
Cisco IOS XR Software Cisco Discovery Protocol Remote Code Execution Vulnerability (cisco-sa-20200205-iosxr-cdp-rce)

2020-02-10 00:00:00
This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
83

8.3 High

CVSS2

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:A/AC:L/Au:N/C:C/I:C/A:C

8.8 High

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

60.1%

According to its self-reported version, the Cisco IOS XR Software is affected by a remote code execution vulnerability within the Cisco Discovery Protocol due to improper validation of string input. An unauthenticated, adjacent attacker can exploit this to bypass authentication and execute arbitrary commands with root privileges.

Please see the included Cisco bug IDs and Cisco Security Advisory for more information.

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

# Description phase: when the engine runs the plugin with `description` set,
# only the metadata below is registered and the script leaves through the
# exit(0) at the end of this block. Nothing here reads from the target.
if (description)
{
  script_id(133603);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/25");

  # Cross-references: the CVE, the Cisco bug ID and advisory, and the IAVA / CEA
  # identifiers. The CISA-KNOWN-EXPLOITED xref ties the CVE to the CISA Known
  # Exploited Vulnerabilities catalog; its value is a date (presumably the
  # catalog's remediation due date -- confirm against the catalog entry).
  script_cve_id("CVE-2020-3118");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvr09190");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20200205-iosxr-cdp-rce");
  script_xref(name:"IAVA", value:"2020-A-0041-S");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");
  script_xref(name:"CEA-ID", value:"CEA-2020-0016");
  script_xref(name:"CEA-ID", value:"CEA-2020-0129");

  script_name(english:"Cisco IOS XR Software Cisco Discovery Protocol Remote Code Execution Vulnerability (cisco-sa-20200205-iosxr-cdp-rce)");

  # Synopsis / description shown in scan results. "Self-reported version" means
  # the finding rests on the version string the device reports, not on probing
  # the Cisco Discovery Protocol service itself.
  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco IOS XR Software is affected by a remote code execution vulnerability
within the Cisco Discovery Protocol due to improper validation of string input. An unauthenticated, adjacent
attacker can exploit this to bypass authentication and execute arbitrary commands with root privileges.

Please see the included Cisco BIDs and Cisco Security Advisory for more information");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b9623904");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr09190");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvr09190.");
  # Base vectors: AV:A = the attacker must be on an adjacent network (CDP is a
  # link-local protocol), no authentication or privileges required, full C/I/A
  # impact. Temporal vectors: E:F = functional exploit code exists,
  # RL:OF / RL:O = official fix available, RC:C = report confirmed.
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3118");

  # Exploit availability flags, consistent with E:F in the temporal vectors.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/02/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/10");

  # "combined": presumably the plugin can use both remotely gathered and
  # credentialed data. In this script the SMU (patch) check only runs when
  # 'Host/local_checks_enabled' is set; otherwise only the version is compared.
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  # ACT_GATHER_INFO: information-gathering category.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Scheduling: requires cisco_ios_xr_version.nasl and the KB key it is expected
  # to populate. Without 'Host/Cisco/IOS-XR/Version' the check does not run.
  script_dependencies("cisco_ios_xr_version.nasl");
  script_require_keys("Host/Cisco/IOS-XR/Version");

  exit(0);
}

include('audit.inc');
include('cisco_workarounds.inc');
include('ccf.inc');

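# Product facts for the detected IOS XR install. This script reads the
# 'version', 'model' and 'port' entries of the returned array.
product_info = cisco::get_product_info(name:'Cisco IOS XR');

# Prefer the model stored in the KB and fall back to the one in product_info.
# The model is upper-cased here, so every substring test in the chain below
# must use an upper-case literal or it can never match.
model = get_kb_item('CISCO/model');
if (empty_or_null(model))
  model = product_info['model'];
model = toupper(model);

# Per-platform table of "release -> SMU package name" for bug CSCvr78185.
# A release listed here counts as fixed when the named package shows up in
# the installed-package output (checked later in the script). `pies` stays
# unset when the model matches no branch.
if ('ASR9' >< model && 'X64' >!< model)
{
  # 32-bit (px) ASR 9000 images.
  pies = make_array(
    '6.4.2', 'asr9k-px-6.4.2.CSCvr78185',
    '6.5.3', 'asr9k-px-6.5.3.CSCvr78185'
  );
}
else if ('ASR9' >< model)
{
  # 64-bit ASR 9000 images (model contains X64).
  pies = make_array(
    '6.5.3', 'asr9k-x64-6.5.3.CSCvr78185'
  );
}
else if ('NCS5500' >< model)
{
  pies = make_array(
    '6.5.3', 'ncs5500-6.5.3.CSCvr78185'
  );
}
else if ('NCS540' >< model && 'L' >!< model)
{
  # Excludes NCS540L, which has its own branch at the end of the chain.
  pies = make_array(
    '6.5.3', 'ncs540-6.5.3.CSCvr78185'
  );
}
else if ('NCS6' >< model)
{
  # Fix: the package name carried a leading space, which made the later
  # substring test depend on whitespace preceding the name in the output.
  pies = make_array(
    '5.2.5', 'ncs6k-5.2.5.CSCvr78185'
  );
}
else if ('XRV9' >< model || 'XRV 9' >< model)
{
  # NOTE(review): the key is release 6.6.2 but the package name embeds 6.5.3.
  # Every other entry uses the same release in both places. Confirm the
  # intended release / SMU name against the Cisco advisory before relying on
  # this entry; left unchanged here.
  pies = make_array(
    '6.6.2', 'xrv9k-6.5.3.CSCvr78185'
  );
}
else if ('NCS560' >< model)
{
  pies = make_array(
    '6.6.25', 'ncs560-6.6.25.CSCvr78185'
  );
}
else if ('CRS-PX' >< model)
{
  pies = make_array(
    '6.4.2', 'hfr-px-6.4.2.CSCvr78185'
  );
}
else if ('NCS5K' >< model)
{
  # Fix: was 'NCS5k'; a lower-case 'k' cannot occur in the upper-cased model,
  # so this branch was unreachable and the SMU was never credited.
  pies = make_array(
    '6.5.3', 'ncs5k-6.5.3.CSCvr78185'
  );
}
else if ('WHITE BOX' >< model)
{
  # Fix: was 'White box'; same upper-casing problem as the NCS5K branch.
  pies = make_array(
    '6.6.12', 'iosxrwbd-6.6.12.CSCvr78185'
  );
}
else if ('NCS540L' >< model)
{
  pies = make_array(
    '7.0.1', 'ncs540l-7.0.1.CSCvr78185'
  );
}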

# Check for patches: when the running release has an SMU entry for this
# platform, credit the SMU if it appears in the installed-package listing.
version = product_info['version'];
if (!empty_or_null(pies))
{
  smu_name = pies[version];
  if (!empty_or_null(smu_name))
  {
    # Remediation text offered if the host is reported later in the script.
    fixed_ver = version + ' with patch ' + smu_name;

    # The package listing is only consulted with credentialed (local) checks.
    # Without them the SMU state is unknown and the version-based check further
    # down decides the result.
    if (get_kb_item('Host/local_checks_enabled'))
    {
      buf = cisco_command_kb_item('Host/Cisco/Config/show_install_package_all', 'show install package all');
      # NOTE(review): this is a plain substring match on the command output.
      # It shows the package name is listed, not that the package is
      # active or committed -- confirm what this command reports.
      if (check_cisco_result(buf) && smu_name >< buf)
        audit(AUDIT_HOST_NOT, 'affected since patch '+smu_name+' is installed');
    }
  }
}

# Release ranges handed to the shared Cisco check (a first affected release
# paired with its fixed release).
# NOTE(review): the SMU table earlier in this script lists releases 5.2.5,
# 6.4.2 and 6.5.3, all below the lowest min_ver here. If check_and_report
# treats min_ver as an inclusive lower bound, those releases would never be
# reported, with or without the SMU -- confirm the ranges against the advisory.
vuln_ranges = [
  {'min_ver' : '6.6.1', 'fix_ver' : '6.6.3'},
  {'min_ver' : '6.6.25', 'fix_ver' : '7.0.2'}
];

# Workaround check keyed on 'cdp': presumably the host is only reported when
# the Cisco Discovery Protocol is configured on the device (confirm in
# cisco_workarounds.inc). No extra parameters are passed to it.
workaround_params = make_list();
workarounds = make_list(CISCO_WORKAROUNDS['cdp']);

# Remediation text: append the fixed releases to the SMU hint when one was
# set by the patch check, otherwise recommend the upgrade alone.
if (empty_or_null(fixed_ver))
  fixed_ver = 'Upgrade to 6.6.3 / 7.0.2';
else
  fixed_ver = fixed_ver + ' or upgrade to 6.6.3 / 7.0.2';

# Fields used to build the scan report entry.
reporting = make_array(
  'port', product_info['port'],
  'severity', SECURITY_HOLE,
  'version', product_info['version'],
  'bug_id', 'CSCvr09190',
  'fix', fixed_ver
);

# Shared routine: compares the version with vuln_ranges, applies the
# workaround check and reports; router_only is passed as TRUE.
cisco::check_and_report(
  product_info      : product_info,
  workarounds       : workarounds,
  workaround_params : workaround_params,
  reporting         : reporting,
  vuln_ranges       : vuln_ranges,
  router_only       : TRUE
);
Vendor | Product | Version | CPE
cisco | ios_xr | (none listed) | cpe:/o:cisco:ios_xr
