nessus: CISCO-SA-HTTP-FP-BP-KFDDCQHC.NASL. This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
History: May 28, 2021 - 12:00 a.m.

Multiple Cisco Products Snort HTTP Detection Engine File Policy Bypass (cisco-sa-http-fp-bp-KfDdcQhc)

2021-05-28 00:00:00
This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
16

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

5.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

6.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.2%

According to its self-reported version, Cisco IOS XE is affected by a vulnerability in the Snort detection engine due to a flaw in the handling of HTTP header parameters. An unauthenticated, remote attacker can exploit this by sending crafted HTTP packets through an affected device. A successful exploit could allow the attacker to bypass a configured file policy for HTTP packets and deliver a malicious payload.

Please see the included Cisco bug IDs and Cisco Security Advisory for more information.

#TRUSTED 1c7bf40c68b0ee71da48b1720212e28aafe0b97dd097ceb654a6eb69cdc5ad33401376ef25277c006e6348e167b3c9e38f37431dbdf08c3267f2ae4b1046db7e9701751636dca5f7a82afe71a21af7a7cd02503367e231e7334d84c77eab10229b19b4ac196b4549dcdf126ff8259fa2cfa82f3659cf16733b131f7ede7b9fae03dc97e452424334bfc67a061c5d3d6f4908b7b8dad8c1a5e476d0881dc675b3a17e5a7bd26dcb55b6c7c9b15de3c2237007374a0f36bb0c358f77b3e8daadd4b06adac54c23df90c247c782031c9b5b828b76cabcc67f21e7178a4ba20d9be28dc2ac526bf6470fbfe660e033ab196465cf9069976a564168ceb69acdb12149bb5f4d2aaece7fe704a0f7165485fa31746748b06f43781b5f96fab044a40d2859975ac3f7be937a71bbca9d31ee070e1e6523f24e80c4d33a6c32cafc00dc9685038bd0a0992cd1020b1bc18d5013dcb9976d0c8b8a28887bd70d756d761363649faf482465e19c6aad5af1a587b82fb114c43c679e4d2bcb476a822d251f19ca0b4d2c7e3ec75ae97ead043c941750dc446af44f78b7ef61e322fe6a781bed7d218fcdd1fc92b037b50f9f0899e2d052cd1a317801b417dabd53bd10e2e12a963fb244705b0d7240923d76f17d1ec2508ddca506255af17b39adc5df081e4ec96d08ef1bb23966d974c638a20e3fae37855099fccb779ba03e7e7a3d7b2950
#TRUST-RSA-SHA256 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
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');

include('compat.inc');

# Plugin metadata. This branch runs when the engine sets `description`; it only
# registers attributes and then exits, so the check logic after it is not
# executed on this path.
if (description)
{
  script_id(150058);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/03");

  # Identifiers the finding is tracked under: two CVEs, four Cisco bug IDs,
  # one IAVA notice and the Cisco advisory ID.
  script_cve_id("CVE-2021-1494", "CVE-2021-1495");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvv70864");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvw19272");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvw26645");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvw59055");
  script_xref(name:"IAVA", value:"2021-A-0249");
  script_xref(name:"CISCO-SA", value:"cisco-sa-http-fp-bp-KfDdcQhc");

  script_name(english:"Multiple Cisco Products Snort HTTP Detection Engine File Policy Bypass (cisco-sa-http-fp-bp-KfDdcQhc)");

  # The description states that the result rests on the self-reported version;
  # nothing in this file sends traffic to exercise the flaw.
  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE is affected by a vulnerability in the Snort 
  detection engine due to a flaw in the handling of HTTP header parameters. An unauthenticated, remote attacker can 
  exploit this by sending crafted HTTP packets through an affected device. A successful exploit could allow the attacker 
  to bypass a configured file policy for HTTP packets and deliver a malicious payload.

  Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-fp-bp-KfDdcQhc
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5d5152c8");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv70864");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw19272");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw26645");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvw59055");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco Advisory");
  # Base vectors: network-reachable, no authentication or privileges, and
  # integrity as the only impacted property.
  # NOTE(review): the CVSS3 vector below is version 3.0 with Scope Unchanged
  # (S:U), while the vector published with this plugin listing is
  # CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N (Scope Changed). Scope changes
  # the base score, so confirm which value is intended before using either
  # for prioritisation.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  # Of the two CVEs listed above, the score is attributed to CVE-2021-1495.
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-1495");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(668, 693);

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/04/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/04/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/05/28");

  # NOTE(review): potential_vulnerability is set, which presumably restricts
  # reporting to scans that accept unconfirmed findings. No such gate is
  # visible in this file; confirm the shared reporting routine enforces it.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Depends on the IOS XE version-detection plugin and requires its KB key, so
  # despite the "Multiple Cisco Products" title only hosts already identified
  # as running IOS XE are evaluated by this script.
  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include('ccf.inc');
include('cisco_workarounds.inc');

# Script-level variables for the model gate and the version check that follows.
var product_info, vuln_ranges, reporting, model, pattern;

# Product details for 'Cisco IOS XE Software'. The 'model', 'port' and
# 'version' entries of the result are read later in this script.
product_info = cisco::get_product_info(name:'Cisco IOS XE Software');

# Affects Multiple Cisco Devices
model = toupper(product_info['model']);
# everything is checked via uppercase
# Alternation of the model-name shapes treated as affected: ISR1xxx/ISR4xxx,
# ISAxxx, CATALYST 8xxV, CSR82xx, CATALYST 82xx/83xx, CATALYST 85xx-L (hyphen
# optional), CS1xxx and C80xx/C82xx/C83xx.
# NOTE(review): the pattern has no ^/$ anchors, so presumably a match anywhere
# in the model string qualifies. Confirm that short alternatives such as
# CS1[0-9]{3} cannot match unrelated model names and cause false positives.
pattern = "ISR[14][0-9]{3}|ISA[0-9]{3}|CATALYST 8[0-9]{2}V|CSR82[0-9]{2}|CATALYST 8[23][0-9]{2}|CATALYST 85[0-9]{2}[-]?L|CS1[0-9]{3}|C8[023][0-9]{2}";
# Hosts whose model does not match stop here with an AUDIT_HOST_NOT audit.
# NOTE(review): a host with no recorded model presumably also fails the match
# and is audited out rather than reported - TODO confirm this is the intent.
if(!pgrep(pattern:pattern, string:model))
  audit(AUDIT_HOST_NOT, 'an affected model');

# Affected release ranges, each given as a starting version and the release
# that carries the fix.
# NOTE(review): presumably min_ver is inclusive and fix_ver exclusive; the
# comparison itself lives in the shared library, not in this file.
# NOTE(review): no range covers 16.12.5 up to 17.1.0, so releases in that gap
# would not be flagged. Check this against the advisory's fixed-release table.
vuln_ranges = [
  {'min_ver' : '0.0.0',  'fix_ver': '16.12.5'},
  {'min_ver' : '17.1.0',  'fix_ver': '17.3.3'},
  {'min_ver' : '17.4.0',  'fix_ver': '17.4.1'}
];

# Configuration check applied on top of the version match. Both names are
# defined outside this file (presumably in cisco_workarounds.inc).
# NOTE(review): judging by the 'show_summary_snort' key and the 'show summary'
# command listed below, this presumably tests whether Snort is configured on
# the device, so a vulnerable release without the feature is not reported.
# Confirm what happens when the configuration cannot be read.
var workarounds = make_list(CISCO_WORKAROUNDS['generic_workaround']);
var workaround_params = WORKAROUND_CONFIG['show_summary_snort'];

# Fields handed to the reporting routine: port, severity, detected version,
# the four Cisco bug IDs, and the command whose output is cited.
reporting = make_array(
  'port'     , product_info['port'], 
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvv70864, CSCvw19272, CSCvw26645, CSCvw59055',
  'cmds'     , make_list('show summary')
);

# Everything is delegated to the shared routine; the version comparison,
# workaround evaluation and report output are not visible in this file.
cisco::check_and_report(
  product_info:product_info,
  workarounds  : workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_ranges:vuln_ranges
);
| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| cisco | ios_xe | | cpe:/o:cisco:ios_xe |
