Cisco Catalyst 4000 Series Switch Denial of Service Vulnerability (CSCug41049 / CSCue61890)

#TRUSTED 853ed8d2c1fd01bf8b451e8b55a5f79535eb33328df7694a11077ad5872a9b504ff7587db27b21f7b279ea855af8eb1a4c1352b84151a3627ce98eee43ce0add6fe6df84d2436822236f4639a36ac7acb3664ea81c0334e39c1fbb40dab42a932025bd54219db316e6e9828aea31194bb8afe0a16dd2991c88b639636e078ddfa654604ae2647fabea3a8fb47db1a9dc0525d56aeb8f7c6daaf1a1d7096f20552936892300b8ed9ed23d714276f3dafda6e6ac5c2eabeba8104e5e7b5b4ecd7ccfebcf58898eea1c01dec0062c10ad25070ef226e3b18897ec495707032c6e9743c1d003bc3498af80c2921b8f4e823d9b17e2f5b39582e35bd1c465f04fb09daf5d51e7651cc5e08eb5f70dc857f3f827f3b11fa2d83d729532bc09a5d8ec87b9af0cf203168e1f86fb69705e5f21591245bbbfa703067bcb717472779f7f88f6d5e601f1d237d2003e97ad97bc8d621d50fb457c04be2ffff2dfff2d128db7ff7c451ec29c87a782ac8bcabe8a90f1db7910ab6296ce62a56b6f7518e0d7314a63efbb4c80e1262a9fd105a47aba5f67fb3b5ee44475912a0821110aa8024e58eb3f8155b8c8413bd21af5e5ed1414afcd3e963fa299b3dc1b1e8dca55a21fe038b013812adf3551baea3eb968c011fd1d531dd6e0cc09612634f4d6b815524831b361f61094651652d322af15f373cb69e7879ef6ecf97b96624201ccf360
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(73828);
  script_version("1.11");
  script_cvs_date("Date: 2019/11/26");

  script_cve_id("CVE-2014-2131");
  script_bugtraq_id(66515);
  script_xref(name:"CISCO-BUG-ID", value:"CSCug41049");
  script_xref(name:"CISCO-BUG-ID", value:"CSCue61890");

  script_name(english:"Cisco Catalyst 4000 Series Switch Denial of Service Vulnerability (CSCug41049 / CSCue61890)");
  script_summary(english:"Checks the IOS version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is running a vulnerable IOS version.");
  script_set_attribute(attribute:"description", value:
"The remote Cisco device potentially contains an issue which is
potentially affected by errors related to handling Virtual Switching
Systems (VSS) or Bidirectional Forwarding Detection (BFD) traffic that
could allow denial of service attacks.");
  # https://tools.cisco.com/security/center/viewAlert.x?alertId=33558
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e566a186");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/security/center/viewAlert.x?alertId=33558");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs
CSCug41049 and CSCue61890.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-2131");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/03/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/05/02");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version", "Host/Cisco/IOS/Model");

  exit(0);
}

include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");

version = get_kb_item_or_exit("Host/Cisco/IOS/Version");

flag1 = 0;
flag2 = 0;

# CSCug41049
if ( version == '15.2(1)IPI2' ) flag1++;
if ( version == '15.2(1)E' ) flag1++;

# CSCue61890
if ( version == '15.2(1)IPI2' ) flag2++;

# check model
model = get_kb_item("CISCO/model");
if (model)
{
  if (model !~ "catalyst4[0-9][0-9][0-9]") audit(AUDIT_HOST_NOT, "affected");
}
else
{
  model = get_kb_item_or_exit("Host/Cisco/IOS/Model");
  if (model !~ "(^|[^0-9])4[0-9][0-9][0-9]($|[^0-9])") audit(AUDIT_HOST_NOT, "affected");
}

if (flag1 && flag2)
  fix = 'CSCug41049 and CSCue61890';
else if (flag1 && !flag2)
  fix = 'CSCug41049';
else if (!flag1 && flag2)
  fix = 'CSCue61890';

override = FALSE;

if (get_kb_item("Host/local_checks_enabled"))
{
  if (flag1 || flag2)
  {
    flag1 = 0;
    flag2 = 0;
    # Look for BFD
    buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config", "show running-config");
    if (check_cisco_result(buf))
    {
      if (preg(string:buf, pattern:"bfd\s+interval\s+\d+\s+min_rx\s+\d+\s+multiplier\s+\d", multiline:TRUE)) { flag1 = 1; flag2 = 1; }
    }
    else if (cisco_needs_enable(buf)) { flag1 = 1; flag2 = 1; override = TRUE; }

    # Look for VSS
    buf2 = cisco_command_kb_item("Host/Cisco/Config/show_mod", "show mod");
    if (check_cisco_result(buf2))
    {
      if (preg(string:buf2, pattern:"Switch Number:\s+\d+\s+Role:\s+Virtual Switch Active", multiline:TRUE)) { flag1 = 1; flag2 = 1; override = FALSE; }
    }
    else if (cisco_needs_enable(buf2)) { flag1 = 1; flag2 = 1; override = TRUE; }
  }
}

if (flag1 || flag2)
{
  report =
    '\n  Cisco Bug ID        : ' + fix +
    '\n    Installed release : ' + version + '\n';

  security_warning(port:0, extra:report + cisco_caveat(override));
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");