Vulnerabilities > CVE-2020-10136 - Authentication Bypass by Spoofing vulnerability in multiple products

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
cisco
digi
hp
treck
CWE-290
nessus
NVD
Published: 2020-06-02
Updated: 2020-07-29

Summary

Multiple products that implement the IP Encapsulation within IP standard (RFC 2003, STD 1) decapsulate and route IP-in-IP traffic without any validation, which could allow an unauthenticated remote attacker to route arbitrary traffic via an exposed network interface and lead to spoofing, access control bypass, and other unexpected network behaviors.

Vulnerable Configurations

Part Description Count
OS
Cisco
256
OS
Digi
1
OS
Hp
1
Hardware
Cisco
57
Hardware
Hp
1
Application
Cisco
2
Application
Treck
5

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Exploitation of Session Variables, Resource IDs and other Trusted Credentials
    Attacks on session IDs and resource IDs take advantage of the fact that some software accepts user input without verifying its authenticity. For example, a message queuing system that allows service requesters to post messages to its queue through an open channel (such as anonymous FTP), authorization is done through checking group or role membership contained in the posted message. However, there is no proof that the message itself, the information in the message (such group or role membership), or indeed the process that wrote the message to the queue are authentic and authorized to do so. Many server side processes are vulnerable to these attacks because the server to server communications have not been analyzed from a security perspective or the processes "trust" other systems because they are behind a firewall. In a similar way servers that use easy to guess or spoofable schemes for representing digital identity can also be vulnerable. Such systems frequently use schemes without cryptography and digital signatures (or with broken cryptography). Session IDs may be guessed due to insufficient randomness, poor protection (passed in the clear), lack of integrity (unsigned), or improperly correlation with access control policy enforcement points. Exposed configuration and properties files that contain system passwords, database connection strings, and such may also give an attacker an edge to identify these identifiers. The net result is that spoofing and impersonation is possible leading to an attacker's ability to break authentication, authorization, and audit controls on the system.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Creating a Rogue Certificate Authority Certificate
    An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .
  • Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
    When web services require callees to authenticate, they sometimes issue a token / secret to the caller that the caller is to use to sign their web service calls. In one such scheme the caller when constructing a request would concatenate all of the parameters passed to the web service with the provided authentication token and then generate a hash of the concatenated string (e.g., MD5, SHA1, etc.). That hash then forms the signature that is passed to the web service which is used on the server side to verify the origin authenticity and integrity of the message. There is a practical attack against an authentication scheme of this nature that makes use of the hash function extension / padding weakness. Leveraging this weakness, an attacker, who does not know the secret token, is able to modify the parameters passed to the web service by generating their own call and still generate a legitimate signature hash. For instance, consider the message to be passed to the web service is M (this message includes the parameters passed to the web service concatenated with the secret token / key bytes). The message M is hashed and that hash is passed to the web service and is used for authentication. The attacker does not know M, but can see Hash (M) and Length (M). The attacker can then compute Hash (M || Padding (M) II M') for any M'. The attacker does not know the entire message M, specifically the attacker does not know the secret bytes, but that does not matter. The attacker is still able to sign their own message M' and make the called web service verify the integrity of the message without an error. Because of the iterative design of the hash function, it is possible, from only the hash of a message and its length, to compute the hash of longer messages that start with the initial message and include the padding required for the initial message to reach a multiple of 512 bits. It is important to note that the attack not limited to MD5 and will work just as well with another hash function like SHA1.
  • Signature Spoof
    An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.

Nessus

NASL familyCISCO
NASL idCISCO-SA-NXOS-IPIP-DOS-KCT9X4.NASL
descriptionAccording to its self-reported version, the Cisco NX-OS Software is affected by a denial of service vulnerability in the network stack due to the affected device unexpectedly decapsulating and processing IP in IP packets that are destined to a locally configured IP address. An unauthenticated, remote attacker can exploit this issue by sending a crafted IP in IP packet to an affected device, to bypass certain security boundaries or cause a denial of service condition on an affected device.
last seen2020-06-10
modified2020-06-05
plugin id137184
published2020-06-05
reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/137184
titleCisco NX-OS Software Unexpected IP in IP Packet Processing Vulnerability (cisco-sa-nxos-ipip-dos-kCT9X4)
code
#TRUSTED 574e88df1445565904ed2a4533ebeceb7cc475bb99e86b4a2aeea41a241c8f76458e841c5e0054d0fd34fafd5193862b5ef658b77a736203fd10a0e3bba7c7cebc2b1e1ec485499d95938820338d1425520c5240f04c9fe13fb7ab1d9c77cff9744e7fbb5433510603be7c6e6ef17ed59980e37add697c28b1bd8914451e3db95135577ea8bad5820380daa6fa17f45134f52cfdec240589a195258517969f4fa97eb041ab6f33e67de8a4a9688c75dbb1bc83c66d02eaaea523b8504c9e02b606aa3336fa7401bdcc0603718eedb271d743e25e03f1e0398271f9c7a4b55ade2c182ece8089f53632f1f60961831bfa5acfb22e133159b6b3020193f8293ae5da4be7d9a87d030fe1196434b1ef3a28d815db6de98e7347a17557b915056e16fcffecf1cf2629724d5092cc662a2f3a734e02bcea8fc4613f9b20684513a28d43854dde1d70b06ba9ffe63e493f0da71725c4cb3b9df0c9e62bd50542b0bf33673737bb083398c12b12f2335b7a13971accf39758cdd0d3d44853dfdafdcc454f930c703536b443bdcb3ddd9075a4d23183d2715772f6f25a72caa395bd336ad0dc48b462ea4d4bd0b3ff013c9700ce8ec6ffb31c35fdc8ac9baa055a3ce685668f4a730e3abc1ac77820b51af9c59ba928e91a2bcddf72e2223b21010b27b9be094a9d21e708114625b3bab615e7933cab515d0c2c04e413fe6a9fb6563396
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(137184);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/08");

  script_cve_id("CVE-2020-10136");
  script_xref(name:"CISCO-BUG-ID", value:"CSCun53663");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt66624");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt67738");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt67739");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt67740");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvu03158");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvu10050");
  script_xref(name:"CISCO-SA", value:"cisco-sa-nxos-ipip-dos-kCT9X4");
  script_xref(name:"IAVA", value:"2020-A-0233");

  script_name(english:"Cisco NX-OS Software Unexpected IP in IP Packet Processing Vulnerability (cisco-sa-nxos-ipip-dos-kCT9X4)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco NX-OS Software is affected by a denial of service vulnerability in
the network stack due to the affected device unexpectedly decapsulating and processing IP in IP packets that are
destined to a locally configured IP address. An unauthenticated, remote attacker can exploit this issue by sending a
crafted IP in IP packet to an affected device, to bypass certain security boundaries or cause a denial of service
condition on an affected device.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0f50ed05");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCun53663");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt66624");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt67738");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt67739");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt67740");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu03158");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu10050");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version or apply the workaround referenced in Cisco bug IDs CSCun53663, CSCvt66624,
CSCvt67738, CSCvt67739, CSCvt67740, CSCvu03158 and CSCvu10050 or alternatively apply the workaround mentioned 
in the advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-10136");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/06/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/06/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/05");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_nxos_version.nasl", "cisco_enum_smu.nasl");
  script_require_keys("Host/Cisco/NX-OS/Version", "Host/Cisco/NX-OS/Model", "Host/Cisco/NX-OS/Device");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco NX-OS Software');

cbi = '';

if ('Nexus' >< product_info.device)
{
  if (product_info.model =~ "^10[0-9][0-9]"){
    cbi = 'CSCvu10050, CSCvt67738';
    version_list = make_list(
      '5.2(1)SK3(1.1)',
      '5.2(1)SK3(2.1)',
      '5.2(1)SK3(2.1a)',
      '5.2(1)SK3(2.2)',
      '5.2(1)SK3(2.2b)',
      '5.2(1)SM1(5.1)',
      '5.2(1)SM1(5.2)',
      '5.2(1)SM1(5.2a)',
      '5.2(1)SM1(5.2b)',
      '5.2(1)SM1(5.2c)',
      '5.2(1)SM3(1.1)',
      '5.2(1)SM3(1.1a)',
      '5.2(1)SM3(1.1b)',
      '5.2(1)SM3(1.1c)',
      '5.2(1)SM3(2.1)',
      '5.2(1)SV3(1.1)',
      '5.2(1)SV3(1.10)',
      '5.2(1)SV3(1.15)',
      '5.2(1)SV3(1.2)',
      '5.2(1)SV3(1.3)',
      '5.2(1)SV3(1.4)',
      '5.2(1)SV3(1.4b)',
      '5.2(1)SV3(1.5a)',
      '5.2(1)SV3(1.5b)',
      '5.2(1)SV3(1.6)',
      '5.2(1)SV3(2.1)',
      '5.2(1)SV3(2.5)',
      '5.2(1)SV3(2.8)',
      '5.2(1)SV3(3.1)',
      '5.2(1)SV3(3.15)',
      '5.2(1)SV3(4.1)',
      '5.2(1)SV3(4.1a)',
      '5.2(1)SV3(4.1b)',
      '5.2(1)SV5(1.1)',
      '5.2(1)SV5(1.2)',
      '5.2(1)SV5(1.3)'
      );
  }

  if (product_info.model =~ "^3[0-9]{3}")
  {
    cbi = 'CSCun53663';
    version_list = make_list(
      '5.0(3)A1(1)',
      '5.0(3)A1(2)',
      '5.0(3)A1(2a)',
      '5.0(3)U1(1)',
      '5.0(3)U1(1a)',
      '5.0(3)U1(1b)',
      '5.0(3)U1(1c)',
      '5.0(3)U1(1d)',
      '5.0(3)U1(2)',
      '5.0(3)U1(2a)',
      '5.0(3)U2(1)',
      '5.0(3)U2(2)',
      '5.0(3)U2(2a)',
      '5.0(3)U2(2b)',
      '5.0(3)U2(2c)',
      '5.0(3)U2(2d)',
      '5.0(3)U3(1)',
      '5.0(3)U3(2)',
      '5.0(3)U3(2a)',
      '5.0(3)U3(2b)',
      '5.0(3)U4(1)',
      '5.0(3)U5(1)',
      '5.0(3)U5(1a)',
      '5.0(3)U5(1b)',
      '5.0(3)U5(1c)',
      '5.0(3)U5(1d)',
      '5.0(3)U5(1e)',
      '5.0(3)U5(1f)',
      '5.0(3)U5(1g)',
      '5.0(3)U5(1h)',
      '5.0(3)U5(1i)',
      '5.0(3)U5(1j)',
      '6.0(2)A1(1)',
      '6.0(2)A1(1a)',
      '6.0(2)A1(1b)',
      '6.0(2)A1(1c)',
      '6.0(2)A1(1d)',
      '6.0(2)A1(1e)',
      '6.0(2)A1(1f)',
      '6.0(2)A1(2d)',
      '6.0(2)A3(1)',
      '6.0(2)A3(2)',
      '6.0(2)A3(4)',
      '6.0(2)A4(1)',
      '6.0(2)A4(2)',
      '6.0(2)A4(3)',
      '6.0(2)A4(4)',
      '6.0(2)A4(5)',
      '6.0(2)A4(6)',
      '6.0(2)U1(1)',
      '6.0(2)U1(1a)',
      '6.0(2)U1(2)',
      '6.0(2)U1(3)',
      '6.0(2)U1(4)',
      '6.0(2)U2(1)',
      '6.0(2)U2(2)',
      '6.0(2)U2(3)',
      '6.0(2)U2(4)',
      '6.0(2)U2(5)',
      '6.0(2)U2(6)',
      '6.0(2)U3(1)',
      '6.0(2)U3(2)',
      '6.0(2)U3(3)',
      '6.0(2)U3(4)',
      '6.0(2)U3(5)',
      '6.0(2)U3(6)',
      '6.0(2)U3(7)',
      '6.0(2)U3(8)',
      '6.0(2)U3(9)',
      '6.0(2)U4(1)',
      '6.0(2)U4(2)',
      '6.0(2)U4(3)',
      '6.0(2)U4(4)',
      '6.1(2)I2(2a)',
      '6.1(2)I2(2b)',
      '6.1(2)I3(1)',
      '6.1(2)I3(2)',
      '6.1(2)I3(3)',
      '6.1(2)I3(3a)',
      '7.0(3)I1(1)',
      '7.0(3)I1(1a)',
      '7.0(3)I1(1b)',
      '7.0(3)I1(1z)'
    );
  }

  if (product_info.model =~ "^5[56][0-9][0-9]"){
    cbi = 'CSCvt67739';
    version_list = make_list(
      '5.2(1)N1(1)',
      '5.2(1)N1(1a)',
      '5.2(1)N1(1b)',
      '5.2(1)N1(2)',
      '5.2(1)N1(2a)',
      '5.2(1)N1(3)',
      '5.2(1)N1(4)',
      '5.2(1)N1(5)',
      '5.2(1)N1(6)',
      '5.2(1)N1(7)',
      '5.2(1)N1(8)',
      '5.2(1)N1(8a)',
      '5.2(1)N1(8b)',
      '5.2(1)N1(9)',
      '5.2(1)N1(9a)',
      '5.2(1)N1(9b)',
      '6.0(2)N1(1)',
      '6.0(2)N1(1a)',
      '6.0(2)N1(2)',
      '6.0(2)N1(2a)',
      '6.0(2)N2(1)',
      '6.0(2)N2(1b)',
      '6.0(2)N2(2)',
      '6.0(2)N2(3)',
      '6.0(2)N2(4)',
      '6.0(2)N2(5)',
      '6.0(2)N2(5a)',
      '6.0(2)N2(5b)',
      '6.0(2)N2(6)',
      '6.0(2)N2(7)',
      '7.0(0)N1(1)',
      '7.0(1)N1(1)',
      '7.0(2)N1(1)',
      '7.0(3)N1(1)',
      '7.0(4)N1(1)',
      '7.0(4)N1(1a)',
      '7.0(5)N1(1)',
      '7.0(5)N1(1a)',
      '7.0(6)N1(1)',
      '7.0(6)N1(2s)',
      '7.0(6)N1(3s)',
      '7.0(6)N1(4s)',
      '7.0(7)N1(1)',
      '7.0(7)N1(1a)',
      '7.0(7)N1(1b)',
      '7.0(8)N1(1)',
      '7.0(8)N1(1a)',
      '7.1(0)N1(1)',
      '7.1(0)N1(1a)',
      '7.1(0)N1(1b)',
      '7.1(1)N1(1)',
      '7.1(1)N1(1a)',
      '7.1(2)N1(1)',
      '7.1(2)N1(1a)',
      '7.1(3)N1(1)',
      '7.1(3)N1(2)',
      '7.1(3)N1(2a)',
      '7.1(3)N1(3)',
      '7.1(3)N1(4)',
      '7.1(3)N1(5)',
      '7.1(4)N1(1)',
      '7.1(4)N1(1a)',
      '7.1(4)N1(1c)',
      '7.1(4)N1(1d)',
      '7.1(5)N1(1)',
      '7.1(5)N1(1b)',
      '7.2(0)N1(1)',
      '7.2(1)N1(1)',
      '7.3(0)N1(1)',
      '7.3(0)N1(1a)',
      '7.3(0)N1(1b)',
      '7.3(1)N1(1)',
      '7.3(2)N1(1)',
      '7.3(2)N1(1b)',
      '7.3(2)N1(1c)',
      '7.3(3)N1(1)',
      '7.3(4)N1(1)',
      '7.3(4)N1(1a)',
      '7.3(5)N1(1)',
      '7.3(6)N1(1)',
      '7.3(6)N1(1a)',
      '7.3(7)N1(1)',
      '7.3(7)N1(1a)'
      );
  }

  if (product_info.model =~ "^60[0-9][0-9]"){
    cbi = 'CSCvt67739';
    version_list = make_list(
      '6.0(2)N1(1)',
      '6.0(2)N1(1a)',
      '6.0(2)N1(2)',
      '6.0(2)N1(2a)',
      '6.0(2)N2(1)',
      '6.0(2)N2(1b)',
      '6.0(2)N2(2)',
      '6.0(2)N2(3)',
      '6.0(2)N2(4)',
      '6.0(2)N2(5)',
      '6.0(2)N2(5a)',
      '6.0(2)N2(5b)',
      '6.0(2)N2(6)',
      '6.0(2)N2(7)',
      '7.0(0)N1(1)',
      '7.0(1)N1(1)',
      '7.0(2)N1(1)',
      '7.0(3)N1(1)',
      '7.0(4)N1(1)',
      '7.0(4)N1(1a)',
      '7.0(5)N1(1)',
      '7.0(5)N1(1a)',
      '7.0(6)N1(1)',
      '7.0(6)N1(2s)',
      '7.0(6)N1(3s)',
      '7.0(6)N1(4s)',
      '7.0(7)N1(1)',
      '7.0(7)N1(1a)',
      '7.0(7)N1(1b)',
      '7.0(8)N1(1)',
      '7.0(8)N1(1a)',
      '7.1(0)N1(1)',
      '7.1(0)N1(1a)',
      '7.1(0)N1(1b)',
      '7.1(1)N1(1)',
      '7.1(1)N1(1a)',
      '7.1(2)N1(1)',
      '7.1(2)N1(1a)',
      '7.1(3)N1(1)',
      '7.1(3)N1(2)',
      '7.1(3)N1(2a)',
      '7.1(3)N1(3)',
      '7.1(3)N1(4)',
      '7.1(3)N1(5)',
      '7.1(4)N1(1)',
      '7.1(4)N1(1a)',
      '7.1(4)N1(1c)',
      '7.1(4)N1(1d)',
      '7.1(5)N1(1)',
      '7.1(5)N1(1b)',
      '7.2(0)N1(1)',
      '7.2(1)N1(1)',
      '7.3(0)N1(1)',
      '7.3(0)N1(1a)',
      '7.3(0)N1(1b)',
      '7.3(1)N1(1)',
      '7.3(2)N1(1)',
      '7.3(2)N1(1b)',
      '7.3(2)N1(1c)',
      '7.3(3)N1(1)',
      '7.3(4)N1(1)',
      '7.3(4)N1(1a)',
      '7.3(5)N1(1)',
      '7.3(6)N1(1)',
      '7.3(6)N1(1a)',
      '7.3(7)N1(1)',
      '7.3(7)N1(1a)'
      );
  
  }

  if (product_info.model =~ "^70[0-9][0-9]")
  {
    cbi = 'CSCvt66624';
    smus['7.3(6)D1(1)'] = 'CSCvt66624';
    version_list = make_list(
      '5.2(1)',
      '5.2(3)',
      '5.2(3a)',
      '5.2(4)',
      '5.2(5)',
      '5.2(7)',
      '5.2(9)',
      '5.2(9a)',
      '6.2(10)',
      '6.2(12)',
      '6.2(14)',
      '6.2(14a)',
      '6.2(14b)',
      '6.2(16)',
      '6.2(18)',
      '6.2(2)',
      '6.2(20)',
      '6.2(20a)',
      '6.2(22)',
      '6.2(24)',
      '6.2(2a)',
      '6.2(6)',
      '6.2(6a)',
      '6.2(6b)',
      '6.2(8)',
      '6.2(8a)',
      '6.2(8b)',
      '7.2(0)D1(1)',
      '7.2(1)D1(1)',
      '7.2(2)D1(1)',
      '7.2(2)D1(2)',
      '7.2(2)D1(3)',
      '7.2(2)D1(4)',
      '7.3(0)D1(1)',
      '7.3(0)DX(1)',
      '7.3(1)D1(1)',
      '7.3(2)D1(1)',
      '7.3(2)D1(1d)',
      '7.3(2)D1(2)',
      '7.3(2)D1(3)',
      '7.3(2)D1(3a)',
      '7.3(3)D1(1)',
      '7.3(4)D1(1)',
      '7.3(5)D1(1)',
      '7.3(6)D1(1)'
    );
  }

  if (product_info.model =~ "^90[0-9][0-9]")
  {
    cbi = 'CSCun53663';
    version_list = make_list(
      '6.1(2)I1(2)',
      '6.1(2)I1(3)',
      '6.1(2)I2(1)',
      '6.1(2)I2(2)',
      '6.1(2)I2(2a)',
      '6.1(2)I2(2b)',
      '6.1(2)I2(3)',
      '6.1(2)I3(1)',
      '6.1(2)I3(2)',
      '6.1(2)I3(3)',
      '6.1(2)I3(3a)',
      '7.0(3)I1(1)',
      '7.0(3)I1(1a)',
      '7.0(3)I1(1b)',
      '7.0(3)I1(1z)'
    );
  }
}

if (empty_or_null(cbi)) audit(AUDIT_HOST_NOT, 'an affected model');

if (report_paranoia < 2)
  audit(AUDIT_PARANOID);

workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info.version,
  'bug_id'   , cbi
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_versions:version_list,
  switch_only:TRUE,
  smus:smus
);

References