
      '6.1(2)I3(4)',
      '6.1(2)I3(3a)',
      '6.1(2)I3(3)',
      '6.1(2)I3(2)',
      '6.1(2)I3(1)',
      '6.1(2)I2(3)',
      '6.1(2)I2(2b)',
      '6.1(2)I2(2a)',
      '6.1(2)I2(2)',
      '6.1(2)I2(1)',
      '6.1(2)I1(3)',
      '6.1(2)I1(1)',
      '6.1(2)',
      '6.1(1)',
      '6.0(2)U6(9)',
      '6.0(2)U6(8)',
      '6.0(2)U6(7)',
      '6.0(2)U6(6)',
      '6.0(2)U6(5c)',
      '6.0(2)U6(5b)',
      '6.0(2)U6(5a)',
      '6.0(2)U6(5)',
      '6.0(2)U6(4a)',
      '6.0(2)U6(4)',
      '6.0(2)U6(3a)',
      '6.0(2)U6(3)',
      '6.0(2)U6(2a)',
      '6.0(2)U6(2)',
      '6.0(2)U6(1a)',
      '6.0(2)U6(10)',
      '6.0(2)U6(1)',
      '6.0(2)U5(4)',
      '6.0(2)U5(3)',
      '6.0(2)U5(2)',
      '6.0(2)U5(1)',
      '6.0(2)U4(4)',
      '6.0(2)U4(3)',
      '6.0(2)U4(2)',
      '6.0(2)U4(1)',
      '6.0(2)U3(9)',
      '6.0(2)U3(8)',
      '6.0(2)U3(7)',
      '6.0(2)U3(6)',
      '6.0(2)U3(5)',
      '6.0(2)U3(4)',
      '6.0(2)U3(3)',
      '6.0(2)U3(2)',
      '6.0(2)U3(1)',
      '6.0(2)U2(6)',
      '6.0(2)U2(5)',
      '6.0(2)U2(4)',
      '6.0(2)U2(3)',
      '6.0(2)U2(2)',
      '6.0(2)U2(1)',
      '6.0(2)U1(4)',
      '6.0(2)U1(3)',
      '6.0(2)U1(2)',
      '6.0(2)U1(1a)',
      '6.0(2)U1(1)',
      '6.0(2)N2(7)',
      '6.0(2)N2(6)',
      '6.0(2)N2(5a)',
      '6.0(2)N2(5)',
      '6.0(2)N2(4)',
      '6.0(2)N2(3)',
      '6.0(2)N2(2)',
      '6.0(2)N2(1b)',
      '6.0(2)N2(1)',
      '6.0(2)N1(2a)',
      '6.0(2)N1(2)',
      '6.0(2)N1(1a)',
      '6.0(2)N1(1)',
      '6.0(2)A8(9)',
      '6.0(2)A8(8)',
      '6.0(2)A8(7b)',
      '6.0(2)A8(7a)',
      '6.0(2)A8(7)',
      '6.0(2)A8(6)',
      '6.0(2)A8(5)',
      '6.0(2)A8(4a)',
      '6.0(2)A8(4)',
      '6.0(2)A8(3)',
      '6.0(2)A8(2)',
      '6.0(2)A8(1)',
      '6.0(2)A7(2a)',
      '6.0(2)A7(2)',
      '6.0(2)A7(1a)',
      '6.0(2)A7(1)',
      '6.0(2)A6(8)',
      '6.0(2)A6(7)',
      '6.0(2)A6(6)',
      '6.0(2)A6(5b)',
      '6.0(2)A6(5a)',
      '6.0(2)A6(5)',
      '6.0(2)A6(4a)',
      '6.0(2)A6(4)',
      '6.0(2)A6(3a)',
      '6.0(2)A6(3)',
      '6.0(2)A6(2a)',
      '6.0(2)A6(2)',
      '6.0(2)A6(1a)',
      '6.0(2)A6(1)',
      '6.0(2)A4(6)',
      '6.0(2)A4(5)',
      '6.0(2)A4(4)',
      '6.0(2)A4(3)',
      '6.0(2)A4(2)',
      '6.0(2)A4(1)',
      '6.0(2)A3(4)',
      '6.0(2)A3(2)',
      '6.0(2)A3(1)',
      '6.0(2)A1(2d)',
      '6.0(2)A1(1f)',
      '6.0(2)A1(1e)',
      '6.0(2)A1(1d)',
      '6.0(2)A1(1c)',
      '6.0(2)A1(1b)',
      '6.0(2)A1(1a)',
      '6.0(2)A1(1)',
      '5.2(9a)',
      '5.2(9)',
      '5.2(8i)',
      '5.2(8h)',
      '5.2(8g)',
      '5.2(8f)',
      '5.2(8e)',
      '5.2(8d)',
      '5.2(8c)',
      '5.2(8b)',
      '5.2(8a)',
      '5.2(8)',
      '5.2(7)',
      '5.2(6b)',
      '5.2(6a)',
      '5.2(6)',
      '5.2(5)',
      '5.2(4)',
      '5.2(3a)',
      '5.2(3)',
      '5.2(2s)',
      '5.2(2d)',
      '5.2(2a)',
      '5.2(2)',
      '5.2(1)N1(9b)',
      '5.2(1)N1(9a)',
      '5.2(1)N1(9)',
      '5.2(1)N1(8b)',
      '5.2(1)N1(8a)',
      '5.2(1)N1(8)',
      '5.2(1)N1(7)',
      '5.2(1)N1(6)',
      '5.2(1)N1(5)',
      '5.2(1)N1(4)',
      '5.2(1)N1(3)',
      '5.2(1)N1(2a)',
      '5.2(1)N1(2)',
      '5.2(1)N1(1b)',
      '5.2(1)N1(1a)',
      '5.2(1)N1(1)',
      '5.2(1)',
      '5.1(3)N2(1c)',
      '5.1(3)N2(1b)',
      '5.1(3)N2(1a)',
      '5.1(3)N2(1)',
      '5.1(3)N1(1a)',
      '5.1(3)N1(1)',
      '5.0(8a)',
      '5.0(8)',
      '5.0(7)',
      '5.0(4d)',
      '5.0(4c)',
      '5.0(4b)',
      '5.0(4)',
      '5.0(3)U5(1j)',
      '5.0(3)U5(1i)',
      '5.0(3)U5(1h)',
      '5.0(3)U5(1g)',
      '5.0(3)U5(1f)',
      '5.0(3)U5(1e)',
      '5.0(3)U5(1d)',
      '5.0(3)U5(1c)',
      '5.0(3)U5(1b)',
      '5.0(3)U5(1a)',
      '5.0(3)U5(1)',
      '5.0(3)U4(1)',
      '5.0(3)U3(2b)',
      '5.0(3)U3(2a)',
      '5.0(3)U3(2)',
      '5.0(3)U3(1)',
      '5.0(3)U2(2d)',
      '5.0(3)U2(2c)',
      '5.0(3)U2(2b)',
      '5.0(3)U2(2a)',
      '5.0(3)U2(2)',
      '5.0(3)U2(1)',
      '5.0(3)U1(2a)',
      '5.0(3)U1(2)',
      '5.0(3)U1(1d)',
      '5.0(3)U1(1c)',
      '5.0(3)U1(1b)',
      '5.0(3)U1(1a)',
      '5.0(3)U1(1)',
      '5.0(3)N2(2b)',
      '5.0(3)N2(2a)',
      '5.0(3)N2(2)',
      '5.0(3)N2(1)',
      '5.0(3)N1(1c)',
      '5.0(3)N1(1b)',
      '5.0(3)N1(1a)',
      '5.0(3)N1(1)',
      '5.0(3)A1(2a)',
      '5.0(3)A1(2)',
      '5.0(3)A1(1)',
      '5.0(2)N2(1a)',
      '5.0(2)N2(1)',
      '5.0(2)N1(1)',
      '5.0(1b)',
      '5.0(1a)',
      '4.2(1)N2(1a)',
      '4.2(1)N2(1)',
      '4.2(1)N1(1)'
    );
    
    workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
    workaround_params = make_list();
    
    
    reporting = make_array(
      'port'     , 0,
      'severity' , SECURITY_HOLE,
      'version'  , product_info['version'],
      'bug_id'   , cbi
    );
    
    cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list);
    
  • NASL family: Junos Local Security Checks
    NASL id: JUNIPER_JSA10980.NASL
    description: According to its self-reported version number, the remote Juniper Junos device is affected by a vulnerability in the path computational element protocol daemon (pccd) process. An unauthenticated, remote attacker can exploit this issue, by sending malformed Path Computation Element Protocol (PCEP) packets to a Junos OS device serving as a Path Computation Client (PCC) in a PCEP environment in order to cause the pccd process to crash and generate a core file, thereby causing a Denial of Service (DoS) condition. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-03-18
    modified: 2020-01-20
    plugin id: 133088
    published: 2020-01-20
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133088
    title: Junos OS: pccd DoS (JSA10980)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(133088);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/01/20");
    
      script_cve_id("CVE-2020-1601");
      script_xref(name:"JSA", value:"JSA10980");
      script_xref(name:"IAVA", value:"2020-A-0012");
    
      script_name(english:"Junos OS: pccd DoS (JSA10980)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is missing a vendor-supplied security patch.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the remote Juniper Junos device is affected by a vulnerability in the
    path computational element protocol daemon (pccd) process. An unauthenticated, remote attacker can exploit this issue,
    by sending malformed Path Computation Element Protocol (PCEP) packets to a Junos OS device serving as a Path Computation
    Client (PCC) in a PCEP environment in order to cause the pccd process to crash and generate a core file, thereby
    causing a Denial of Service (DoS) condition.
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10980");
      script_set_attribute(attribute:"solution", value:
    "Apply the relevant Junos software release referenced in Juniper advisory JSA10980.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1601");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/20");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Junos Local Security Checks");
    
      script_dependencies("junos_version.nasl");
      script_require_keys("Host/Juniper/JUNOS/Version");
      exit(0);
    }
    
    include('audit.inc');
    include('junos.inc');
    include('junos_kb_cmd_func.inc');
    
    ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
    model = get_kb_item('Host/Juniper/model');
    
    fixes = make_array();
    
    if ( model =~ '^SRX')
      fixes['15.1X49'] = '15.1X49-D180';
    
    if (ver =~ "^17.2R([0-1])([^0-9]|$)")
      fixes['17.2'] = '17.2R1-S9';
    else
      fixes['17.2'] = '17.2R3-S2';
    
    fixes['15.1F'] = '15.1F6-S13';
    fixes['15.1R'] = '15.1R7-S4';
    # 15.1X53 versions prior to 15.1X53-D238, 15.1X53-D496, 15.1X53-D592;
    fixes['15.1X53'] = '15.1X53-D238';
    fixes['16.1'] = '16.1R7-S4';
    fixes['16.2'] = '16.2R2-S9';
    fixes['17.1'] = '17.1R2-S11';
    fixes['17.3'] = '17.3R3-S3';
    fixes['17.4'] = '17.4R2-S2';
    fixes['18.1'] = '18.1R3-S2';
    fixes['18.2X75'] = '18.2X75-D40';
    fixes['18.2'] = '18.2R2-S6';
    fixes['18.3'] = '18.3R2';
    fixes['18.4'] = '18.4R1-S2';
    
    fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);
    
    override = TRUE;
    buf = junos_command_kb_item(cmd:'show configuration | display set');
    if (buf)
    {
      override = FALSE;
      pattern = "^set protocols pcep pce .* destination-ipv4-address";
      if (!junos_check_config(buf:buf, pattern:pattern))
        audit(AUDIT_HOST_NOT, 'using a vulnerable configuration');
    }
    
    junos_report(ver:ver, fix:fix, override:override, severity:SECURITY_WARNING);