nessus
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
CISCO-SA-SNMP-UHV6ZDEF-IOSXR.NASL
History: May 01, 2024 - 12:00 a.m.

Cisco IOS XR Software SNMP Management Plane Protection ACL Bypass (cisco-sa-snmp-uhv6ZDeF)

www.tenable.com

Tags: cisco, vulnerability, ios xr software, udp, forwarding, snmp, management plane protection, bypass, adjacent attacker, cve-2024-20319

CVSS3: 4.3 Medium
  Attack Vector: ADJACENT
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: LOW
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score: 7.3 High (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 9.0%)

According to its self-reported version, Cisco IOS XR is affected by a vulnerability.

  • A vulnerability in the UDP forwarding code of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to bypass configured management plane protection policies and access the Simple Network Management Protocol (SNMP) server of an affected device. This vulnerability is due to incorrect UDP forwarding programming when using SNMP with management plane protection. An attacker could exploit this vulnerability by attempting to perform an SNMP operation using broadcast as the destination address that could be processed by an affected device that is configured with an SNMP server. A successful exploit could allow the attacker to communicate with the device on the configured SNMP ports. Although an unauthenticated attacker could send UDP datagrams to the configured SNMP port, only an authenticated user can retrieve or modify data using SNMP requests. (CVE-2024-20319)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(194889);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/01");

  script_cve_id("CVE-2024-20319");
  script_xref(name:"CISCO-BUG-ID", value:"CSCwh31469");
  script_xref(name:"CISCO-SA", value:"cisco-sa-snmp-uhv6ZDeF");
  script_xref(name:"IAVA", value:"2024-A-0169");

  script_name(english:"Cisco IOS XR Software SNMP Management Plane Protection ACL Bypass (cisco-sa-snmp-uhv6ZDeF)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XR is affected by a vulnerability.

  - A vulnerability in the UDP forwarding code of Cisco IOS XR Software could allow an unauthenticated,
    adjacent attacker to bypass configured management plane protection policies and access the Simple Network
    Management Protocol (SNMP) server of an affected device. This vulnerability is due to incorrect UDP
    forwarding programming when using SNMP with management plane protection. An attacker could exploit this
    vulnerability by attempting to perform an SNMP operation using broadcast as the destination address that
    could be processed by an affected device that is configured with an SNMP server. A successful exploit
    could allow the attacker to communicate to the device on the configured SNMP ports. Although an
    unauthenticated attacker could send UDP datagrams to the configured SNMP port, only an authenticated user
    can retrieve or modify data using SNMP requests. (CVE-2024-20319)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-uhv6ZDeF
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?57a27675");
  # https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75299
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3206828a");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh31469");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwh31469");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-20319");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(284);

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/03/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/03/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/01");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xr_version.nasl");
  script_require_keys("Host/Cisco/IOS-XR/Version");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

var product_info = cisco::get_product_info(name:'Cisco IOS XR');

var vuln_ranges = [ 
  {'min_ver' : '0.0',   'fix_ver' : '7.12'},
  {'min_ver' : '24.1',   'fix_ver' : '24.1.1'} 
];

var workarounds = make_list(CISCO_WORKAROUNDS['generic_workaround']);
var workaround_params = [
  WORKAROUND_CONFIG['management_plane'],
  WORKAROUND_CONFIG['snmp-server_cmd'],
  {'require_all_generic_workarounds': TRUE}
];

var fix = NULL;
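// set the fixed display for version 7.11 and below
// since we can't do this by using version_max and fixed_display as we do with vcf.inc
// the alternation is grouped and anchored so that 7.0 through 7.9 match as well as 7.10 and 7.11
if (product_info['version'] =~ "^([0-6]\.[0-9]{1,3}|7\.([0-9]|1[01]))([^0-9]|$)")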
{
  fix = 'See vendor advisory';

  var reporting = make_array(
    'port'    , product_info['port'],
    'severity', SECURITY_NOTE,
    'version' , product_info['version'],
    'bug_id'  , 'CSCwh31469',
    'cmds'    , make_list('show running-config control-plane management-plane', 'show running-config snmp-server'),
    'fix'     , fix
  );
}
else 
{
  var reporting = make_array(
    'port'    , product_info['port'],
    'severity', SECURITY_NOTE,
    'version' , product_info['version'],
    'bug_id'  , 'CSCwh31469',
    'cmds'    , make_list('show running-config control-plane management-plane', 'show running-config snmp-server')
  );
}

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_ranges:vuln_ranges,
  require_all_workarounds:TRUE
);
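
The plugin's decision logic, restated in Python as an added example (this is not Tenable's code): a device is flagged only when its version falls inside the plugin's vuln_ranges and the running configuration contains both an SNMP server and a management-plane block. The configuration patterns and the sample configuration are assumptions made for illustration; the plugin's own WORKAROUND_CONFIG patterns are not shown on the page.

```python
import re

# Ranges copied from the plugin's vuln_ranges: min_ver <= version < fix_ver.
VULN_RANGES = [("0.0", "7.12"), ("24.1", "24.1.1")]

def parse_version(text):
    """'7.5.2' -> (7, 5, 2); non-numeric suffixes are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def version_in_range(version):
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in VULN_RANGES)

def exposure_config(running_config):
    """Return (has_snmp_server, has_mpp) from 'show running-config' text.
    Assumed patterns: the plugin's real WORKAROUND_CONFIG regexes are not on the page."""
    has_snmp = re.search(r"^snmp-server\s+\S", running_config, re.M) is not None
    has_mpp = re.search(r"^control-plane\s*\n\s+management-plane\b",
                        running_config, re.M) is not None
    return has_snmp, has_mpp

def assess(version, running_config):
    if not version_in_range(version):
        return "not affected (fixed version)"
    has_snmp, has_mpp = exposure_config(running_config)
    if has_snmp and has_mpp:
        return "affected"
    return "version in range, configuration not exposed"

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
snmp-server community EXAMPLE-RO RO
control-plane
 management-plane
  inband
   interface GigabitEthernet0/0/0/0
    allow SNMP peer
     address ipv4 192.0.2.10
"""

if __name__ == "__main__":
    for ver in ("7.3.2", "7.11.2", "7.12.1", "24.1.1"):
        print(ver, "->", assess(ver, SAMPLE))
```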

Vendor | Product | Version | CPE
cisco | ios_xr | | cpe:/o:cisco:ios_xr
