nessus | VXWORKS_CVE-2021-29997.NASL
This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.
Nov 30, 2021 - 12:00 a.m.

Wind River VxWorks < 7 Build 21.03 DoS

2021-11-30 00:00:00
This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
17

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

0.001 Low

EPSS

Percentile

42.7%

According to its self-reported version, the remote device is Wind River VxWorks 7 and it is affected by a denial of service vulnerability due to a buffer over-read in IKE. An unauthenticated, remote attacker can exploit this, by sending a specially crafted IKE packet, to cause IKE and services dependent on IKE to stop working.

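Note that Nessus has not tested for this issue but has instead relied only on the OS version. The plugin cannot determine the build number (the "21.03" part), so it flags any VxWorks 7 device, and it reports only when the scan's report paranoia is set to 2 or higher. A device that already runs a fixed build will still be reported, so check the installed build against the vendor advisory before treating a finding as confirmed.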

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

# Registration block: when `description` is set, the script only declares its
# metadata (identifiers, texts, scoring, dependencies) and exits; the version
# check further down does not run in this pass.
if (description)
{
  script_id(155732);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/12/01");

  # Advisory identifiers this finding is mapped to (CVE and IAVA).
  script_cve_id("CVE-2021-29997");
  script_xref(name:"IAVA", value:"2021-A-0504");

  script_name(english:"Wind River VxWorks < 7 Build 21.03 DoS");

  # The synopsis says "potentially affected": the check below is version-based
  # only and never exercises the IKE service.
  script_set_attribute(attribute:"synopsis", value:
"The remote VxWorks device is potentially affected by a denial of service vulnerability.");
  # NOTE(review): the published description misspells "attacker" ("attacer") and
  # "dependent" ("dependant"); the string is kept exactly as shipped.
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the remote device is Wind River VxWorks 7 and it's affected by a denial of
service vulnerability due to a buffer over-read on IKE. An unauthenticated, remote attacer can exploit this, by sending
a specially crafted IKE packet, to cause IKE and services dependant on IKE to stop working.

Note that Nessus has not tested for this issue but has instead relied only on the OS version.");
  # The see_also value is a shortened link; presumably it resolves to the
  # vendor advisory URL recorded in the comment below - confirm before relying on it.
  # https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2021-29997
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?df55bf91");
  script_set_attribute(attribute:"solution", value:
"Contact the device vendor to obtain the appropriate update.");
  # Base vectors: network-reachable, no authentication or privileges required,
  # availability impact only (no confidentiality or integrity impact).
  # Temporal vectors: exploit unproven, official fix available, report confirmed.
  # The v3 vectors are declared with the CVSS:3.0 prefix.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-29997");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  # Disclosure and patch share the same date; the plugin was published later.
  script_set_attribute(attribute:"vuln_publication_date", value:"2021/04/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/04/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/11/30");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  # The CPE names the operating system only, with no version component.
  script_set_attribute(attribute:"cpe", value:"cpe:/o:windriver:vxworks");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  # Declared as an information-gathering check.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Requires the Host/VxWorks KB key; the detection plugin listed as a
  # dependency is presumably the one that sets it.
  script_dependencies("windriver_vxworks_rtos_detect.nbin");
  script_require_keys("Host/VxWorks");

  exit(0);
}

# Version-only check: nothing is sent to the IKE service. The verdict rests on
# the KB entries written by the VxWorks detection plugin.

# Stop here unless the host was identified as VxWorks.
get_kb_item_or_exit('Host/VxWorks');

# A missing or empty version entry is normalised to the literal 'unknown'.
var version = get_kb_item('Host/VxWorks/version');
if (empty_or_null(version))
  version = 'unknown';

var ver_unknown = (version == 'unknown');
# report_paranoia is not defined in this file; presumably an include provides it.
var is_paranoid = (report_paranoia >= 2);

# Only the 7.x line is vulnerable. The pattern accepts "7" alone or "7" followed
# by a non-digit, so a value such as "70" is not matched. An unknown version is
# treated as a candidate only when the scan is paranoid.
var vuln = (ver_unknown && is_paranoid) || (version =~ "^7([^0-9]|$)");

if (!vuln)
{
  # Not a candidate: the version is either unknown (non-paranoid scan) or a
  # release other than 7.x.
  if (ver_unknown)
    audit(AUDIT_POTENTIAL_VULN, 'VxWorks');
  else
    audit(AUDIT_OS_RELEASE_NOT, 'VxWorks', version);
}
else if (!is_paranoid)
{
  # The "21.03" build component cannot be determined, so a 7.x match alone is
  # not reported as a finding unless the scan is paranoid.
  audit(AUDIT_POTENTIAL_VULN, 'VxWorks');
}
else
{
  # Paranoid scan: report the finding. A device already on a fixed build is
  # reported too, which is why the fixed version defers to the vendor advisory.
  var report = '\n    Version       : ' + version;
  report += '\n    Fixed Version : See vendor advisory';
  report += '\n';

  security_report_v4(port:0, severity:SECURITY_WARNING, extra:report);
}
Vendor | Product | Version | CPE
windriver | vxworks | - | cpe:/o:windriver:vxworks

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

0.001 Low

EPSS

Percentile

42.7%
