4.3 Medium
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
7.3 High
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.0%
According to its self-reported version, Cisco IOS XR is affected by a vulnerability.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.
#TRUSTED 2337ee8bf17cbc4cefa89fd19b0aee37fa7b5f092db5649de1f5a3e2ce259ecac35e21f074b9aa4d15a596149c0be51c77cc689f813a39f5f2c01a6f7e9cc13c72c993baf27b1d5fdcca4650c4ce7ed2f9346028693afcab5dfec74c1339b15e6ee8bfb5c42bcc3769a6eb20099cd83ade63bdca769f4fd1ff851758b8db15349850e3a77e56174627ea62c446a8b9dfe496f555310c40817977b8d85760ee7ef6669209b10cbd884786478ad88db9616eb36b520837f0eac4bb61a7633e57e81984e63651b7070dcb0896615b0d64f4ad8890c2c6dcc8c05521301bb0842ece401d4ef67a46420ff242f3f7c2f5d18f487f6f5bb9e54c27af3b6fba687f82b001318934cabbfd506c282d2ec4068dde823e16ef4ce7e6d9a7f3c9ee0adb4d45f82a0081e00682fb4a98199abae9fc3929f2d0e70a24ff422a84b47a9e3e5f625e9b00e5c15e8740c9e2e80eb80f902cd2219c3575fbc796f476311bf25efa97628feaaa1f4d683fd1bdef54b8aaa2455f8c6937c81cf64de07d4d0b6ae0aa2282b9dd23bc221654da39ae659b843ae178e408ee850e55abee9047ec0e082635828ca6e2f7ae2a0a90887fc4913cbdd11d812f14e34072777fc8456c038f5bd0dfe81745c169d809cef2ffe97bb443dada71ff280d4437a015e78d5788fa3e741c6fb14c4a42eafc7197598573ff26854ebb53aa0ecaa57d961b423bc816d9cd
#TRUST-RSA-SHA256 9cd4408e60ffa2fb6deca0512970a58f17ad38539e64e90aee2e8220e7b5bfaac45d81378010c1846ad03469e96b664480bf8b60c587cb9b7a4f54f0b563f116619d3d2060f2768316f8798c7ec9c52efd63a3e91c3a27fc924615d3a6d6164d8d0e2839fb5eea143838b2f9ff9e329a93a753134578e3cdccd92f271ec4da60005a5a655305bce463c5170ecf7b1b71524bc7ac39926df74cb0c8694d6ccacef5a1dfa9713f92f34f4688f2adc8cc96fb35d96e018802c14dd876e11b7f70106ae515e71c1b3716eeb3d946528946600a295cced737c5989bf8013dc025dfebc49f6c81c63bc9524706ea8eaca460db2f16d0923e217b2962da18dc7e4534e97522475dfed8dc23b9729cedefc63480d477a98b6ae86a3e3e73db8e718913fbaf3331dc3bf06cd70d1c375974b6d67ca155ea6e125d84d8820a46f8bee83431546295a60ac33aca25181e4784d6f337d5bc294d96164adc439e520f180f765938299667761f1ead2c6e42b0474d8727755f95a7ab091415882f59bce78683d115456baa92198dc9bcafc656948c84b296f136c8fc5d8ed06aff7b6d241a0ac9fd5e7cb422b1887827c8e9940f67551f4482bfb085ffb45218a0c2f779f3ac0efb3a86fe1b81fa6183e58a80cb729b5d133479bc06f2431349c4474a79fe9e3f1f1e6bbafa5f0660283db75a36d9b9a33c703a32537758288fcca2e31d4efb50
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(194889);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/01");
script_cve_id("CVE-2024-20319");
script_xref(name:"CISCO-BUG-ID", value:"CSCwh31469");
script_xref(name:"CISCO-SA", value:"cisco-sa-snmp-uhv6ZDeF");
script_xref(name:"IAVA", value:"2024-A-0169");
script_name(english:"Cisco IOS XR Software SNMP Management Plane Protection ACL Bypass (cisco-sa-snmp-uhv6ZDeF)");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XR is affected by a vulnerability.
- A vulnerability in the UDP forwarding code of Cisco IOS XR Software could allow an unauthenticated,
adjacent attacker to bypass configured management plane protection policies and access the Simple Network
Management Plane (SNMP) server of an affected device. This vulnerability is due to incorrect UDP
forwarding programming when using SNMP with management plane protection. An attacker could exploit this
vulnerability by attempting to perform an SNMP operation using broadcast as the destination address that
could be processed by an affected device that is configured with an SNMP server. A successful exploit
could allow the attacker to communicate to the device on the configured SNMP ports. Although an
unauthenticated attacker could send UDP datagrams to the configured SNMP port, only an authenticated user
can retrieve or modify data using SNMP requests. (CVE-2024-20319)
Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
# https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-uhv6ZDeF
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?57a27675");
# https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75299
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3206828a");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh31469");
script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwh31469");
script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-20319");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(284);
script_set_attribute(attribute:"vuln_publication_date", value:"2024/03/13");
script_set_attribute(attribute:"patch_publication_date", value:"2024/03/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/01");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("cisco_ios_xr_version.nasl");
script_require_keys("Host/Cisco/IOS-XR/Version");
exit(0);
}
include('cisco_workarounds.inc');
include('ccf.inc');
var product_info = cisco::get_product_info(name:'Cisco IOS XR');
var vuln_ranges = [
{'min_ver' : '0.0', 'fix_ver' : '7.12'},
{'min_ver' : '24.1', 'fix_ver' : '24.1.1'}
];
var workarounds = make_list(CISCO_WORKAROUNDS['generic_workaround']);
var workaround_params = [
WORKAROUND_CONFIG['management_plane'],
WORKAROUND_CONFIG['snmp-server_cmd'],
{'require_all_generic_workarounds': TRUE}
];
var fix = NULL;
// set the fixed display for version 7.11 and below
// since we can't do this by using version_max and fixed_display as we do with vcf.inc
if (product_info['version'] =~ "^[0-6]\.[0-9]{1,3}|7\.[0-9][01]")
{
fix = 'See vendor advisory';
var reporting = make_array(
'port' , product_info['port'],
'severity', SECURITY_NOTE,
'version' , product_info['version'],
'bug_id' , 'CSCwh31469',
'cmds' , make_list('show running-config control-plane management-plane', 'show running-config snmp-server'),
'fix' , fix
);
}
else
{
var reporting = make_array(
'port' , product_info['port'],
'severity', SECURITY_NOTE,
'version' , product_info['version'],
'bug_id' , 'CSCwh31469',
'cmds' , make_list('show running-config control-plane management-plane', 'show running-config snmp-server')
);
}
cisco::check_and_report(
product_info:product_info,
workarounds:workarounds,
workaround_params:workaround_params,
reporting:reporting,
vuln_ranges:vuln_ranges,
require_all_workarounds:TRUE
);
4.3 Medium
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
7.3 High
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.0%