Vulnerabilities > CVE-2020-3120 - Integer Overflow or Wraparound vulnerability in Cisco products

047910
CVSS 6.5 - MEDIUM
Attack vector
ADJACENT_NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
low complexity
cisco
CWE-190
nessus

Summary

A vulnerability in the Cisco Discovery Protocol implementation for Cisco FXOS Software, Cisco IOS XR Software, and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to a missing check when the affected software processes Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. A successful exploit could allow the attacker to exhaust system memory, causing the device to reload. Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).

Vulnerable Configurations

Part Description Count
OS
Cisco
1071
Hardware
Cisco
140
Application
Cisco
5

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Nessus

  • NASL familyCISCO
    NASL idCISCO-SA-20200205-NXOS-CDP-DOS.NASL
    descriptionAccording to its self-reported version, the Cisco NX-OS Software is affected by a denial of service vulnerability within the Cisco Discovery Protocol due to missing a check when processing protocol messages. An unauthenticated, adjacent attacker can exploit this to cause the device to reboot. Please see the included Cisco BIDs and Cisco Security Advisory for more information
    last seen2020-06-05
    modified2020-02-14
    plugin id133722
    published2020-02-14
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133722
    titleCisco NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability (cisco-sa-20200205-fxnxos-iosxr-cdp-dos)
    code
    #TRUSTED 58a142931319cdf5a093a0d0866c685c9c011c33d42151ccdc4217b0873c9a510dfa8a070f17ff0bad1196dd8e4d31a2e1415cb223d9547be3166823c0499da452581431e7e7ea6271f1c605d21e03cc94f3ad6b2a8746a19f99236f179d35e1eb1f1d9575e0dcb7c7ed1e724bbaa97a2c11e66bc0e408af308a18826a8ce783611cbc70899f8b5e923c0a6a2cd06dd30c347115f6cc4b62ce63efac9375093acd2c78e9ff876a6f0e992d8567dd890e36a4cefad9749374e6629e77d0f9bdd19d7523d38773bd64ff512fb73beb63e02a9469d0e84066b864f1a1acc1baa281ad6b45cdffcea1d4e762a4e9df03d8aead9a511d45ecfd92e7f4200ef85d38f32568795aed919fa0c438f0868ff1b19be86d8a58cf2dc536952cdd850cb83fad4081d862593e48d73df4159c3ed1ae3d77bc878d6817e8fe74a2b316e4e717078184bcfa325455c502e6559dd3015070206db306628dc413ca1e0d6773408fd2e63ce58a3bc45762871c7d44d09793c102aac8f5f87927354f6be6723b8b0d3a0327e723db65a7b0d925e4d307df45de40bb4765ef61b5e4dfec4ee121584a68894fa973f47bdb931e5de8918a7ca2c69d5c7e768c2a1d290084c59eddbc56a19eb6c936645d33af980873fa6d575b477e360a190f932b147dd9a908d322dfb2c373cf3df155e291d02c8f5871575b35bdff692ffab29614943b8ace7eaf0c2a
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(133722);
      script_version("1.14");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2020-3120");
      script_xref(name:"CISCO-BUG-ID", value:"CSCvr14976");
      script_xref(name:"CISCO-BUG-ID", value:"CSCvr15072");
      script_xref(name:"CISCO-BUG-ID", value:"CSCvr15073");
      script_xref(name:"CISCO-BUG-ID", value:"CSCvr15078");
      script_xref(name:"CISCO-BUG-ID", value:"CSCvr15079");
      script_xref(name:"CISCO-BUG-ID", value:"CSCvr15082");
      script_xref(name:"CISCO-BUG-ID", value:"CSCvr15111");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20200205-fxnxos-iosxr-cdp-dos");
      script_xref(name:"IAVA", value:"2020-A-0059");
    
      script_name(english:"Cisco NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability (cisco-sa-20200205-fxnxos-iosxr-cdp-dos)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is missing a vendor-supplied security patch");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the Cisco NX-OS Software is affected by a denial of service vulnerability
    within the Cisco Discovery Protocol due to missing a check when processing protocol messages. An unauthenticated,
    adjacent attacker can exploit this to cause the device to reboot.
    
    Please see the included Cisco BIDs and Cisco Security Advisory for more information");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-fxnxos-iosxr-cdp-dos
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3303b2ba");
      script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr14976");
      script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15072");
      script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15073");
      script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15078");
      script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15079");
      script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15082");
      script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15111");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvr14976, CSCvr15072, CSCvr15073, CSCvr15078,
    CSCvr15079, CSCvr15082, and CSCvr15111.");
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3120");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/02/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/14");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CISCO");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("cisco_nxos_version.nasl", "cisco_enum_smu.nasl");
      script_require_keys("Host/Cisco/NX-OS/Version", "Host/Cisco/NX-OS/Model", "Host/Cisco/NX-OS/Device");
    
      exit(0);
    }
    
    include('audit.inc');
    include('cisco_workarounds.inc');
    include('ccf.inc');
    
    product_info = cisco::get_product_info(name:'Cisco NX-OS Software');
    
    cbi = '';
    
    if ('Nexus' >< product_info.device)
    {
      if (product_info.model =~ "^10[0-9][0-9]V")
        cbi = 'CSCvr15078';
      if (product_info.model =~ "^10[0-9][0-9]" && 'SV' >< toupper(product_info.model))
        cbi = 'CSCvr15078';
      if (product_info.model =~ "^3[0-9]{3}")
      {
        cbi = 'CSCvr14976';
        smus['7.0(3)I7(5a)'] = 'CSCvr09175-n9k_ALL-1.0.0';
        smus['7.0(3)I7(6)'] = 'CSCvr09175-n9k_ALL-1.0.0';
        smus['7.0(3)I7(7)'] = 'CSCvr09175-n9k_ALL-1.0.0';
      }
      if (product_info.model =~ "^9[0-9]{3}")
      {
        cbi = 'CSCvr14976, CSCvr15072';
        smus['7.0(3)I7(5a)'] = 'CSCvr09175-n9k_ALL-1.0.0';
        smus['7.0(3)I7(6)'] = 'CSCvr09175-n9k_ALL-1.0.0';
        smus['7.0(3)I7(7)'] = 'CSCvr09175-n9k_ALL-1.0.0';
      }
      if (product_info.model =~ "^(5[56]|60)[0-9][0-9]")
        cbi = 'CSCvr15079';
      if (product_info.model =~ "^70[0-9][0-9]")
      {
        cbi = 'CSCvr15073';
        smus['8.4(1)'] = 'CSCvs27997';
      }
    }
    else if ('UCS' >< product_info.device)
    {
      if (product_info.model =~ "^6[234][0-9][0-9]")
        cbi = 'CSCvr15082, CSCvr15111';
    }
    else if ('MDS' >< product_info.device)
    {
      if (product_info.model =~ "^90[0-9][0-9]")
        cbi = 'CSCvr15073';
    }
    
    if (empty_or_null(cbi)) audit(AUDIT_HOST_NOT, 'an affected model');
    
    version_list=make_list(
      '5.0(1a)',
      '5.0(1b)',
      '5.0(4)',
      '5.0(4b)',
      '5.0(4c)',
      '5.0(4d)',
      '5.0(7)',
      '5.0(8)',
      '5.0(8a)',
      '5.2(1)',
      '5.2(3a)',
      '5.2(4)',
      '5.2(5)',
      '5.2(7)',
      '5.2(9)',
      '5.2(3)',
      '5.2(9a)',
      '5.2(2)',
      '5.2(2a)',
      '5.2(2d)',
      '5.2(2s)',
      '5.2(6)',
      '5.2(6b)',
      '5.2(8)',
      '5.2(8a)',
      '5.2(6a)',
      '5.2(8b)',
      '5.2(8c)',
      '5.2(8d)',
      '5.2(8e)',
      '5.2(8f)',
      '5.2(8g)',
      '5.2(8h)',
      '5.2(8i)',
      '6.1(1)',
      '6.1(2)',
      '6.1(3)',
      '6.1(4)',
      '6.1(4a)',
      '6.1(5)',
      '6.1(5a)',
      '4.2(1)SV1(4)',
      '4.2(1)SV1(4a)',
      '4.2(1)SV1(4b)',
      '4.2(1)SV1(5.1)',
      '4.2(1)SV1(5.1a)',
      '4.2(1)SV1(5.2)',
      '4.2(1)SV1(5.2b)',
      '4.2(1)SV2(1.1)',
      '4.2(1)SV2(1.1a)',
      '4.2(1)SV2(2.1)',
      '4.2(1)SV2(2.1a)',
      '4.2(1)SV2(2.2)',
      '4.2(1)SV2(2.3)',
      '5.0(2)N1(1)',
      '5.0(2)N2(1)',
      '5.0(2)N2(1a)',
      '5.0(3)A1(1)',
      '5.0(3)A1(2)',
      '5.0(3)A1(2a)',
      '5.0(3)N1(1c)',
      '5.0(3)N1(1)',
      '5.0(3)N1(1a)',
      '5.0(3)N1(1b)',
      '5.0(3)N2(1)',
      '5.0(3)N2(2)',
      '5.0(3)N2(2a)',
      '5.0(3)N2(2b)',
      '5.0(3)U1(1)',
      '5.0(3)U1(1a)',
      '5.0(3)U1(1b)',
      '5.0(3)U1(1d)',
      '5.0(3)U1(2)',
      '5.0(3)U1(2a)',
      '5.0(3)U1(1c)',
      '5.0(3)U2(1)',
      '5.0(3)U2(2)',
      '5.0(3)U2(2a)',
      '5.0(3)U2(2b)',
      '5.0(3)U2(2c)',
      '5.0(3)U2(2d)',
      '5.0(3)U3(1)',
      '5.0(3)U3(2)',
      '5.0(3)U3(2a)',
      '5.0(3)U3(2b)',
      '5.0(3)U4(1)',
      '5.0(3)U5(1)',
      '5.0(3)U5(1a)',
      '5.0(3)U5(1b)',
      '5.0(3)U5(1c)',
      '5.0(3)U5(1d)',
      '5.0(3)U5(1e)',
      '5.0(3)U5(1f)',
      '5.0(3)U5(1g)',
      '5.0(3)U5(1h)',
      '5.0(3)U5(1i)',
      '5.0(3)U5(1j)',
      '5.1(3)N1(1)',
      '5.1(3)N1(1a)',
      '5.1(3)N2(1)',
      '5.1(3)N2(1a)',
      '5.1(3)N2(1b)',
      '5.1(3)N2(1c)',
      '5.2(1)N1(1)',
      '5.2(1)N1(1a)',
      '5.2(1)N1(1b)',
      '5.2(1)N1(2)',
      '5.2(1)N1(2a)',
      '5.2(1)N1(3)',
      '5.2(1)N1(4)',
      '5.2(1)N1(5)',
      '5.2(1)N1(6)',
      '5.2(1)N1(7)',
      '5.2(1)N1(8a)',
      '5.2(1)N1(8)',
      '5.2(1)N1(8b)',
      '5.2(1)N1(9)',
      '5.2(1)N1(9a)',
      '5.2(1)N1(9b)',
      '5.2(1)SM1(5.1)',
      '5.2(1)SM1(5.2)',
      '5.2(1)SM1(5.2a)',
      '5.2(1)SM1(5.2b)',
      '5.2(1)SM1(5.2c)',
      '5.2(1)SM3(1.1)',
      '5.2(1)SM3(1.1a)',
      '5.2(1)SM3(1.1b)',
      '5.2(1)SM3(1.1c)',
      '5.2(1)SM3(2.1)',
      '5.2(1)SV3(1.4)',
      '5.2(1)SV3(1.1)',
      '5.2(1)SV3(1.3)',
      '5.2(1)SV3(1.5a)',
      '5.2(1)SV3(1.5b)',
      '5.2(1)SV3(1.6)',
      '5.2(1)SV3(1.10)',
      '5.2(1)SV3(1.15)',
      '5.2(1)SV3(2.1)',
      '5.2(1)SV3(2.5)',
      '5.2(1)SV3(2.8)',
      '5.2(1)SV3(3.1)',
      '5.2(1)SV3(1.2)',
      '5.2(1)SV3(1.4b)',
      '5.2(1)SV3(3.15)',
      '5.2(1)SV3(4.1)',
      '5.2(1)SV3(4.1a)',
      '6.0(2)A1(1)',
      '6.0(2)A1(1a)',
      '6.0(2)A1(1b)',
      '6.0(2)A1(1c)',
      '6.0(2)A1(1d)',
      '6.0(2)A1(1e)',
      '6.0(2)A1(1f)',
      '6.0(2)A1(2d)',
      '6.0(2)A3(1)',
      '6.0(2)A3(2)',
      '6.0(2)A3(4)',
      '6.0(2)A4(1)',
      '6.0(2)A4(2)',
      '6.0(2)A4(3)',
      '6.0(2)A4(4)',
      '6.0(2)A4(5)',
      '6.0(2)A4(6)',
      '6.0(2)A6(1)',
      '6.0(2)A6(1a)',
      '6.0(2)A6(2)',
      '6.0(2)A6(2a)',
      '6.0(2)A6(3)',
      '6.0(2)A6(3a)',
      '6.0(2)A6(4)',
      '6.0(2)A6(4a)',
      '6.0(2)A6(5)',
      '6.0(2)A6(5a)',
      '6.0(2)A6(5b)',
      '6.0(2)A6(6)',
      '6.0(2)A6(7)',
      '6.0(2)A6(8)',
      '6.0(2)A7(1)',
      '6.0(2)A7(1a)',
      '6.0(2)A7(2)',
      '6.0(2)A7(2a)',
      '6.0(2)A8(1)',
      '6.0(2)A8(2)',
      '6.0(2)A8(3)',
      '6.0(2)A8(4)',
      '6.0(2)A8(4a)',
      '6.0(2)A8(5)',
      '6.0(2)A8(6)',
      '6.0(2)A8(7)',
      '6.0(2)A8(7a)',
      '6.0(2)A8(7b)',
      '6.0(2)A8(8)',
      '6.0(2)A8(9)',
      '6.0(2)A8(10a)',
      '6.0(2)A8(10)',
      '6.0(2)A8(11)',
      '6.0(2)A8(11a)',
      '6.0(2)A8(11b)',
      '6.0(2)N1(1)',
      '6.0(2)N1(2)',
      '6.0(2)N1(2a)',
      '6.0(2)N1(1a)',
      '6.0(2)N2(1)',
      '6.0(2)N2(1b)',
      '6.0(2)N2(2)',
      '6.0(2)N2(3)',
      '6.0(2)N2(4)',
      '6.0(2)N2(5)',
      '6.0(2)N2(5a)',
      '6.0(2)N2(6)',
      '6.0(2)N2(7)',
      '6.0(2)N2(5b)',
      '6.0(2)U1(1)',
      '6.0(2)U1(2)',
      '6.0(2)U1(1a)',
      '6.0(2)U1(3)',
      '6.0(2)U1(4)',
      '6.0(2)U2(1)',
      '6.0(2)U2(2)',
      '6.0(2)U2(3)',
      '6.0(2)U2(4)',
      '6.0(2)U2(5)',
      '6.0(2)U2(6)',
      '6.0(2)U3(1)',
      '6.0(2)U3(2)',
      '6.0(2)U3(3)',
      '6.0(2)U3(4)',
      '6.0(2)U3(5)',
      '6.0(2)U3(6)',
      '6.0(2)U3(7)',
      '6.0(2)U3(8)',
      '6.0(2)U3(9)',
      '6.0(2)U4(1)',
      '6.0(2)U4(2)',
      '6.0(2)U4(3)',
      '6.0(2)U4(4)',
      '6.0(2)U5(1)',
      '6.0(2)U5(2)',
      '6.0(2)U5(3)',
      '6.0(2)U5(4)',
      '6.0(2)U6(1)',
      '6.0(2)U6(2)',
      '6.0(2)U6(3)',
      '6.0(2)U6(4)',
      '6.0(2)U6(5)',
      '6.0(2)U6(6)',
      '6.0(2)U6(7)',
      '6.0(2)U6(8)',
      '6.0(2)U6(1a)',
      '6.0(2)U6(2a)',
      '6.0(2)U6(3a)',
      '6.0(2)U6(4a)',
      '6.0(2)U6(5a)',
      '6.0(2)U6(5b)',
      '6.0(2)U6(5c)',
      '6.0(2)U6(9)',
      '6.0(2)U6(10)',
      '6.1(2)I1(3)',
      '6.1(2)I1(2)',
      '6.1(2)I2(1)',
      '6.1(2)I2(2)',
      '6.1(2)I2(2a)',
      '6.1(2)I2(3)',
      '6.1(2)I2(2b)',
      '6.1(2)I3(1)',
      '6.1(2)I3(2)',
      '6.1(2)I3(3)',
      '6.1(2)I3(4)',
      '6.1(2)I3(3a)',
      '6.1(2)I3(4a)',
      '6.1(2)I3(4b)',
      '6.1(2)I3(4c)',
      '6.1(2)I3(4d)',
      '6.1(2)I3(4e)',
      '6.1(2)I3(5)',
      '6.1(2)I3(5a)',
      '6.1(2)I3(5b)',
      '6.2(2)',
      '6.2(2a)',
      '6.2(6)',
      '6.2(6b)',
      '6.2(8)',
      '6.2(8a)',
      '6.2(8b)',
      '6.2(10)',
      '6.2(12)',
      '6.2(18)',
      '6.2(16)',
      '6.2(14b)',
      '6.2(14)',
      '6.2(14a)',
      '6.2(6a)',
      '6.2(20)',
      '6.2(1)',
      '6.2(3)',
      '6.2(5)',
      '6.2(5a)',
      '6.2(5b)',
      '6.2(7)',
      '6.2(9)',
      '6.2(9a)',
      '6.2(9b)',
      '6.2(9c)',
      '6.2(11)',
      '6.2(11b)',
      '6.2(11c)',
      '6.2(11d)',
      '6.2(11e)',
      '6.2(13)',
      '6.2(13a)',
      '6.2(13b)',
      '6.2(15)',
      '6.2(17)',
      '6.2(19)',
      '6.2(21)',
      '6.2(23)',
      '6.2(20a)',
      '6.2(25)',
      '6.2(17a)',
      '6.2(22)',
      '6.2(27)',
      '7.0(0)N1(1)',
      '7.0(1)N1(1)',
      '7.0(2)N1(1)',
      '7.0(3)F1(1)',
      '7.0(3)F2(1)',
      '7.0(3)F2(2)',
      '7.0(3)F3(1)',
      '7.0(3)F3(2)',
      '7.0(3)F3(3)',
      '7.0(3)F3(3a)',
      '7.0(3)F3(4)',
      '7.0(3)F3(3c)',
      '7.0(3)F3(5)',
      '7.0(3)I1(1)',
      '7.0(3)I1(1a)',
      '7.0(3)I1(1b)',
      '7.0(3)I1(2)',
      '7.0(3)I1(3)',
      '7.0(3)I1(3a)',
      '7.0(3)I1(3b)',
      '7.0(3)I1(1z)',
      '7.0(3)I2(2a)',
      '7.0(3)I2(2b)',
      '7.0(3)I2(2c)',
      '7.0(3)I2(2d)',
      '7.0(3)I2(2e)',
      '7.0(3)I2(3)',
      '7.0(3)I2(4)',
      '7.0(3)I2(5)',
      '7.0(3)I2(1)',
      '7.0(3)I2(1a)',
      '7.0(3)I2(2)',
      '7.0(3)I2(2r)',
      '7.0(3)I2(2s)',
      '7.0(3)I2(2v)',
      '7.0(3)I2(2w)',
      '7.0(3)I2(2x)',
      '7.0(3)I2(2y)',
      '7.0(3)I3(1)',
      '7.0(3)I4(1)',
      '7.0(3)I4(2)',
      '7.0(3)I4(3)',
      '7.0(3)I4(4)',
      '7.0(3)I4(5)',
      '7.0(3)I4(6)',
      '7.0(3)I4(7)',
      '7.0(3)I4(8)',
      '7.0(3)I4(8a)',
      '7.0(3)I4(8b)',
      '7.0(3)I4(8z)',
      '7.0(3)I4(1t)',
      '7.0(3)I4(6t)',
      '7.0(3)I4(9)',
      '7.0(3)I5(1)',
      '7.0(3)I5(2)',
      '7.0(3)I5(3)',
      '7.0(3)I5(3a)',
      '7.0(3)I5(3b)',
      '7.0(3)I6(1)',
      '7.0(3)I6(2)',
      '7.0(3)I7(1)',
      '7.0(3)I7(2)',
      '7.0(3)I7(3)',
      '7.0(3)I7(4)',
      '7.0(3)I7(5)',
      '7.0(3)I7(5a)',
      '7.0(3)I7(3z)',
      '7.0(3)I7(6)',
      '7.0(3)I7(6z)',
      '7.0(3)I7(7)',
      '7.0(3)IX1(2)',
      '7.0(3)IX1(2a)',
      '7.0(3)N1(1)',
      '7.0(4)N1(1)',
      '7.0(4)N1(1a)',
      '7.0(5)N1(1)',
      '7.0(5)N1(1a)',
      '7.0(6)N1(1)',
      '7.0(6)N1(4s)',
      '7.0(6)N1(3s)',
      '7.0(6)N1(2s)',
      '7.0(7)N1(1)',
      '7.0(7)N1(1b)',
      '7.0(7)N1(1a)',
      '7.0(8)N1(1)',
      '7.0(8)N1(1a)',
      '7.1(0)N1(1a)',
      '7.1(0)N1(1b)',
      '7.1(0)N1(1)',
      '7.1(1)N1(1)',
      '7.1(1)N1(1a)',
      '7.1(2)N1(1)',
      '7.1(2)N1(1a)',
      '7.1(3)N1(1)',
      '7.1(3)N1(2)',
      '7.1(3)N1(5)',
      '7.1(3)N1(4)',
      '7.1(3)N1(3)',
      '7.1(3)N1(2a)',
      '7.1(4)N1(1)',
      '7.1(4)N1(1d)',
      '7.1(4)N1(1c)',
      '7.1(4)N1(1a)',
      '7.1(5)N1(1)',
      '7.1(5)N1(1b)',
      '7.2(0)D1(1)',
      '7.2(0)N1(1)',
      '7.2(1)D1(1)',
      '7.2(1)N1(1)',
      '7.2(2)D1(2)',
      '7.2(2)D1(1)',
      '7.2(2)D1(3)',
      '7.2(2)D1(4)',
      '7.3(0)D1(1)',
      '7.3(0)DX(1)',
      '7.3(0)DY(1)',
      '7.3(0)N1(1)',
      '7.3(0)N1(1b)',
      '7.3(0)N1(1a)',
      '7.3(1)D1(1)',
      '7.3(1)DY(1)',
      '7.3(1)N1(1)',
      '7.3(2)D1(1)',
      '7.3(2)D1(2)',
      '7.3(2)D1(3)',
      '7.3(2)D1(3a)',
      '7.3(2)D1(1d)',
      '7.3(2)N1(1)',
      '7.3(2)N1(1b)',
      '7.3(2)N1(1c)',
      '7.3(3)N1(1)',
      '8.0(1)',
      '8.1(1)',
      '8.1(2)',
      '8.1(2a)',
      '8.1(1a)',
      '8.1(1b)',
      '8.2(1)',
      '8.2(2)',
      '8.2(3)',
      '8.2(4)',
      '8.3(1)',
      '8.3(2)',
      '9.2(1)',
      '9.2(2)',
      '9.2(2t)',
      '9.2(3)',
      '9.2(3y)',
      '9.2(4)',
      '9.2(2v)',
      '7.3(4)N1(1)',
      '7.3(4)N1(1a)',
      '7.3(3)D1(1)',
      '7.0(3)IA7(1)',
      '7.0(3)IA7(2)',
      '7.0(3)IC4(4)',
      '7.0(3)IM3(1)',
      '7.0(3)IM3(2)',
      '7.0(3)IM3(2a)',
      '7.0(3)IM3(2b)',
      '7.0(3)IM3(3)',
      '7.0(3)IM7(2)',
      '7.3(4)D1(1)',
      '7.3(5)N1(1)',
      '5.2(1)SK3(1.1)',
      '5.2(1)SK3(2.1)',
      '5.2(1)SK3(2.2)',
      '5.2(1)SK3(2.2b)',
      '5.2(1)SK3(2.1a)',
      '5.2(1)SV5(1.1)',
      '5.2(1)SV5(1.2)',
      '8.4(1)',
      '9.3(1)',
      '9.3(1z)'
    );
    
    workarounds = make_list(CISCO_WORKAROUNDS['nxos_cdp']);
    workaround_params = make_list();
    
    reporting = make_array(
      'port'     , 0,
      'severity' , SECURITY_HOLE,
      'version'  , product_info.version,
      'bug_id'   , cbi
    );
    
    cisco::check_and_report(
      product_info:product_info,
      workarounds:workarounds,
      workaround_params:workaround_params,
      reporting:reporting,
      vuln_versions:version_list,
      switch_only:TRUE,
      smus:smus
    );
    
    
  • NASL familyCISCO
    NASL idCISCO-SA-20200205-FXOS-CDP-DOS.NASL
    descriptionAccording to its self-reported version, Cisco FXOS Software is affected by a denial of service vulnerability within the Cisco Discovery Protocol due to missing a check when processing protocol messages. An unauthenticated, adjacent attacker can exploit this to cause the device to reboot. Please see the included Cisco BIDs and Cisco Security Advisory for more information
    last seen2020-03-17
    modified2020-02-14
    plugin id133720
    published2020-02-14
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133720
    titleCisco FXOS Software Cisco Discovery Protocol Denial of Service Vulnerability (cisco-sa-20200205-fxnxos-iosxr-cdp-dos)
    code
    #TRUSTED 6169d38be1654233a704ae15844de0a33fc833764be3c32264d3b8750905b30e59db1172d2012e54fc1ee7f2dfa974f0ffada0de60d98b67b8a69946c549d9209e19e27c1d1172af336838fe331eeb8f0f6417b6eed4a4357ffb4400846e208f20710f5e9360009acf5225f84b1e6d69fe85af305de147f29a5db4fa351d7201cf20091126a695ec9c3d1dbd5a8b5ca4c2f64ed1e12268eca1ecc597cfbf6e6275224dc8944fd5ce0b8a4b5531094ade73e20eac5c9da970ba64ff0d685636cbb40c67fbbfc23f98c9cde80a8f966a9166c4cba346d3b77e2f4d350d19c1910c7f0488b7cac08b849c69ad87f03e89eda7d1ed82bf6daf2714d5d23d114569a81217348daa349749704c06a70f5ca08ad6054bd945ce1a0a13b95d2d29c9591c7145a4a8ab429ab09403b37e80a0a9b0b02e4069ad18e02a4bb1fd8fff00ea0dd70b3fbd17b8bfd98a2340cdfac4890b7883c4e5ce05f25cbac37e3a3ccf30ac8caeebcb22ec9c9ca8f6990ea04836dee1319629b8e8b8c2d6e1e61e524276cd0dd21ac0ebe1649e3e1943e14b65ee3ec37eb33420935c2eafa1ae3f9f06accf1983db322cf5601c0f2314247d3f3bad61a03f9bfd23250e6832eaf41c52c4a8ebb9190e22037f253eb18273580a5c9b13781d0a6dc72f86bd9f43ba0610644e3230b7b700ead540fbb29cf5de2955186eb15919e652a2c0c7d7a023b0b9b3dd
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(133720);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/18");
    
      script_cve_id("CVE-2020-3120");
      script_xref(name:"CISCO-BUG-ID", value:"CSCvr15083");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20200205-fxnxos-iosxr-cdp-dos");
      script_xref(name:"IAVA", value:"2020-A-0059");
    
      script_name(english:"Cisco FXOS Software Cisco Discovery Protocol Denial of Service Vulnerability (cisco-sa-20200205-fxnxos-iosxr-cdp-dos)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is missing a vendor-supplied security patch");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, Cisco FXOS Software is affected by a denial of service vulnerability
    within the Cisco Discovery Protocol due to missing a check when processing protocol messages. An unauthenticated,
    adjacent attacker can exploit this to cause the device to reboot.
    
    Please see the included Cisco BIDs and Cisco Security Advisory for more information");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-fxnxos-iosxr-cdp-dos
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3303b2ba");
      script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15083");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvr15083.");
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3120");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/02/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/14");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:fxos");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CISCO");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("cisco_enumerate_firepower.nbin", "cisco_asa_firepower_version.nasl");
      script_require_keys("installed_sw/FXOS");
    
      exit(0);
    }
    
    include('vcf.inc');
    include('audit.inc');
    include('cisco_workarounds.inc');
    include('ccf.inc');
    
    app_info = vcf::get_app_info(app:'FXOS');
    product_info = make_array('model' , app_info['Model'], 'version' , app_info['version'], 'name', 'FXOS');
    
    if(
      isnull(product_info['model']) ||
      product_info['model'] !~ "^(41|93)[0-9]{2}$"
    )
      audit(AUDIT_HOST_NOT, 'affected');
    
    vuln_ranges = [
      {'min_ver' : '0.0',  'fix_ver': '2.3.1.173'},
      {'min_ver' : '2.4',  'fix_ver': '2.5'},
      {'min_ver' : '2.6',  'fix_ver': '2.6.1.187'},
      {'min_ver' : '2.7',  'fix_ver': '2.7.1.106'}
    ];
    
    workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
    workaround_params = make_list();
    
    reporting = make_array(
      'port'     , 0,
      'severity' , SECURITY_HOLE,
      'version'  , product_info['version'],
      'bug_id'   , 'CSCvr15083'
    );
    
    cisco::check_and_report(
      product_info:product_info,
      workarounds:workarounds,
      workaround_params:workaround_params,
      reporting:reporting,
      vuln_ranges:vuln_ranges
    );
    
  • NASL familyCISCO
    NASL idCISCO-SA-20200205-IOSXR-CDP-DOS.NASL
    descriptionAccording to its self-reported version, the Cisco IOS XR Software is affected by a denial of service vulnerability within the Cisco Discovery Protocol due to missing a check when processing protocol messages. An unauthenticated, adjacent attacker can exploit this to cause the device to reboot. Please see the included Cisco BIDs and Cisco Security Advisory for more information
    last seen2020-05-21
    modified2020-02-14
    plugin id133721
    published2020-02-14
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133721
    titleCisco IOS XR Software Cisco Discovery Protocol Denial of Service Vulnerability (cisco-sa-20200205-fxnxos-iosxr-cdp-dos)
    code
    #TRUSTED 9f0394639ca4d55d086f9992c71ee96acd0d842594126cd69dbcb9c19a1f1f56f08ef9d0a3331efeacd7db03ad632e0ec677306c1ac712695ab4fba8505fd4a2c96b40d1060ba4e8283d1ee808f77c209e37b5487b25f70a569dd3f3ff5707c25fd6675302f33d9a731e60024131b51986738f3323cf0a33433391928eb0d634aa56ace9b707d54c1079dee2108df288918a65c8353430d868d328262e5b5c9add5596456c3a6cc9219cd8a543c005463009b29e4af9886e6f7985a6c0bf6df8df2b1e3d7106ca47546113da78d2b71347518304c15371ddca459f05074bb92ee92c103c1442fe6071166c2b9c4ed7f8f2b7ee305a0d325cae05006394a0ee9cb53c90bd73372421fdc93dd83440227bce9b28e0a0dcbc4c8b68b40667076eca8552a69515426974c5a5bd2084a19b2570978ba55eb2957972c06e65a306c34a0e70a264fed55f8c2c32773a28d8e71ee4db9960f7b58ff734ca3c935c3589db4abb6577439d780deac720736a6d820240b0a1d181f1964d7f11c1ee28f9cef29699a9c5d44768d4bd351f642e5e67a31e7d753f2fec771cafb8178ef8f602e4190e144c1c17543fc48573885afb3cfa06f2a038a4b819706bd179a8e5bcef3bd87b9d4e237742c1d0e785c5dcb3019a1fb56b8923860b95b0bf679073dae22725a3b9dce2ac4d144269f91f580bbe5e1c18cb1379ffb83d7ae731a3b89825ff
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(133721);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/20");
    
      script_cve_id("CVE-2020-3120");
      script_xref(name:"CISCO-BUG-ID", value:"CSCvr15024");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20200205-fxnxos-iosxr-cdp-dos");
      script_xref(name:"IAVA", value:"2020-A-0059");
    
      script_name(english:"Cisco IOS XR Software Cisco Discovery Protocol Denial of Service Vulnerability (cisco-sa-20200205-fxnxos-iosxr-cdp-dos)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is missing a vendor-supplied security patch");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the Cisco IOS XR Software is affected by a denial of service vulnerability
    within the Cisco Discovery Protocol due to missing a check when processing protocol messages. An unauthenticated,
    adjacent attacker can exploit this to cause the device to reboot.
    
    Please see the included Cisco BIDs and Cisco Security Advisory for more information");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-fxnxos-iosxr-cdp-dos
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3303b2ba");
      script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr15024");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvr15024.");
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3120");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/02/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/14");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CISCO");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("cisco_ios_xr_version.nasl", "cisco_enum_smu.nasl");
      script_require_keys("Host/Cisco/IOS-XR/Version");
    
      exit(0);
    }
    
    include('audit.inc');
    include('cisco_workarounds.inc');
    include('ccf.inc');
    
    product_info = cisco::get_product_info(name:'Cisco IOS XR');
    
    model = get_kb_item('CISCO/model');
    if (empty_or_null(model))
      model = product_info['model'];
    model = toupper(model);
    
    if ('ASR9' >< model && 'X64' >!< model)
    {
      smus['6.4.2'] = 'CSCvr78185';
      smus['6.5.3'] = 'CSCvr78185';
    }
    else if ('ASR9' >< model)
    {
      smus['6.5.3'] = 'CSCvr78185';
    }
    else if ('NCS5500' >< model)
    {
      smus['6.5.3'] = 'CSCvr78185';
    }
    else if ('NCS540' >< model && 'L' >!< model)
    {
      smus['6.5.3'] = 'CSCvr78185';
    }
    else if ('NCS6' >< model)
    {
      smus['5.2.5'] = 'CSCvr78185';
    }
    else if ('XRV9' >< model || 'XRV 9' >< model)
    {
      smus['6.6.2'] = 'CSCvr78185';
    }
    else if ('NCS560' >< model)
    {
      smus['6.6.25'] = 'CSCvr78185';
    }
    else if ('CRS-PX' >< model)
    {
      smus['6.4.2'] = 'CSCvr78185';
    }
    else if ('NCS5k' >< model)
    {
      smus['6.5.3'] = 'CSCvr78185';
    }
    else if ('White box' >< model)
    {
      smus['6.6.12'] = 'CSCvr78185';
    }
    else if ('NCS540L' >< model)
    {
      smus['7.0.1'] = 'CSCvr78185';
    }
    
    vuln_ranges = [
      {'min_ver' : '0', 'fix_ver' : '6.6.3'},
      {'min_ver' : '6.6.12', 'fix_ver' : '6.6.13'},
      {'min_ver' : '6.6.25', 'fix_ver' : '6.6.26'},
      {'min_ver' : '7.0.0', 'fix_ver' : '7.0.2'}
    ];
    
    workarounds = make_list(CISCO_WORKAROUNDS['cdp']);
    workaround_params = make_list();
    
    reporting = make_array(
      'port'     , 0,
      'severity' , SECURITY_HOLE,
      'version'  , product_info['version'],
      'bug_id'   , 'CSCvr15024'
    );
    
    cisco::check_and_report(
      product_info:product_info,
      workarounds:workarounds,
      workaround_params:workaround_params,
      reporting:reporting,
      vuln_ranges:vuln_ranges,
      smus:smus,
      router_only:TRUE
    );
    

The Hacker News

idTHN:A3840EA7CD9A7AFC6440CDAED21F07D8
last seen2020-02-05
modified2020-02-05
published2020-02-05
reporterThe Hacker News
sourcehttps://thehackernews.com/2020/02/cisco-cdp-vulnerabilities.html
title5 High Impact Flaws Affect Cisco Routers, Switches, IP Phones and Cameras