nessus
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
CISCO-SA-DMI-ACL-BYPASS-XV8FO8VZ-IOSXE.NASL
History: Mar 28, 2024 - 12:00 a.m.

Cisco IOS XE Software NETCONF/RESTCONF IPv4 Access Control List Bypass (cisco-sa-dmi-acl-bypass-Xv8FO8Vz)

2024-03-28 00:00:00
www.tenable.com
cisco
ios xe
software
netconf
restconf
ipv4
access control list
bypass
vulnerability
remote attack
cve-2024-20316
cisco bids
security advisory
improper handling
error conditions

CVSS3: 5.8 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

AI Score: 5.9 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.0%)

According to its self-reported version, Cisco IOS-XE Software is affected by a vulnerability.

  • A vulnerability in the data model interface (DMI) services of Cisco IOS XE Software could allow an unauthenticated, remote attacker to access resources that should have been protected by a configured IPv4 access control list (ACL). This vulnerability is due to improper handling of error conditions when a successfully authorized device administrator updates an IPv4 ACL using the NETCONF or RESTCONF protocol, and the update would reorder access control entries (ACEs) in the updated ACL. An attacker could exploit this vulnerability by accessing resources that should have been protected across an affected device.
    (CVE-2024-20316)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(192655);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/05");

  script_cve_id("CVE-2024-20316");
  script_xref(name:"CISCO-BUG-ID", value:"CSCwe12169");
  script_xref(name:"CISCO-BUG-ID", value:"CSCwf92391");
  script_xref(name:"CISCO-SA", value:"cisco-sa-dmi-acl-bypass-Xv8FO8Vz");
  script_xref(name:"IAVA", value:"2024-A-0188");

  script_name(english:"Cisco IOS XE Software NETCONF/RESTCONF IPv4 Access Control List Bypass (cisco-sa-dmi-acl-bypass-Xv8FO8Vz)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS-XE Software is affected by a vulnerability.

  - A vulnerability in the data model interface (DMI) services of Cisco IOS XE Software could allow an
    unauthenticated, remote attacker to access resources that should have been protected by a configured IPv4
    access control list (ACL). This vulnerability is due to improper handling of error conditions when a
    successfully authorized device administrator updates an IPv4 ACL using the NETCONF or RESTCONF protocol,
    and the update would reorder access control entries (ACEs) in the updated ACL. An attacker could exploit
    this vulnerability by accessing resources that should have been protected across an affected device.
    (CVE-2024-20316)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dmi-acl-bypass-Xv8FO8Vz
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?af639aa5");
  # https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75056
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a1da659d");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe12169");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf92391");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCwe12169, CSCwf92391");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-20316");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(390);

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/03/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/03/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/28");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

var product_info = cisco::get_product_info(name:'Cisco IOS XE Software');

var version_list=make_list(
  '16.3.1',
  '16.3.1a',
  '16.3.2',
  '16.3.3',
  '16.3.4',
  '16.3.5',
  '16.3.5b',
  '16.3.6',
  '16.3.7',
  '16.3.8',
  '16.3.9',
  '16.3.10',
  '16.3.11',
  '16.4.1',
  '16.4.2',
  '16.4.3',
  '16.5.1',
  '16.5.1a',
  '16.5.1b',
  '16.5.2',
  '16.5.3',
  '16.6.1',
  '16.6.2',
  '16.6.3',
  '16.6.4',
  '16.6.4a',
  '16.6.4s',
  '16.6.5',
  '16.6.5a',
  '16.6.5b',
  '16.6.6',
  '16.6.7',
  '16.6.7a',
  '16.6.8',
  '16.6.9',
  '16.6.10',
  '16.7.1',
  '16.7.2',
  '16.7.3',
  '16.8.1',
  '16.8.1a',
  '16.8.1b',
  '16.8.1c',
  '16.8.1s',
  '16.8.2',
  '16.8.3',
  '16.9.1',
  '16.9.1a',
  '16.9.1b',
  '16.9.1c',
  '16.9.1d',
  '16.9.1s',
  '16.9.2',
  '16.9.2a',
  '16.9.2s',
  '16.9.3',
  '16.9.3a',
  '16.9.3h',
  '16.9.3s',
  '16.9.4',
  '16.9.4c',
  '16.9.5',
  '16.9.5f',
  '16.9.6',
  '16.9.7',
  '16.9.8',
  '16.9.8a',
  '16.9.8b',
  '16.9.8c',
  '16.10.1',
  '16.10.1a',
  '16.10.1b',
  '16.10.1e',
  '16.10.1s',
  '16.10.2',
  '16.10.3',
  '16.11.1',
  '16.11.1a',
  '16.11.1b',
  '16.11.1c',
  '16.11.1s',
  '16.11.2',
  '16.12.1',
  '16.12.1a',
  '16.12.1c',
  '16.12.1s',
  '16.12.1t',
  '16.12.2',
  '16.12.2a',
  '16.12.2s',
  '16.12.2t',
  '16.12.3',
  '16.12.3a',
  '16.12.3s',
  '16.12.4',
  '16.12.4a',
  '16.12.5',
  '16.12.5a',
  '16.12.5b',
  '16.12.6',
  '16.12.6a',
  '16.12.7',
  '16.12.8',
  '16.12.9',
  '16.12.10',
  '16.12.10a',
  '16.12.11',
  '17.1.1',
  '17.1.1a',
  '17.1.1s',
  '17.1.1t',
  '17.1.2',
  '17.1.3',
  '17.2.1',
  '17.2.1a',
  '17.2.1r',
  '17.2.1v',
  '17.2.2',
  '17.2.3',
  '17.3.1',
  '17.3.1a',
  '17.3.2',
  '17.3.2a',
  '17.3.3',
  '17.3.3a',
  '17.3.4',
  '17.3.4a',
  '17.3.4b',
  '17.3.4c',
  '17.3.5',
  '17.3.5a',
  '17.3.5b',
  '17.3.6',
  '17.3.7',
  '17.3.8',
  '17.3.8a',
  '17.4.1',
  '17.4.1a',
  '17.4.1b',
  '17.4.1c',
  '17.4.2',
  '17.4.2a',
  '17.5.1',
  '17.5.1a',
  '17.5.1b',
  '17.5.1c',
  '17.6.1',
  '17.6.1a',
  '17.6.2',
  '17.6.3',
  '17.6.3a',
  '17.6.4',
  '17.6.5',
  '17.6.5a',
  '17.6.6',
  '17.6.6a',
  '17.7.1',
  '17.7.1a',
  '17.7.1b',
  '17.7.2',
  '17.8.1',
  '17.8.1a',
  '17.9.1',
  '17.9.1a',
  '17.9.2',
  '17.9.2a',
  '17.9.3',
  '17.9.3a',
  '17.9.4',
  '17.9.4a',
  '17.10.1',
  '17.10.1a',
  '17.10.1b',
  '17.11.1',
  '17.11.1a',
  '17.11.99SW',
  '17.12.1',
  '17.12.1a',
  '17.12.2',
  '17.12.2a'
);

var workarounds = make_list(CISCO_WORKAROUNDS['generic_workaround']);
var workaround_params = [
  WORKAROUND_CONFIG['netconf'],
  WORKAROUND_CONFIG['netconf_or_restconf']
];

var reporting = make_array(
  'port'    , product_info['port'],
  'severity', SECURITY_WARNING,
  'version' , product_info['version'],
  'bug_id'  , 'CSCwe12169, CSCwf92391'
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_versions:version_list
);

Vendor | Product | Version | CPE
cisco | ios_xe | | cpe:/o:cisco:ios_xe
