Vulnerabilities > CVE-2020-3119 - Out-of-bounds Write vulnerability in Cisco Nx-Os

047910
CVSS 8.8 - HIGH
Attack vector
ADJACENT_NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
low complexity
cisco
CWE-787
nessus

Summary

A vulnerability in the Cisco Discovery Protocol implementation for Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device. The vulnerability exists because the Cisco Discovery Protocol parser does not properly validate input for certain fields in a Cisco Discovery Protocol message. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. An successful exploit could allow the attacker to cause a stack overflow, which could allow the attacker to execute arbitrary code with administrative privileges on an affected device. Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).

Vulnerable Configurations

Part Description Count
OS
Cisco
787
Hardware
Cisco
81
Application
Cisco
4

Common Weakness Enumeration (CWE)

Nessus

NASL familyCISCO
NASL idCISCO-SA-20200205-NXOS-CDP-RCE.NASL
descriptionAccording to its self-reported version, the Cisco NX-OS System Software is affected by a remote code execution vulnerability within the Cisco Discovery Protocol due to improper validation of input. An unauthenticated, adjacent attacker can exploit this to bypass authentication and execute arbitrary commands with root privileges. Please see the included Cisco BIDs and Cisco Security Advisory for more information.
last seen2020-04-03
modified2020-02-10
plugin id133604
published2020-02-10
reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/133604
titleCisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability (cisco-sa-20200205-nxos-cdp-rce)
code
#TRUSTED 3a665e7a5a1559ceb9def750ecd3e3356678f36231a0ddf8380a2448957d210fbae0456a35d2fe9c5a627d945eb56d363ca374a1d4557dbfb277fc5e127868117131e0658e63d644935a098b7da2db7adc682eefa9cecdc422bbd56fc9700dc7e68fce806965bc4ea53e177ca385f186700dc947b54540b3cee899583230ae7acab6381c914e9a25e0c184141e668225d8c70dc56d9572808e14c6cb0811101ad493409f8e763cb3a876f623aca8c085721a45b05d07e3d3e11aedb20e32bb2703886de21b47273f21bd2585bdc666ea23438c413e0a34ec1b866c70f9980e1fe3ed44dab2fc332428aad89b143423d5cae02548c62ed7c4227f9c09e45e30e67e0973f5ecb20d73ca6dbb70ca0c0d303e6b60bc497a13fbb48b0111dbedbcb7f476783176268229240431f92025fccd2e715eda378b5e59280cdeebd1c0742c85ed59c7bac49ddaebd139599b4eb26f959a6178781435898f089c8145d9fbcdf82d0d80ec10fc8deb6f5ed3a190429f8177e38ba43e0a3793555d6b9f91aebde080093a47770157a6ae2858ec108afa6ee8b248aab69855a06470764aa2518352e2c344969f0ad7178d70ec21bda8241471c4603254c91bc6d5ed73ff51e87735be19006a86f93384a18d516744e5dd5f0f8c4a1131bcdc4106b2e65e397c713b33f7dc4660c8633033d303fc26c91772f33232386829a9997cefdf8bbdb976
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(133604);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/01");

  script_cve_id("CVE-2020-3119");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvr09175");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvr09531");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20200205-nxos-cdp-rce");
  script_xref(name:"IAVA", value:"2020-A-0068");

  script_name(english:"Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability (cisco-sa-20200205-nxos-cdp-rce)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco NX-OS System Software is affected by a remote code execution
vulnerability within the Cisco Discovery Protocol due to improper validation of input. An unauthenticated, adjacent
attacker can exploit this to bypass authentication and execute arbitrary commands with root privileges.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-nxos-cdp-rce
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9811503b");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr09175");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr09531");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvr09175 and/or CSCvr09531.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3119");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/02/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/10");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_nxos_version.nasl");
  script_require_keys("Host/Cisco/NX-OS/Version", "Host/Cisco/NX-OS/Model", "Host/Cisco/NX-OS/Device", "Settings/ParanoidReport");

  exit(0);
}

include('audit.inc');
include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco NX-OS Software');



cbi = '';

if ('Nexus' >< product_info.device)
{
  if (product_info.model =~ "^3[0-9]{3}")
    cbi = 'CSCvr09175';
  else if (product_info.model =~ "^9[0-9]{3}")
    cbi = 'CSCvr09175, CSCvr09531';
}
if (empty_or_null(cbi))
  audit(AUDIT_HOST_NOT, 'an affected model');

if (report_paranoia < 2)
  audit(AUDIT_PARANOID);

version_list=make_list(
  '7.0(3)I7(1)',
  '7.0(3)I7(2)',
  '7.0(3)I7(3)',
  '7.0(3)I7(4)',
  '7.0(3)I7(5)',
  '7.0(3)I7(5a)',
  '7.0(3)I7(3z)',
  '7.0(3)I7(6)',
  '7.0(3)I7(6z)',
  '7.0(3)I7(7)',
  '7.0(3)IA7(1)',
  '7.0(3)IA7(2)',
  '7.0(3)IM7(2)',
  '9.2(1)',
  '9.2(2)',
  '9.2(2t)',
  '9.2(3)',
  '9.2(3y)',
  '9.2(4)',
  '9.2(2v)',
  '9.3(1)',
  '9.3(1z)',
  '14.0(1h)',
  '14.0(2c)',
  '14.0(3d)',
  '14.0(3c)',
  '14.1(1i)',
  '14.1(1j)',
  '14.1(1k)',
  '14.1(1l)',
  '14.1(2g)',
  '14.1(2m)',
  '14.1(2o)',
  '14.1(2s)',
  '14.1(2u)',
  '14.1(2w)',
  '14.2(1i)'
);

workarounds = make_list(CISCO_WORKAROUNDS['cdp']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_HOLE,
  'version'  , product_info.version,
  'bug_id'   , cbi
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_versions:version_list,
  switch_only:TRUE
);

The Hacker News

idTHN:A3840EA7CD9A7AFC6440CDAED21F07D8
last seen2020-02-05
modified2020-02-05
published2020-02-05
reporterThe Hacker News
sourcehttps://thehackernews.com/2020/02/cisco-cdp-vulnerabilities.html
title5 High Impact Flaws Affect Cisco Routers, Switches, IP Phones and Cameras