From 8db69d23fde7dc39644693e40005cef34dd24be7 Mon Sep 17 00:00:00 2001
From: mailsanjayhere
Date: Sun, 1 Jun 2025 18:27:29 +0000
Subject: [PATCH 1/3] arista 2021 cves
---
CVEasy/Arista/2021/__init__.py | 0
CVEasy/Arista/2021/cve202128496.py | 70 +++++++++++++++++++++++++++
CVEasy/Arista/2021/cve202128500.py | 77 ++++++++++++++++++++++++++++++
CVEasy/Arista/2021/cve202128501.py | 62 ++++++++++++++++++++++++
CVEasy/Arista/2021/cve202128503.py | 71 +++++++++++++++++++++++++++
CVEasy/Arista/2021/cve202128504.py | 63 ++++++++++++++++++++++++
CVEasy/Arista/2021/cve202128505.py | 65 +++++++++++++++++++++++++
CVEasy/Arista/2021/cve202128506.py | 69 ++++++++++++++++++++++++++
CVEasy/Arista/2021/cve202128507.py | 77 ++++++++++++++++++++++++++++++
CVEasy/Arista/2021/cve202128508.py | 71 +++++++++++++++++++++++++++
CVEasy/Arista/2021/cve202128509.py | 71 +++++++++++++++++++++++++++
CVEasy/Arista/2021/cve202128510.py | 71 +++++++++++++++++++++++++++
CVEasy/Arista/2021/cve202128511.py | 70 +++++++++++++++++++++++++++
13 files changed, 837 insertions(+)
create mode 100644 CVEasy/Arista/2021/__init__.py
create mode 100644 CVEasy/Arista/2021/cve202128496.py
create mode 100644 CVEasy/Arista/2021/cve202128500.py
create mode 100644 CVEasy/Arista/2021/cve202128501.py
create mode 100644 CVEasy/Arista/2021/cve202128503.py
create mode 100644 CVEasy/Arista/2021/cve202128504.py
create mode 100644 CVEasy/Arista/2021/cve202128505.py
create mode 100644 CVEasy/Arista/2021/cve202128506.py
create mode 100644 CVEasy/Arista/2021/cve202128507.py
create mode 100644 CVEasy/Arista/2021/cve202128508.py
create mode 100644 CVEasy/Arista/2021/cve202128509.py
create mode 100644 CVEasy/Arista/2021/cve202128510.py
create mode 100644 CVEasy/Arista/2021/cve202128511.py
diff --git a/CVEasy/Arista/2021/__init__.py b/CVEasy/Arista/2021/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/CVEasy/Arista/2021/cve202128496.py b/CVEasy/Arista/2021/cve202128496.py
new file mode 100644
index 00000000..b691d052
--- /dev/null
+++ b/CVEasy/Arista/2021/cve202128496.py
@@ -0,0 +1,70 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202128496',
+ platform=['arista_eos'],
+ commands=dict(
+ show_version='show version',
+ show_bfd='show running-config | section bfd',
+ show_eapi='show management api http-commands'
+ ),
+)
+def rule_cve202128496(configuration, commands, device, devices):
+ """
+ This rule checks for CVE-2021-28496 vulnerability in Arista EOS devices.
+ The vulnerability allows BFD shared secret passwords to be leaked when displaying output
+ over eAPI or other JSON outputs to authenticated users on the device.
+ """
+ # Extract the version information from the command output
+ version_output = commands.show_version
+
+ # List of vulnerable software versions
+ vulnerable_versions = [
+ # 4.22.x versions (all releases)
+ '4.22.0', '4.22.12',
+ # 4.23.x versions (up to 4.23.9)
+ '4.23.0', '4.23.9',
+ # 4.24.x versions (up to 4.24.7)
+ '4.24.0', '4.24.7',
+ # 4.25.x versions (up to 4.25.4)
+ '4.25.0', '4.25.4',
+ # 4.26.x versions (up to 4.26.1)
+ '4.26.0', '4.26.1'
+ ]
+
+ # Check if the current device's software version is in the list of vulnerable versions
+ version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+ # If version is not vulnerable, no need to check further
+ if not version_vulnerable:
+ return
+
+ # Check if BFD is configured with shared secret profiles
+ bfd_config = commands.show_bfd
+ has_bfd_secrets = 'profile' in bfd_config and 'key-id' in bfd_config
+
+ # Check if eAPI is enabled
+ eapi_config = commands.show_eapi
+ eapi_enabled = 'enabled' in eapi_config.lower()
+
+ # Device is vulnerable if using BFD shared secrets and eAPI is enabled
+ is_vulnerable = has_bfd_secrets and eapi_enabled
+
+ # Assert that the device is not vulnerable
+ assert not is_vulnerable, (
+ f"Device {device.name} is vulnerable to CVE-2021-28496. "
+ "The device is running a vulnerable version AND has BFD shared secret profiles configured "
+ "with eAPI enabled, which could expose sensitive password information. "
+ "Recommended fixes:\n"
+ "1. Upgrade to one of the following fixed versions:\n"
+ " * 4.23.10 or later for 4.23.x train\n"
+ " * 4.24.8 or later for 4.24.x train\n"
+ " * 4.25.5 or later for 4.25.x train\n"
+ " * 4.26.2 or later for 4.26.x train\n"
+ "2. Or apply the appropriate hotfix:\n"
+ " * For 4.22.0 - 4.25.0: SecurityAdvisory0069Hotfix-4.22-4.25.0.swix\n"
+ " * For 4.25.1 - 4.26.1: SecurityAdvisory0069Hotfix-4.25.1-4.26.1.swix\n"
+ "3. As a workaround, restrict access to CLI show commands using role-based authorization\n"
+ "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13243-security-advisory-0069"
+ )
diff --git a/CVEasy/Arista/2021/cve202128500.py b/CVEasy/Arista/2021/cve202128500.py
new file mode 100644
index 00000000..63783aa6
--- /dev/null
+++ b/CVEasy/Arista/2021/cve202128500.py
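Review bot: `vulnerable_versions` holds only the first and last release of each train (`'4.23.0', '4.23.9'`), so a device on, say, 4.23.5 never satisfies `version in version_output` and the rule returns without checking anything; cve202128500.py uses the same two-entry lists. The substring test also errs the other way: `'4.26.1'` is contained in `4.26.10`, and the search runs over the whole `show version` output rather than the version field, which is why the fully enumerated lists in the later files of this patch flag fixed releases such as 4.23.10. Parsing the release into a numeric tuple and comparing it with per-train bounds covers both cases. The sketch needs `import re` and assumes the output carries a `Software image version:` line, which should be confirmed against collected output; the bounds are the endpoints already listed in the hunk.

```python
# Inclusive (first, last) affected release per train, from the endpoints listed in this rule.
AFFECTED_RANGES = [
    ((4, 22, 0), (4, 22, 12)),
    ((4, 23, 0), (4, 23, 9)),
    ((4, 24, 0), (4, 24, 7)),
    ((4, 25, 0), (4, 25, 4)),
    ((4, 26, 0), (4, 26, 1)),
]

def rule_cve202128496(configuration, commands, device, devices):
    # … unchanged: docstring …
    match = re.search(r'Software image version:\s*(\d+)\.(\d+)\.(\d+)', commands.show_version)
    if match is None:
        # Version not parseable: decide explicitly whether to skip or to flag the device.
        return
    release = tuple(int(part) for part in match.groups())
    version_vulnerable = any(first <= release <= last for first, last in AFFECTED_RANGES)
    # … unchanged: early return, BFD and eAPI checks, assert …
```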
@@ -0,0 +1,77 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202128500',
+ platform=['arista_eos'],
+ commands=dict(
+ show_version='show version',
+ show_users='show running-config | section username',
+ show_agents='show running-config | include openconfig|terminattr'
+ ),
+)
+def rule_cve202128500(configuration, commands, device, devices):
+ """
+ This rule checks for CVE-2021-28500 vulnerability in Arista EOS devices.
+ The vulnerability allows unrestricted access to the device for local users with nopassword
+ configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents.
+ """
+ # Extract the version information from the command output
+ version_output = commands.show_version
+
+ # List of vulnerable software versions
+ vulnerable_versions = [
+ # 4.20.x and earlier versions
+ '4.20.0', '4.20.15',
+ # 4.21.x versions
+ '4.21.0', '4.21.14M',
+ # 4.22.x versions
+ '4.22.0', '4.22.11M',
+ # 4.23.x versions
+ '4.23.0', '4.23.8M',
+ # 4.24.x versions
+ '4.24.0', '4.24.6M',
+ # 4.25.x versions
+ '4.25.0', '4.25.4M',
+ # 4.26.x versions
+ '4.26.0', '4.26.1F'
+ ]
+
+ # Check if the current device's software version is in the list of vulnerable versions
+ version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+ # If version is not vulnerable, no need to check further
+ if not version_vulnerable:
+ return
+
+ # Check if any users are configured with nopassword
+ users_config = commands.show_users
+ has_nopassword_users = 'nopassword' in users_config
+
+ # Check if OpenConfig or TerminAttr agents are enabled
+ agents_config = commands.show_agents
+ agents_enabled = 'openconfig' in agents_config or 'terminattr' in agents_config
+
+ # Device is vulnerable if it has nopassword users and agents enabled
+ is_vulnerable = has_nopassword_users and agents_enabled
+
+ # Assert that the device is not vulnerable
+ assert not is_vulnerable, (
+ f"Device {device.name} is vulnerable to CVE-2021-28500. "
+ "The device is running a vulnerable version AND has local users with nopassword configuration "
+ "while OpenConfig/TerminAttr agents are enabled, which could allow unrestricted access. "
+ "Recommended fixes:\n"
+ "1. Upgrade to one of the following fixed versions:\n"
+ " * 4.26.2F or later for 4.26.x train\n"
+ " * 4.25.5M or later for 4.25.x train\n"
+ " * 4.24.7M or later for 4.24.x train\n"
+ " * 4.23.9M or later for 4.23.x train\n"
+ " * 4.22.12M or later for 4.22.x train\n"
+ " * 4.21.15M or later for 4.21.x train\n"
+ "2. Until upgrade is complete, implement these workarounds:\n"
+ " * Remove nopassword configuration for local users\n"
+ " * Or apply the appropriate hotfix:\n"
+ " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n"
+ " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n"
+ "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071"
+ )
diff --git a/CVEasy/Arista/2021/cve202128501.py b/CVEasy/Arista/2021/cve202128501.py
new file mode 100644
index 00000000..17d0f617
--- /dev/null
+++ b/CVEasy/Arista/2021/cve202128501.py
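Review bot: The agent check `'openconfig' in agents_config or 'terminattr' in agents_config` is case-sensitive, while cve202128509.py in this same patch lowercases the output before testing for `terminattr`. If the running-config spells the agents the way the assert message does (`OpenConfig`, `TerminAttr`), both the device-side filter `include openconfig|terminattr` and this test can miss them, and the rule then passes a device that has nopassword users and the agents running. I would lowercase here as well, `agents_config = commands.show_agents.lower()`, and confirm on a device that the `include` pattern matches the configured spelling. A comment next to the check stating which configuration line is expected to match would make the intent reviewable.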
@@ -0,0 +1,62 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202128501',
+ platform=['arista_eos'],
+ commands=dict(
+ show_version='show version',
+ show_terminattr='show running-config | include terminattr',
+ show_openconfig='show running-config | include openconfig',
+ show_users='show running-config | section username'
+ ),
+)
+def rule_cve202128501(configuration, commands, device, devices):
+ """
+ This rule checks for CVE-2021-28501 vulnerability in Arista EOS devices.
+ The vulnerability allows unrestricted access to the device for local users with nopassword
+ configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents.
+ """
+ # Extract the version information from the command output
+ version_output = commands.show_version
+
+ # List of vulnerable software versions
+ vulnerable_versions = [
+ # TerminAttr versions before 1.16.2
+ '1.15.0', '1.15.1', '1.15.2', '1.15.3',
+ '1.16.0', '1.16.1'
+ ]
+
+ # Check if the current device's software version is in the list of vulnerable versions
+ version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+ # If version is not vulnerable, no need to check further
+ if not version_vulnerable:
+ return
+
+ # Check if TerminAttr or OpenConfig agents are enabled
+ terminattr_config = commands.show_terminattr
+ openconfig_config = commands.show_openconfig
+ agents_enabled = bool(terminattr_config or openconfig_config)
+
+ # Check if any users are configured with nopassword
+ users_config = commands.show_users
+ has_nopassword_users = 'nopassword' in users_config
+
+ # Device is vulnerable if agents are enabled and has nopassword users
+ is_vulnerable = agents_enabled and has_nopassword_users
+
+ # Assert that the device is not vulnerable
+ assert not is_vulnerable, (
+ f"Device {device.name} is vulnerable to CVE-2021-28501. "
+ "The device is running a vulnerable version of TerminAttr AND has local users with nopassword configuration "
+ "while OpenConfig/TerminAttr agents are enabled, which could allow unrestricted access. "
+ "Recommended fixes:\n"
+ "1. Upgrade to TerminAttr v1.16.2 or later\n"
+ "2. Until upgrade is complete, implement these workarounds:\n"
+ " * Disable OpenConfig gNMI/gNOI and OpenConfig RESTCONF and TerminAttr\n"
+ " * Or apply the appropriate hotfix with proxy service:\n"
+ " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n"
+ " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n"
+ "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071"
+ )
diff --git a/CVEasy/Arista/2021/cve202128503.py b/CVEasy/Arista/2021/cve202128503.py
new file mode 100644
index 00000000..37aa45b7
--- /dev/null
+++ b/CVEasy/Arista/2021/cve202128503.py
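Review bot: The entries in `vulnerable_versions` are TerminAttr releases (`'1.15.0'` to `'1.16.1'`), but they are searched for in `commands.show_version`, the output of `show version`, which reports the EOS image. Nothing in the hunk shows that this output contains the TerminAttr version; if it does not, `version_vulnerable` is always false and the rule silently passes every device, and if some unrelated field happens to contain `1.15.0` it fires for the wrong reason. The rule should collect a command whose output names the installed TerminAttr package (possibly `show version detail`, to be confirmed on a device) and match against that line only. The list also starts at 1.15.0 although the comment says "before 1.16.2", so older TerminAttr releases are not covered.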
@@ -0,0 +1,71 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202128503',
+ platform=['arista_eos'],
+ commands=dict(
+ show_version='show version',
+ show_eapi='show management api http-commands',
+ show_cert_auth='show running-config | include certificate user'
+ ),
+)
+def rule_cve202128503(configuration, commands, device, devices):
+ """
+ This rule checks for CVE-2021-28503 vulnerability in Arista EOS devices.
+ The vulnerability allows remote attackers to bypass authentication when certificate-based
+ authentication is used with eAPI, due to improper credential re-evaluation.
+ """
+ # Extract the version information from the command output
+ version_output = commands.show_version
+
+ # List of vulnerable software versions
+ vulnerable_versions = [
+ # 4.23.x versions before 4.23.10
+ '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4',
+ '4.23.5', '4.23.6', '4.23.7', '4.23.8', '4.23.9',
+ # 4.24.x versions before 4.24.8
+ '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4',
+ '4.24.5', '4.24.6', '4.24.7',
+ # 4.25.x versions before 4.25.6
+ '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5',
+ # 4.26.x versions before 4.26.3
+ '4.26.0', '4.26.1', '4.26.2'
+ ]
+
+ # Check if the current device's software version is in the list of vulnerable versions
+ version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+ # If version is not vulnerable, no need to check further
+ if not version_vulnerable:
+ return
+
+ # Check if eAPI is enabled
+ eapi_config = commands.show_eapi
+ eapi_enabled = 'enabled' in eapi_config.lower()
+
+ # Check if certificate-based authentication is configured
+ cert_config = commands.show_cert_auth
+ cert_auth_enabled = 'certificate user' in cert_config
+
+ # Device is vulnerable if both eAPI and certificate auth are enabled
+ is_vulnerable = eapi_enabled and cert_auth_enabled
+
+ # Assert that the device is not vulnerable
+ assert not is_vulnerable, (
+ f"Device {device.name} is vulnerable to CVE-2021-28503. "
+ "The device is running a vulnerable version AND has eAPI enabled with certificate-based authentication, "
+ "which could allow remote attackers to bypass authentication. "
+ "Recommended fixes:\n"
+ "1. Upgrade to one of the following fixed versions:\n"
+ " * 4.26.3 or later for 4.26.x train\n"
+ " * 4.25.6 or later for 4.25.x train\n"
+ " * 4.24.8 or later for 4.24.x train\n"
+ " * 4.23.10 or later for 4.23.x train\n"
+ "2. Until upgrade is complete, implement this workaround:\n"
+ " * Disable certificate-based authentication for eAPI:\n"
+ " switch(config)#management security\n"
+ " switch(config-mgmt-security)#ssl profile profileEAPI\n"
+ " switch(config-mgmt-sec-ssl-profile-profileEAPI)#no trust certificate user.cert\n"
+ "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13605-security-advisory-0072"
+ )
diff --git a/CVEasy/Arista/2021/cve202128504.py b/CVEasy/Arista/2021/cve202128504.py
new file mode 100644
index 00000000..aa5d6924
--- /dev/null
+++ b/CVEasy/Arista/2021/cve202128504.py
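Review bot: The certificate check appears to key on a sample file name rather than on the feature: `show running-config | include certificate user` and `'certificate user' in cert_config` match a line such as `trust certificate user.cert`, which is the example name used in the workaround text of the assert message. A device that trusts a client certificate stored under any other file name would be reported as not vulnerable. Collecting `show running-config | section management security` and testing `'trust certificate' in cert_config` would not depend on the name; ideally the rule would also confirm that the SSL profile is the one bound to eAPI. The workaround text hard-codes `profileEAPI` and `user.cert` in the same way and should say they are examples.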
@@ -0,0 +1,63 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202128504',
+ platform=['arista_eos'],
+ commands=dict(
+ show_version='show version',
+ show_tcam='show hardware tcam profile',
+ show_acl='show running-config | section ip access-list'
+ ),
+)
+def rule_cve202128504(configuration, commands, device, devices):
+ """
+ This rule checks for CVE-2021-28504 vulnerability in Arista EOS devices.
+ The vulnerability occurs on Strata family products when TCAM profile is enabled and
+ port IPv4 access-lists contain rules matching VXLAN protocol, causing subsequent rules
+ to not match IP protocol fields as expected.
+ """
+ # Extract the version information from the command output
+ version_output = commands.show_version
+
+ # List of vulnerable software versions
+ vulnerable_versions = [
+ # 4.26.x versions before 4.26.4F
+ '4.26.0', '4.26.1F', '4.26.2F', '4.26.3F',
+ # 4.27.x versions before 4.27.1M
+ '4.27.0F'
+ ]
+
+ # Check if the current device's software version is in the list of vulnerable versions
+ version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+ # If version is not vulnerable, no need to check further
+ if not version_vulnerable:
+ return
+
+ # Check if TCAM profile feature is enabled
+ tcam_output = commands.show_tcam
+ tcam_enabled = 'Profile:' in tcam_output
+
+ # Check if any ACL has VXLAN protocol matching
+ acl_config = commands.show_acl
+ has_vxlan_acl = 'protocol vxlan' in acl_config.lower()
+
+ # Device is vulnerable if TCAM profile is enabled and has VXLAN protocol matching in ACLs
+ is_vulnerable = tcam_enabled and has_vxlan_acl
+
+ # Assert that the device is not vulnerable
+ assert not is_vulnerable, (
+ f"Device {device.name} is vulnerable to CVE-2021-28504. "
+ "The device is running a vulnerable version AND has TCAM profile enabled with ACLs matching VXLAN protocol, "
+ "which could cause subsequent ACL rules to not match IP protocol fields correctly. "
+ "Recommended fixes:\n"
+ "1. Upgrade to one of the following fixed versions:\n"
+ " * 4.26.4F or later for 4.26.x train\n"
+ " * 4.27.1M or later for 4.27.x train\n"
+ "2. Until upgrade is complete, implement this workaround:\n"
+ " * Replace 'protocol vxlan' matches in ACLs with:\n"
+ " - protocol udp\n"
+ " - destination port 4789 (or configured VXLAN port)\n"
+ "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073"
+ )
diff --git a/CVEasy/Arista/2021/cve202128505.py b/CVEasy/Arista/2021/cve202128505.py
new file mode 100644
index 00000000..cd024844
--- /dev/null
+++ b/CVEasy/Arista/2021/cve202128505.py
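Review bot: The docstring limits CVE-2021-28504 to Strata family products, but the rule is registered for every `arista_eos` device and never looks at the hardware model, so other platforms on the listed releases with a TCAM profile and a VXLAN ACL are flagged as well. `tcam_enabled = 'Profile:' in tcam_output` also only shows that the command printed a profile header, not that the feature is enabled; what `show hardware tcam profile` prints on a platform without the feature should be checked. I would add a model test against the `show version` output that is already collected, with the affected model list taken from the advisory, and state in the docstring which line of the TCAM output is taken as proof of the feature.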
@@ -0,0 +1,65 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202128505',
+ platform=['arista_eos'],
+ commands=dict(
+ show_version='show version',
+ show_acl='show running-config | section ip access-list',
+ show_interfaces='show running-config | section interface'
+ ),
+)
+def rule_cve202128505(configuration, commands, device, devices):
+ """
+ This rule checks for CVE-2021-28505 vulnerability in Arista EOS devices.
+ The vulnerability occurs when VXLAN match rules in IPv4 access-lists are applied to
+ ingress L2/L3 ports or SVIs, causing subsequent ACL rules to ignore IP protocol fields.
+ """
+ # Extract the version information from the command output
+ version_output = commands.show_version
+
+ # List of vulnerable software versions
+ vulnerable_versions = [
+ # 4.26.x versions before 4.26.4M
+ '4.26.0', '4.26.1F', '4.26.2F', '4.26.3M',
+ # 4.27.x versions before 4.27.1F
+ '4.27.0F'
+ ]
+
+ # Check if the current device's software version is in the list of vulnerable versions
+ version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+ # If version is not vulnerable, no need to check further
+ if not version_vulnerable:
+ return
+
+ # Check if any ACL has VXLAN protocol matching
+ acl_config = commands.show_acl
+ has_vxlan_acl = 'protocol vxlan' in acl_config.lower()
+
+ # Check if ACLs are applied to ingress L2/L3 ports or SVIs
+ interface_config = commands.show_interfaces
+ has_ingress_acl = any(keyword in interface_config.lower() for keyword in [
+ 'ip access-group',
+ 'ipv4 access-group'
+ ])
+
+ # Device is vulnerable if it has VXLAN ACLs applied to ingress interfaces
+ is_vulnerable = has_vxlan_acl and has_ingress_acl
+
+ # Assert that the device is not vulnerable
+ assert not is_vulnerable, (
+ f"Device {device.name} is vulnerable to CVE-2021-28505. "
+ "The device is running a vulnerable version AND has VXLAN match rules in IPv4 ACLs "
+ "applied to ingress interfaces, which could cause subsequent rules to ignore IP protocol fields. "
+ "Recommended fixes:\n"
+ "1. Upgrade to one of the following fixed versions:\n"
+ " * 4.26.4M or later for 4.26.x train\n"
+ " * 4.27.1F or later for 4.27.x train\n"
+ "2. Until upgrade is complete, implement this workaround:\n"
+ " * Replace 'protocol vxlan' matches in ACLs with:\n"
+ " - protocol udp\n"
+ " - destination port 4789 (or configured VXLAN port)\n"
+ "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073"
+ )
diff --git a/CVEasy/Arista/2021/cve202128506.py b/CVEasy/Arista/2021/cve202128506.py
new file mode 100644
index 00000000..96f10034
--- /dev/null
+++ b/CVEasy/Arista/2021/cve202128506.py
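Review bot: `has_vxlan_acl` and `has_ingress_acl` are two independent substring tests, so the rule fires when any ACL contains `protocol vxlan` and any interface has any `ip access-group`, even if the VXLAN ACL is not the one applied or the binding is egress. The docstring describes the condition as a VXLAN-matching ACL applied to ingress ports or SVIs. Collecting the names of the ACLs whose section contains the VXLAN match and then looking for `ip access-group <name> in` in the interface sections would tie the two together. This file also lists `'4.26.3M'` with fixed releases `4.26.4M`/`4.27.1F`, where cve202128504.py, citing the same advisory, has `'4.26.3F'`, `4.26.4F` and `4.27.1M`; because the match is on the literal string, one of the two rules cannot match 4.26.3, so the letters should be checked against the advisory.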
@@ -0,0 +1,69 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202128506',
+ platform=['arista_eos'],
+ commands=dict(
+ show_version='show version',
+ show_gnmi='show management api gnmi',
+ show_restconf='show management api restconf',
+ show_gnoi='show management api gnoi'
+ ),
+)
+def rule_cve202128506(configuration, commands, device, devices):
+ """
+ This rule checks for CVE-2021-28506 vulnerability in Arista EOS devices.
+ The vulnerability allows unauthenticated attackers to bypass authentication in gNOI APIs,
+ potentially allowing factory reset of the device.
+ """
+ # Extract the version information from the command output
+ version_output = commands.show_version
+
+ # List of vulnerable software versions
+ vulnerable_versions = [
+ # 4.24.x versions before 4.24.8M
+ '4.24.0', '4.24.1F', '4.24.2F', '4.24.3M', '4.24.4M', '4.24.5M', '4.24.6M', '4.24.7M',
+ # 4.25.x versions before 4.25.6M
+ '4.25.0', '4.25.1M', '4.25.2M', '4.25.3M', '4.25.4M', '4.25.5M',
+ # 4.26.x versions before 4.26.3M
+ '4.26.0', '4.26.1F', '4.26.2F'
+ ]
+
+ # Check if the current device's software version is in the list of vulnerable versions
+ version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+ # If version is not vulnerable, no need to check further
+ if not version_vulnerable:
+ return
+
+ # Check if any of the vulnerable APIs are enabled
+ gnmi_config = commands.show_gnmi
+ restconf_config = commands.show_restconf
+ gnoi_config = commands.show_gnoi
+
+ apis_enabled = any([
+ 'enabled' in gnmi_config.lower(),
+ 'enabled' in restconf_config.lower(),
+ 'enabled' in gnoi_config.lower()
+ ])
+
+ # Device is vulnerable if running affected version and has APIs enabled
+ is_vulnerable = version_vulnerable and apis_enabled
+
+ # Assert that the device is not vulnerable
+ assert not is_vulnerable, (
+ f"Device {device.name} is vulnerable to CVE-2021-28506. "
+ "The device is running a vulnerable version AND has gNMI/gNOI/RESTCONF APIs enabled, "
+ "which could allow unauthenticated attackers to bypass authentication and factory reset the device. "
+ "Recommended fixes:\n"
+ "1. Upgrade to one of the following fixed versions:\n"
+ " * 4.26.3M or later for 4.26.x train\n"
+ " * 4.25.6M or later for 4.25.x train\n"
+ " * 4.24.8M or later for 4.24.x train\n"
+ "2. Until upgrade is complete, implement this workaround:\n"
+ " * Apply the appropriate hotfix with proxy service:\n"
+ " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n"
+ " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n"
+ "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071"
+ )
diff --git a/CVEasy/Arista/2021/cve202128507.py b/CVEasy/Arista/2021/cve202128507.py
new file mode 100644
index 00000000..77814911
--- /dev/null
+++ b/CVEasy/Arista/2021/cve202128507.py
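Review bot: `'enabled' in gnmi_config.lower()` and its RESTCONF and gNOI siblings are true whenever the word appears anywhere in the output, so a status line reading `Enabled: No`, if that is what the command prints for a stopped service, still counts as enabled. The same test guards eAPI in cve202128496.py and cve202128503.py and RESTCONF in cve202128507.py. Matching the value instead of the label is safer, for example `re.search(r'^\s*enabled:\s*yes', gnmi_config, re.I | re.M)` with `import re`, once the exact label has been confirmed against real output. Separately, `is_vulnerable = version_vulnerable and apis_enabled` re-tests a flag that is always true after the early return (cve202128510.py does the same); `is_vulnerable = apis_enabled` is equivalent.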
@@ -0,0 +1,77 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202128507',
+ platform=['arista_eos'],
+ commands=dict(
+ show_version='show version',
+ show_openconfig='show running-config | include openconfig',
+ show_restconf='show management api restconf',
+ show_acl='show running-config | section service-acl'
+ ),
+)
+def rule_cve202128507(configuration, commands, device, devices):
+ """
+ This rule checks for CVE-2021-28507 vulnerability in Arista EOS devices.
+ The vulnerability allows service ACL bypass in OpenConfig gNOI and RESTCONF APIs,
+ which could result in denied requests being forwarded to the agent.
+ """
+ # Extract the version information from the command output
+ version_output = commands.show_version
+
+ # List of vulnerable software versions
+ vulnerable_versions = [
+ # 4.21.x and earlier versions
+ '4.21.', '4.20.', '4.19.', '4.18.',
+ # 4.22.x versions
+ '4.22.0', '4.22.1', '4.22.2', '4.22.3',
+ # 4.23.x versions before 4.23.10M
+ '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4',
+ '4.23.5', '4.23.6', '4.23.7', '4.23.8', '4.23.9',
+ # 4.24.x versions before 4.24.8M
+ '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4',
+ '4.24.5', '4.24.6', '4.24.7',
+ # 4.25.x versions before 4.25.6M
+ '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5',
+ # 4.26.x versions before 4.26.3M
+ '4.26.0', '4.26.1', '4.26.2'
+ ]
+
+ # Check if the current device's software version is in the list of vulnerable versions
+ version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+ # If version is not vulnerable, no need to check further
+ if not version_vulnerable:
+ return
+
+ # Check if OpenConfig or RESTCONF is enabled
+ openconfig_config = commands.show_openconfig
+ restconf_config = commands.show_restconf
+ apis_enabled = bool(openconfig_config or 'enabled' in restconf_config.lower())
+
+ # Check if service ACLs are configured
+ acl_config = commands.show_acl
+ has_service_acl = 'service-acl' in acl_config
+
+ # Device is vulnerable if APIs are enabled and using service ACLs
+ is_vulnerable = apis_enabled and has_service_acl
+
+ # Assert that the device is not vulnerable
+ assert not is_vulnerable, (
+ f"Device {device.name} is vulnerable to CVE-2021-28507. "
+ "The device is running a vulnerable version AND has OpenConfig/RESTCONF APIs enabled with service ACLs, "
+ "which could allow denied requests to bypass ACLs and reach the agent. "
+ "Recommended fixes:\n"
+ "1. Upgrade to one of the following fixed versions:\n"
+ " * 4.26.3M or later for 4.26.x train\n"
+ " * 4.25.6M or later for 4.25.x train\n"
+ " * 4.24.8M or later for 4.24.x train\n"
+ " * 4.23.10M or later for 4.23.x train\n"
+ "2. Until upgrade is complete, implement these workarounds:\n"
+ " * Disable OpenConfig gNMI/gNOI and OpenConfig RESTCONF\n"
+ " * Or apply the appropriate hotfix with proxy service:\n"
+ " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n"
+ " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n"
+ "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071"
+ )
diff --git a/CVEasy/Arista/2021/cve202128508.py b/CVEasy/Arista/2021/cve202128508.py
new file mode 100644
index 00000000..b7256b90
--- /dev/null
+++ b/CVEasy/Arista/2021/cve202128508.py
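Review bot: The 4.22 entries stop at `'4.22.3'` although the comment says "4.22.x versions", so 4.22.4 through 4.22.9 are not matched, and 4.22.10 to 4.22.12 are caught only because `'4.22.1'` happens to be a substring of them. The open-ended entries `'4.21.'`, `'4.20.'`, `'4.19.'` and `'4.18.'` are searched for anywhere in the `show version` text, so any build or hardware string containing those characters marks the device as affected, while trains older than 4.18 are not listed despite the "and earlier" comment. The assert message gives no fixed release for 4.22 and earlier, so an operator on those trains gets a finding without an upgrade target. A comment stating the intended lower bound, and a message line for the older trains taken from the advisory, would close the gap.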
@@ -0,0 +1,71 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202128508',
+ platform=['arista_eos'],
+ commands=dict(
+ show_version='show version',
+ show_terminattr='show running-config | include terminattr',
+ show_ipsec='show running-config | section crypto ipsec'
+ ),
+)
+def rule_cve202128508(configuration, commands, device, devices):
+ """
+ This rule checks for CVE-2021-28508 vulnerability in Arista EOS devices.
+ The vulnerability allows TerminAttr to leak IPsec sensitive data in clear text to CVP,
+ which could allow authorized users to decrypt or modify IPsec traffic.
+ """
+ # Extract the version information from the command output
+ version_output = commands.show_version
+
+ # List of vulnerable software versions
+ vulnerable_versions = [
+ # 4.23.x versions before 4.23.11
+ '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', '4.23.5',
+ '4.23.6', '4.23.7', '4.23.8', '4.23.9', '4.23.10',
+ # 4.24.x versions before 4.24.10
+ '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5',
+ '4.24.6', '4.24.7', '4.24.8', '4.24.9',
+ # 4.25.x versions before 4.25.8
+ '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5',
+ '4.25.6', '4.25.7',
+ # 4.26.x versions before 4.26.6
+ '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4', '4.26.5',
+ # 4.27.x versions before 4.27.2
+ '4.27.0', '4.27.1'
+ ]
+
+ # Check if the current device's software version is in the list of vulnerable versions
+ version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+ # If version is not vulnerable, no need to check further
+ if not version_vulnerable:
+ return
+
+ # Check if TerminAttr is enabled
+ terminattr_config = commands.show_terminattr
+ terminattr_enabled = bool(terminattr_config)
+
+ # Check if IPsec is configured
+ ipsec_config = commands.show_ipsec
+ ipsec_configured = bool(ipsec_config)
+
+ # Device is vulnerable if both TerminAttr and IPsec are enabled
+ is_vulnerable = terminattr_enabled and ipsec_configured
+
+ # Assert that the device is not vulnerable
+ assert not is_vulnerable, (
+ f"Device {device.name} is vulnerable to CVE-2021-28508. "
+ "The device is running a vulnerable version AND has both TerminAttr and IPsec enabled, "
+ "which could allow IPsec sensitive data to leak in clear text to CVP. "
+ "Recommended fixes:\n"
+ "1. Upgrade to one of the following fixed versions:\n"
+ " * 4.27.2 or later for 4.27.x train\n"
+ " * 4.26.6 or later for 4.26.x train\n"
+ " * 4.25.8 or later for 4.25.x train\n"
+ " * 4.24.10 or later for 4.24.x train\n"
+ "2. Until upgrade is complete, implement this workaround:\n"
+ " * Disable TerminAttr agent\n"
+ "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077"
+ )
diff --git a/CVEasy/Arista/2021/cve202128509.py b/CVEasy/Arista/2021/cve202128509.py
new file mode 100644
index 00000000..a577c7c3
--- /dev/null
+++ b/CVEasy/Arista/2021/cve202128509.py
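Review bot: `ipsec_configured = bool(ipsec_config)` depends entirely on `show running-config | section crypto ipsec` returning text, and `crypto ipsec` looks like IOS-style syntax; as far as I know EOS configures IPsec under `ip security`, in which case the filter returns nothing and the rule passes every device. cve202128509.py may have the same problem with `section macsec` if the configuration keyword is `mac security`. Both filters should be verified on a device that has the feature configured before the rules are relied on. `terminattr_enabled = bool(terminattr_config)` has the opposite weakness: any non-empty output, including a CLI error line or whitespace, counts as TerminAttr being enabled, so testing for the daemon's configuration line explicitly would be more reliable.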
@@ -0,0 +1,71 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202128509',
+ platform=['arista_eos'],
+ commands=dict(
+ show_version='show version',
+ show_terminattr='show running-config | include terminattr',
+ show_macsec='show running-config | section macsec'
+ ),
+)
+def rule_cve202128509(configuration, commands, device, devices):
+ """
+ This rule checks for CVE-2021-28509 vulnerability in Arista EOS devices.
+ The vulnerability allows TerminAttr to leak MACsec sensitive data in clear text to CVP,
+ which could allow authorized users to decrypt or modify MACsec traffic.
+ """
+ # Extract the version information from the command output
+ version_output = commands.show_version
+
+ # List of vulnerable software versions
+ vulnerable_versions = [
+ # 4.23.x versions before 4.23.12
+ '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', '4.23.5',
+ '4.23.6', '4.23.7', '4.23.8', '4.23.9', '4.23.10', '4.23.11',
+ # 4.24.x versions before 4.24.10
+ '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5',
+ '4.24.6', '4.24.7', '4.24.8', '4.24.9',
+ # 4.25.x versions before 4.25.8
+ '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5',
+ '4.25.6', '4.25.7',
+ # 4.26.x versions before 4.26.6
+ '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4', '4.26.5',
+ # 4.27.x versions before 4.27.4
+ '4.27.0', '4.27.1', '4.27.2', '4.27.3'
+ ]
+
+ # Check if the current device's software version is in the list of vulnerable versions
+ version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+ # If version is not vulnerable, no need to check further
+ if not version_vulnerable:
+ return
+
+ # Check if TerminAttr is enabled
+ terminattr_config = commands.show_terminattr
+ terminattr_enabled = 'terminattr' in terminattr_config.lower()
+
+ # Check if MACsec is configured
+ macsec_config = commands.show_macsec
+ macsec_configured = 'macsec' in macsec_config.lower()
+
+ # Device is vulnerable if both TerminAttr and MACsec are enabled
+ is_vulnerable = terminattr_enabled and macsec_configured
+
+ # Assert that the device is not vulnerable
+ assert not is_vulnerable, (
+ f"Device {device.name} is vulnerable to CVE-2021-28509. "
+ "The device is running a vulnerable version AND has both TerminAttr and MACsec enabled, "
+ "which could allow MACsec sensitive data to leak in clear text to CVP. "
+ "Recommended fixes:\n"
+ "1. Upgrade to one of the following fixed versions:\n"
+ " * 4.27.4 or later for 4.27.x train\n"
+ " * 4.26.6 or later for 4.26.x train\n"
+ " * 4.25.8 or later for 4.25.x train\n"
+ " * 4.24.10 or later for 4.24.x train\n"
+ "2. Until upgrade is complete, implement this workaround:\n"
+ " * Disable TerminAttr agent\n"
+ "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077"
+ )
diff --git a/CVEasy/Arista/2021/cve202128510.py b/CVEasy/Arista/2021/cve202128510.py
new file mode 100644
index 00000000..32fbf3aa
--- /dev/null
+++ b/CVEasy/Arista/2021/cve202128510.py
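Review bot: The assert message gives no fixed release for the 4.23 train although the list flags 4.23.0 to 4.23.11 (comment: "before 4.23.12"), so an operator on 4.23 is told the device is vulnerable without an upgrade target; cve202128508.py has the same gap for "before 4.23.11". A message line for that train, with the release number checked against advisory 0077, should be added after the 4.24 entry. The two files cite the same advisory yet differ on the 4.23 and 4.27 boundaries (4.23.11 against 4.23.12, 4.27.2 against 4.27.4), which may be correct per CVE but deserves a comment naming the source so a later reader does not "fix" one to match the other.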
@@ -0,0 +1,71 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202128510',
+ platform=['arista_eos'],
+ commands=dict(
+ show_version='show version',
+ show_ptp='show running-config | section ptp'
+ ),
+)
+def rule_cve202128510(configuration, commands, device, devices):
+ """
+ This rule checks for CVE-2021-28510 vulnerability in Arista EOS devices.
+ The vulnerability allows an unauthenticated attacker to cause a DoS condition by sending
+ malformed PTP packets with invalid TLV values, causing the PTP agent to restart repeatedly.
+ """
+ # Extract the version information from the command output
+ version_output = commands.show_version
+
+ # List of vulnerable software versions
+ vulnerable_versions = [
+ # 4.23.x versions before 4.23.11
+ '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', '4.23.5',
+ '4.23.6', '4.23.7', '4.23.8', '4.23.9', '4.23.10',
+ # 4.24.x versions before 4.24.9
+ '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5',
+ '4.24.6', '4.24.7', '4.24.8',
+ # 4.25.x versions before 4.25.7
+ '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5',
+ '4.25.6',
+ # 4.26.x versions before 4.26.5
+ '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4',
+ # 4.27.x versions before 4.27.2
+ '4.27.0', '4.27.1'
+ ]
+
+ # Check if the current device's software version is in the list of vulnerable versions
+ version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+ # If version is not vulnerable, no need to check further
+ if not version_vulnerable:
+ return
+
+ # Check if PTP is configured
+ ptp_config = commands.show_ptp
+ ptp_enabled = 'ptp' in ptp_config.lower()
+
+ # Device is vulnerable if running affected version and PTP is enabled
+ is_vulnerable = version_vulnerable and ptp_enabled
+
+ # Assert that the device is not vulnerable
+ assert not is_vulnerable, (
+ f"Device {device.name} is vulnerable to CVE-2021-28510. "
+ "The device is running a vulnerable version AND has PTP enabled, "
+ "which could allow an attacker to cause a denial of service by sending malformed PTP packets. "
+ "Recommended fixes:\n"
+ "1. Upgrade to one of the following fixed versions:\n"
+ " * 4.27.2 or later for 4.27.x train\n"
+ " * 4.26.5 or later for 4.26.x train\n"
+ " * 4.25.7 or later for 4.25.x train\n"
+ " * 4.24.9 or later for 4.24.x train\n"
+ " * 4.23.11 or later for 4.23.x train\n"
+ "2. Until upgrade is complete, implement this workaround:\n"
+ " * Install ACL rules to drop PTP packets from untrusted sources\n"
+ " * Block access to untrusted (non-management) networks\n"
+ "3. A hotfix is available:\n"
+ " * SecurityAdvisory76_CVE-2021-28510_Hotfix.swix\n"
+ " * Note: Installing/uninstalling will cause PTP agent to restart\n"
+ "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15439-security-advisory-0076"
+ )
diff --git a/CVEasy/Arista/2021/cve202128511.py b/CVEasy/Arista/2021/cve202128511.py
new file mode 100644
index 00000000..e3a4df2f
--- /dev/null
+++ b/CVEasy/Arista/2021/cve202128511.py
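Review bot: `is_vulnerable = version_vulnerable and ptp_enabled` repeats a condition that is always true at that point, because the function has already returned when `version_vulnerable` was false; `assert not ptp_enabled, (...)` states the same thing with one less variable. The PTP test `'ptp' in ptp_config.lower()` accepts any text the `section ptp` filter returns, so a negated or unrelated line containing "ptp" would count as PTP being enabled. Whether the device prints such lines should be confirmed, and matching the specific enabling lines would be tighter.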
@@ -0,0 +1,70 @@ +from comfy import high + + +@high( + name='rule_cve202128511', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_nat='show running-config | section ip nat', + show_acl='show running-config | section ip access-list' + ), +) +def rule_cve202128511(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28511 vulnerability in Arista EOS devices. + The vulnerability allows security ACL bypass if a NAT ACL rule filter with permit action + matches a packet flow that should be denied by a security ACL. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.24.x versions before 4.24.10 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5', + '4.24.6', '4.24.7', '4.24.8', '4.24.9', + # 4.25.x versions before 4.25.9 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + '4.25.6', '4.25.7', '4.25.8', + # 4.26.x versions before 4.26.6 + '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4', '4.26.5', + # 4.27.x versions before 4.27.4 + '4.27.0', '4.27.1', '4.27.2', '4.27.3' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if NAT is configured + nat_config = commands.show_nat + nat_enabled = 'ip nat' in nat_config.lower() + + # Check if security ACLs are configured + acl_config = commands.show_acl + security_acl_enabled = 'ip access-list' in acl_config.lower() + + # Device is vulnerable if both NAT and security ACLs are enabled + is_vulnerable = nat_enabled and security_acl_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28511. 
" + "The device is running a vulnerable version AND has both NAT and security ACLs configured, " + "which could allow security ACL bypass through NAT permit rules. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.28.0 or later for 4.28.x train\n" + " * 4.27.4 or later for 4.27.x train\n" + " * 4.26.6 or later for 4.26.x train\n" + " * 4.25.9 or later for 4.25.x train\n" + " * 4.24.10 or later for 4.24.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Configure a NAT 'drop' ACL rule for each security ACL 'drop' rule\n" + " * Apply these rules to interfaces with NAT configured\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15862-security-advisory-0078" + ) From 9b12ab2891fc2efc2b16e9ad1ab23a6277171f72 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Sun, 1 Jun 2025 19:07:56 +0000 Subject: [PATCH 2/3] Fix flake8 and syntax errors in Arista CVE scripts --- CVEasy/Arista/2021/cve202128496.py | 5 +++-- CVEasy/Arista/2021/cve202128500.py | 5 +++-- CVEasy/Arista/2021/cve202128501.py | 5 +++-- CVEasy/Arista/2021/cve202128503.py | 5 +++-- CVEasy/Arista/2021/cve202128504.py | 7 ++++--- CVEasy/Arista/2021/cve202128505.py | 5 +++-- CVEasy/Arista/2021/cve202128506.py | 3 ++- CVEasy/Arista/2021/cve202128507.py | 3 ++- CVEasy/Arista/2021/cve202128508.py | 3 ++- CVEasy/Arista/2021/cve202128509.py | 3 ++- CVEasy/Arista/2021/cve202128510.py | 3 ++- CVEasy/Arista/2021/cve202128511.py | 3 ++- 12 files changed, 31 insertions(+), 19 deletions(-) diff --git a/CVEasy/Arista/2021/cve202128496.py b/CVEasy/Arista/2021/cve202128496.py index b691d052..0c636c99 100644 --- a/CVEasy/Arista/2021/cve202128496.py +++ b/CVEasy/Arista/2021/cve202128496.py 
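Review bot: `nat_enabled and security_acl_enabled` in rule_cve202128511 fires whenever the configuration contains any `ip nat` line and any `ip access-list` line, while the docstring describes a narrower condition: a NAT ACL rule with a permit action matching a flow that a security ACL should deny. As written the rule cannot tell an exposed device from one that merely uses both features, so its findings need manual triage. A comment such as `# Coarse check: NAT and ACLs both present; does not compare NAT permit rules with security ACL deny rules` above `is_vulnerable` would make that limit explicit.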
@@ -13,7 +13,7 @@ def rule_cve202128496(configuration, commands, device, devices): """ This rule checks for CVE-2021-28496 vulnerability in Arista EOS devices. - The vulnerability allows BFD shared secret passwords to be leaked when displaying output + The vulnerability allows BFD shared secret passwords to be leaked when displaying output over eAPI or other JSON outputs to authenticated users on the device. """ # Extract the version information from the command output @@ -66,5 +66,6 @@ def rule_cve202128496(configuration, commands, device, devices): " * For 4.22.0 - 4.25.0: SecurityAdvisory0069Hotfix-4.22-4.25.0.swix\n" " * For 4.25.1 - 4.26.1: SecurityAdvisory0069Hotfix-4.25.1-4.26.1.swix\n" "3. As a workaround, restrict access to CLI show commands using role-based authorization\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13243-security-advisory-0069" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13243-security-advisory-0069" ) diff --git a/CVEasy/Arista/2021/cve202128500.py b/CVEasy/Arista/2021/cve202128500.py index 63783aa6..95ebee4b 100644 --- a/CVEasy/Arista/2021/cve202128500.py +++ b/CVEasy/Arista/2021/cve202128500.py @@ -13,7 +13,7 @@ def rule_cve202128500(configuration, commands, device, devices): """ This rule checks for CVE-2021-28500 vulnerability in Arista EOS devices. - The vulnerability allows unrestricted access to the device for local users with nopassword + The vulnerability allows unrestricted access to the device for local users with nopassword configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents. """ # Extract the version information from the command output 
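Review bot: The split literal `"For more information, see"` in the second cve202128496.py hunk has lost the space that separated it from the URL, so adjacent-literal concatenation now yields `seehttps://www.arista.com/...` and the advisory link in the failure message is no longer usable as printed. The line should read `"For more information, see "` with the trailing space, as the cve202128500.py hunk in this same commit already does. The same omission is in the hunks for cve202128501, 28503, 28504, 28505, 28506, 28507, 28508, 28509, 28510 and 28511. The enclosing assert message starts outside each of these hunks.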
@@ -73,5 +73,6 @@ def rule_cve202128500(configuration, commands, device, devices): " * Or apply the appropriate hotfix:\n" " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + "For more information, see " + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" ) diff --git a/CVEasy/Arista/2021/cve202128501.py b/CVEasy/Arista/2021/cve202128501.py index 17d0f617..5c1db418 100644 --- a/CVEasy/Arista/2021/cve202128501.py +++ b/CVEasy/Arista/2021/cve202128501.py @@ -14,7 +14,7 @@ def rule_cve202128501(configuration, commands, device, devices): """ This rule checks for CVE-2021-28501 vulnerability in Arista EOS devices. - The vulnerability allows unrestricted access to the device for local users with nopassword + The vulnerability allows unrestricted access to the device for local users with nopassword configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents. """ # Extract the version information from the command output @@ -58,5 +58,6 @@ def rule_cve202128501(configuration, commands, device, devices): " * Or apply the appropriate hotfix with proxy service:\n" " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" ) diff --git a/CVEasy/Arista/2021/cve202128503.py b/CVEasy/Arista/2021/cve202128503.py index 37aa45b7..40986559 100644 --- a/CVEasy/Arista/2021/cve202128503.py +++ b/CVEasy/Arista/2021/cve202128503.py 
@@ -13,7 +13,7 @@ def rule_cve202128503(configuration, commands, device, devices): """ This rule checks for CVE-2021-28503 vulnerability in Arista EOS devices. - The vulnerability allows remote attackers to bypass authentication when certificate-based + The vulnerability allows remote attackers to bypass authentication when certificate-based authentication is used with eAPI, due to improper credential re-evaluation. """ # Extract the version information from the command output @@ -67,5 +67,6 @@ def rule_cve202128503(configuration, commands, device, devices): " switch(config)#management security\n" " switch(config-mgmt-security)#ssl profile profileEAPI\n" " switch(config-mgmt-sec-ssl-profile-profileEAPI)#no trust certificate user.cert\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13605-security-advisory-0072" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13605-security-advisory-0072" ) diff --git a/CVEasy/Arista/2021/cve202128504.py b/CVEasy/Arista/2021/cve202128504.py index aa5d6924..6f0aed1e 100644 --- a/CVEasy/Arista/2021/cve202128504.py +++ b/CVEasy/Arista/2021/cve202128504.py @@ -13,8 +13,8 @@ def rule_cve202128504(configuration, commands, device, devices): """ This rule checks for CVE-2021-28504 vulnerability in Arista EOS devices. - The vulnerability occurs on Strata family products when TCAM profile is enabled and - port IPv4 access-lists contain rules matching VXLAN protocol, causing subsequent rules + The vulnerability occurs on Strata family products when TCAM profile is enabled and + port IPv4 access-lists contain rules matching VXLAN protocol, causing subsequent rules to not match IP protocol fields as expected. """ # Extract the version information from the command output 
@@ -59,5 +59,6 @@ def rule_cve202128504(configuration, commands, device, devices): " * Replace 'protocol vxlan' matches in ACLs with:\n" " - protocol udp\n" " - destination port 4789 (or configured VXLAN port)\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" ) diff --git a/CVEasy/Arista/2021/cve202128505.py b/CVEasy/Arista/2021/cve202128505.py index cd024844..2ff97f87 100644 --- a/CVEasy/Arista/2021/cve202128505.py +++ b/CVEasy/Arista/2021/cve202128505.py @@ -13,7 +13,7 @@ def rule_cve202128505(configuration, commands, device, devices): """ This rule checks for CVE-2021-28505 vulnerability in Arista EOS devices. - The vulnerability occurs when VXLAN match rules in IPv4 access-lists are applied to + The vulnerability occurs when VXLAN match rules in IPv4 access-lists are applied to ingress L2/L3 ports or SVIs, causing subsequent ACL rules to ignore IP protocol fields. """ # Extract the version information from the command output @@ -61,5 +61,6 @@ def rule_cve202128505(configuration, commands, device, devices): " * Replace 'protocol vxlan' matches in ACLs with:\n" " - protocol udp\n" " - destination port 4789 (or configured VXLAN port)\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" ) diff --git a/CVEasy/Arista/2021/cve202128506.py b/CVEasy/Arista/2021/cve202128506.py index 96f10034..f60d7bb9 100644 --- a/CVEasy/Arista/2021/cve202128506.py +++ b/CVEasy/Arista/2021/cve202128506.py 
@@ -65,5 +65,6 @@ def rule_cve202128506(configuration, commands, device, devices): " * Apply the appropriate hotfix with proxy service:\n" " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" ) diff --git a/CVEasy/Arista/2021/cve202128507.py b/CVEasy/Arista/2021/cve202128507.py index 77814911..07a65c07 100644 --- a/CVEasy/Arista/2021/cve202128507.py +++ b/CVEasy/Arista/2021/cve202128507.py @@ -73,5 +73,6 @@ def rule_cve202128507(configuration, commands, device, devices): " * Or apply the appropriate hotfix with proxy service:\n" " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" ) diff --git a/CVEasy/Arista/2021/cve202128508.py b/CVEasy/Arista/2021/cve202128508.py index b7256b90..1badbc3e 100644 --- a/CVEasy/Arista/2021/cve202128508.py +++ b/CVEasy/Arista/2021/cve202128508.py @@ -67,5 +67,6 @@ def rule_cve202128508(configuration, commands, device, devices): " * 4.24.10 or later for 4.24.x train\n" "2. Until upgrade is complete, implement this workaround:\n" " * Disable TerminAttr agent\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" ) 
diff --git a/CVEasy/Arista/2021/cve202128509.py b/CVEasy/Arista/2021/cve202128509.py index a577c7c3..ec3f020f 100644 --- a/CVEasy/Arista/2021/cve202128509.py +++ b/CVEasy/Arista/2021/cve202128509.py @@ -67,5 +67,6 @@ def rule_cve202128509(configuration, commands, device, devices): " * 4.24.10 or later for 4.24.x train\n" "2. Until upgrade is complete, implement this workaround:\n" " * Disable TerminAttr agent\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" ) diff --git a/CVEasy/Arista/2021/cve202128510.py b/CVEasy/Arista/2021/cve202128510.py index 32fbf3aa..844c01c5 100644 --- a/CVEasy/Arista/2021/cve202128510.py +++ b/CVEasy/Arista/2021/cve202128510.py @@ -67,5 +67,6 @@ def rule_cve202128510(configuration, commands, device, devices): "3. A hotfix is available:\n" " * SecurityAdvisory76_CVE-2021-28510_Hotfix.swix\n" " * Note: Installing/uninstalling will cause PTP agent to restart\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15439-security-advisory-0076" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15439-security-advisory-0076" ) diff --git a/CVEasy/Arista/2021/cve202128511.py b/CVEasy/Arista/2021/cve202128511.py index e3a4df2f..9c1252f8 100644 --- a/CVEasy/Arista/2021/cve202128511.py +++ b/CVEasy/Arista/2021/cve202128511.py 
@@ -66,5 +66,6 @@ def rule_cve202128511(configuration, commands, device, devices): "2. Until upgrade is complete, implement this workaround:\n" " * Configure a NAT 'drop' ACL rule for each security ACL 'drop' rule\n" " * Apply these rules to interfaces with NAT configured\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15862-security-advisory-0078" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15862-security-advisory-0078" ) From eb48f51858732f0bd0d4c7987e125b454dddfa54 Mon Sep 17 00:00:00 2001 
From: mailsanjayhere Date: Sun, 1 Jun 2025 19:22:24 +0000 Subject: [PATCH 3/3] cisco_ios 2022 cves --- CVEasy/Cisco/2022/__init__.py | 0 CVEasy/Cisco/2022/cisco_ios/__init__.py | 0 CVEasy/Cisco/2022/cisco_ios/cve202220677.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220697.py | 32 +++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220718.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220719.py | 35 +++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220720.py | 35 +++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220721.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220722.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220723.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220724.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220725.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220726.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220727.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220761.py | 33 +++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220919.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220920.py | 34 ++++++++++++++++++++ 17 files changed, 509 insertions(+) create mode 100644 CVEasy/Cisco/2022/__init__.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/__init__.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220677.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220697.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220718.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220719.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220720.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220721.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220722.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220723.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220724.py create mode 100644 
CVEasy/Cisco/2022/cisco_ios/cve202220725.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220726.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220727.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220761.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220919.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220920.py diff --git a/CVEasy/Cisco/2022/__init__.py b/CVEasy/Cisco/2022/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_ios/__init__.py b/CVEasy/Cisco/2022/cisco_ios/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220677.py b/CVEasy/Cisco/2022/cisco_ios/cve202220677.py new file mode 100644 index 00000000..1031e83b --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220677.py 
@@ -0,0 +1,34 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202220677',
+ platform=['cisco_ios'],
+ commands=dict(
+ show_version='show version',
+ check_ios='show running-config | include ios'
+ ),
+)
+def rule_cve202220677(configuration, commands, device, devices):
+ """
+ This rule checks for the CVE-2022-20677 vulnerability in Cisco IOS Software.
+ The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment.
+ An attacker could exploit this vulnerability to inject arbitrary commands into the underlying host
+ operating system, execute arbitrary code, install applications without authentication, or conduct
+ cross-site scripting (XSS) attacks.
+ """
+ # Extract the output of the command to check IOS configuration
+ ios_output = commands.check_ios
+
+ # Check if IOS is configured
+ ios_configured = 'ios' in ios_output
+
+ # Assert that the device is not vulnerable
+ assert not ios_configured, (
+ f"Device {device.name} is vulnerable to CVE-2022-20677. "
+ "The device has IOS application hosting configured, "
+ "which could allow an attacker to execute arbitrary commands, install unauthorized applications, "
+ "or conduct XSS attacks. "
+ "For more information, see "
+ "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj"
+ )
diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220697.py b/CVEasy/Cisco/2022/cisco_ios/cve202220697.py
new file mode 100644
index 00000000..1804c43a
--- /dev/null
+++ b/CVEasy/Cisco/2022/cisco_ios/cve202220697.py
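Review bot: `'ios' in ios_output`, fed by `show running-config | include ios`, tests for the three letters "ios" anywhere in the configuration rather than for application hosting, so the verdict depends on unrelated lines such as a hostname, a description or an image path, and can fail clean devices or pass affected ones. `show_version` is collected but never read, so patched releases are not excluded either. The docstring describes the application hosting environment; matching the configuration lines that actually enable it, plus a version comparison, would make the finding meaningful. The `ios` filter and the advisory slug `cisco-sa-ios-yuXQ6hFj` may both have been meant as `iox`, so please confirm the link resolves. The same check is copied into rule_cve202220718 through rule_cve202220725.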
@@ -0,0 +1,32 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202220697',
+ platform=['cisco_ios'],
+ commands=dict(
+ show_version='show version',
+ check_http='show running-config | include ip http'
+ ),
+)
+def rule_cve202220697(configuration, commands, device, devices):
+ """
+ This rule checks for the CVE-2022-20697 vulnerability in Cisco IOS Software.
+ The vulnerability is due to improper resource management in the HTTP server code.
+ An attacker could exploit this vulnerability by sending a large number of HTTP requests
+ to an affected device, causing it to reload and resulting in a denial of service (DoS) condition.
+ """
+ # Extract the output of the command to check HTTP configuration
+ http_output = commands.check_http
+
+ # Check if HTTP server is enabled
+ http_enabled = any(service in http_output for service in ['ip http server', 'ip http secure-server'])
+
+ # Assert that the device is not vulnerable
+ assert not http_enabled, (
+ f"Device {device.name} is vulnerable to CVE-2022-20697. "
+ "The device has HTTP/HTTPS server enabled, "
+ "which could allow an attacker to cause a denial of service through crafted HTTP requests. "
+ "For more information, see "
+ "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-dos-svOdkdBS"
+ )
diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220718.py b/CVEasy/Cisco/2022/cisco_ios/cve202220718.py
new file mode 100644
index 00000000..3abeec7e
--- /dev/null
+++ b/CVEasy/Cisco/2022/cisco_ios/cve202220718.py
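Review bot: The `http_enabled` test `any(service in http_output for service in ['ip http server', 'ip http secure-server'])` is also true for the lines `no ip http server` and `no ip http secure-server`, which a device with the HTTP server explicitly disabled prints under `include ip http`, so hardened devices are reported as vulnerable. Compare whole lines and skip negated ones, for example `any(line.strip() in ('ip http server', 'ip http secure-server') for line in http_output.splitlines())`. `show_version` is requested but unused, so releases that already carry the fix are flagged as well.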
@@ -0,0 +1,34 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202220718',
+ platform=['cisco_ios'],
+ commands=dict(
+ show_version='show version',
+ check_ios='show running-config | include ios'
+ ),
+)
+def rule_cve202220718(configuration, commands, device, devices):
+ """
+ This rule checks for the CVE-2022-20718 vulnerability in Cisco IOS Software.
+ The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment.
+ Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host
+ operating system, execute arbitrary code, install applications without authentication, or conduct
+ cross-site scripting (XSS) attacks.
+ """
+ # Extract the output of the command to check IOS configuration
+ ios_output = commands.check_ios
+
+ # Check if IOS is configured
+ ios_configured = 'ios' in ios_output
+
+ # Assert that the device is not vulnerable
+ assert not ios_configured, (
+ f"Device {device.name} is vulnerable to CVE-2022-20718. "
+ "The device has IOS application hosting configured, "
+ "which could allow an attacker to execute arbitrary commands, install unauthorized applications, "
+ "or conduct XSS attacks. "
+ "For more information, see "
+ "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj"
+ )
diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220719.py b/CVEasy/Cisco/2022/cisco_ios/cve202220719.py
new file mode 100644
index 00000000..e3665251
--- /dev/null
+++ b/CVEasy/Cisco/2022/cisco_ios/cve202220719.py
@@ -0,0 +1,35 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202220719',
+ platform=['cisco_ios'],
+ commands=dict(
+ show_version='show version',
+ check_ios='show running-config | include ios'
+ ),
+)
+def rule_cve202220719(configuration, commands, device, devices):
+ """
+ This rule checks for the CVE-2022-20719 vulnerability in Cisco IOS Software.
+ The vulnerability is due to insufficient protection in the Cisco IOS application
+ hosting environment. Multiple vulnerabilities could allow an attacker to inject
+ arbitrary commands into the underlying host operating system, execute arbitrary
+ code, install applications without authentication, or conduct cross-site
+ scripting (XSS) attacks.
+ """
+ # Extract the output of the command to check IOS configuration
+ ios_output = commands.check_ios
+
+ # Check if IOS is configured
+ ios_configured = 'ios' in ios_output
+
+ # Assert that the device is not vulnerable
+ assert not ios_configured, (
+ f"Device {device.name} is vulnerable to CVE-2022-20719. "
+ "The device has IOS application hosting configured, "
+ "which could allow an attacker to execute arbitrary commands, install unauthorized applications, "
+ "or conduct XSS attacks. "
+ "For more information, see "
+ "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj"
+ )
diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220720.py b/CVEasy/Cisco/2022/cisco_ios/cve202220720.py
new file mode 100644
index 00000000..ecea6ab3
--- /dev/null
+++ b/CVEasy/Cisco/2022/cisco_ios/cve202220720.py
@@ -0,0 +1,35 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202220720',
+ platform=['cisco_ios'],
+ commands=dict(
+ show_version='show version',
+ check_ios='show running-config | include ios'
+ ),
+)
+def rule_cve202220720(configuration, commands, device, devices):
+ """
+ This rule checks for the CVE-2022-20720 vulnerability in Cisco IOS Software.
+ The vulnerability is due to insufficient protection in the Cisco IOS application
+ hosting environment.
+ Multiple vulnerabilities could allow an attacker to inject arbitrary commands
+ into the underlying host operating system, execute arbitrary code, install
+ applications without authentication, or conduct cross-site scripting (XSS) attacks.
+ """
+ # Extract the output of the command to check IOS configuration
+ ios_output = commands.check_ios
+
+ # Check if IOS is configured
+ ios_configured = 'ios' in ios_output
+
+ # Assert that the device is not vulnerable
+ assert not ios_configured, (
+ f"Device {device.name} is vulnerable to CVE-2022-20720. "
+ "The device has IOS application hosting configured, "
+ "which could allow an attacker to execute arbitrary commands, install unauthorized applications, "
+ "or conduct XSS attacks. "
+ "For more information, see "
+ "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj"
+ )
diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220721.py b/CVEasy/Cisco/2022/cisco_ios/cve202220721.py
new file mode 100644
index 00000000..fa410727
--- /dev/null
+++ b/CVEasy/Cisco/2022/cisco_ios/cve202220721.py
@@ -0,0 +1,34 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202220721',
+ platform=['cisco_ios'],
+ commands=dict(
+ show_version='show version',
+ check_ios='show running-config | include ios'
+ ),
+)
+def rule_cve202220721(configuration, commands, device, devices):
+ """
+ This rule checks for the CVE-2022-20721 vulnerability in Cisco IOS Software.
+ The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment.
+ Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host
+ operating system, execute arbitrary code, install applications without authentication, or conduct
+ cross-site scripting (XSS) attacks.
+ """
+ # Extract the output of the command to check IOS configuration
+ ios_output = commands.check_ios
+
+ # Check if IOS is configured
+ ios_configured = 'ios' in ios_output
+
+ # Assert that the device is not vulnerable
+ assert not ios_configured, (
+ f"Device {device.name} is vulnerable to CVE-2022-20721. "
+ "The device has IOS application hosting configured, "
+ "which could allow an attacker to execute arbitrary commands, install unauthorized applications, "
+ "or conduct XSS attacks. "
+ "For more information, see "
+ "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj"
+ )
diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220722.py b/CVEasy/Cisco/2022/cisco_ios/cve202220722.py
new file mode 100644
index 00000000..e5d99e25
--- /dev/null
+++ b/CVEasy/Cisco/2022/cisco_ios/cve202220722.py
@@ -0,0 +1,34 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202220722',
+ platform=['cisco_ios'],
+ commands=dict(
+ show_version='show version',
+ check_ios='show running-config | include ios'
+ ),
+)
+def rule_cve202220722(configuration, commands, device, devices):
+ """
+ This rule checks for the CVE-2022-20722 vulnerability in Cisco IOS Software.
+ The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment.
+ Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host
+ operating system, execute arbitrary code, install applications without authentication, or conduct
+ cross-site scripting (XSS) attacks.
+ """
+ # Extract the output of the command to check IOS configuration
+ ios_output = commands.check_ios
+
+ # Check if IOS is configured
+ ios_configured = 'ios' in ios_output
+
+ # Assert that the device is not vulnerable
+ assert not ios_configured, (
+ f"Device {device.name} is vulnerable to CVE-2022-20722. "
+ "The device has IOS application hosting configured, "
+ "which could allow an attacker to execute arbitrary commands, install unauthorized applications, "
+ "or conduct XSS attacks. "
+ "For more information, see "
+ "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj"
+ )
diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220723.py b/CVEasy/Cisco/2022/cisco_ios/cve202220723.py
new file mode 100644
index 00000000..fe189087
--- /dev/null
+++ b/CVEasy/Cisco/2022/cisco_ios/cve202220723.py
@@ -0,0 +1,34 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202220723',
+ platform=['cisco_ios'],
+ commands=dict(
+ show_version='show version',
+ check_ios='show running-config | include ios'
+ ),
+)
+def rule_cve202220723(configuration, commands, device, devices):
+ """
+ This rule checks for the CVE-2022-20723 vulnerability in Cisco IOS Software.
+ The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment.
+ Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host
+ operating system, execute arbitrary code, install applications without authentication, or conduct
+ cross-site scripting (XSS) attacks.
+ """
+ # Extract the output of the command to check IOS configuration
+ ios_output = commands.check_ios
+
+ # Check if IOS is configured
+ ios_configured = 'ios' in ios_output
+
+ # Assert that the device is not vulnerable
+ assert not ios_configured, (
+ f"Device {device.name} is vulnerable to CVE-2022-20723. "
+ "The device has IOS application hosting configured, "
+ "which could allow an attacker to execute arbitrary commands, install unauthorized applications, "
+ "or conduct XSS attacks. "
+ "For more information, see "
+ "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj"
+ )
diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220724.py b/CVEasy/Cisco/2022/cisco_ios/cve202220724.py
new file mode 100644
index 00000000..293118d4
--- /dev/null
+++ b/CVEasy/Cisco/2022/cisco_ios/cve202220724.py
@@ -0,0 +1,34 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202220724',
+ platform=['cisco_ios'],
+ commands=dict(
+ show_version='show version',
+ check_ios='show running-config | include ios'
+ ),
+)
+def rule_cve202220724(configuration, commands, device, devices):
+ """
+ This rule checks for the CVE-2022-20724 vulnerability in Cisco IOS Software.
+ The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment.
+ Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host
+ operating system, execute arbitrary code, install applications without authentication, or conduct
+ cross-site scripting (XSS) attacks.
+ """
+ # Extract the output of the command to check IOS configuration
+ ios_output = commands.check_ios
+
+ # Check if IOS is configured
+ ios_configured = 'ios' in ios_output
+
+ # Assert that the device is not vulnerable
+ assert not ios_configured, (
+ f"Device {device.name} is vulnerable to CVE-2022-20724. "
+ "The device has IOS application hosting configured, "
+ "which could allow an attacker to execute arbitrary commands, install unauthorized applications, "
+ "or conduct XSS attacks. "
+ "For more information, see "
+ "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj"
+ )
diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220725.py b/CVEasy/Cisco/2022/cisco_ios/cve202220725.py
new file mode 100644
index 00000000..c7994a30
--- /dev/null
+++ b/CVEasy/Cisco/2022/cisco_ios/cve202220725.py
@@ -0,0 +1,34 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202220725',
+ platform=['cisco_ios'],
+ commands=dict(
+ show_version='show version',
+ check_ios='show running-config | include ios'
+ ),
+)
+def rule_cve202220725(configuration, commands, device, devices):
+ """
+ This rule checks for the CVE-2022-20725 vulnerability in Cisco IOS Software.
+ The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment.
+ Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host
+ operating system, execute arbitrary code, install applications without authentication, or conduct
+ cross-site scripting (XSS) attacks.
+ """
+ # Extract the output of the command to check IOS configuration
+ ios_output = commands.check_ios
+
+ # Check if IOS is configured
+ ios_configured = 'ios' in ios_output
+
+ # Assert that the device is not vulnerable
+ assert not ios_configured, (
+ f"Device {device.name} is vulnerable to CVE-2022-20725. "
+ "The device has IOS application hosting configured, "
+ "which could allow an attacker to execute arbitrary commands, install unauthorized applications, "
+ "or conduct XSS attacks. "
+ "For more information, see "
+ "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj"
+ )
diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220726.py b/CVEasy/Cisco/2022/cisco_ios/cve202220726.py
new file mode 100644
index 00000000..c5b607ff
--- /dev/null
+++ b/CVEasy/Cisco/2022/cisco_ios/cve202220726.py
@@ -0,0 +1,34 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202220726',
+ platform=['cisco_ios'],
+ commands=dict(
+ show_version='show version',
+ check_ios='show running-config | include ios'
+ ),
+)
+def rule_cve202220726(configuration, commands, device, devices):
+ """
+ This rule checks for the CVE-2022-20726 vulnerability in Cisco IOS Software.
+ The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment.
+ Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host
+ operating system, execute arbitrary code, install applications without authentication, or conduct
+ cross-site scripting (XSS) attacks.
+ """
+ # Extract the output of the command to check IOS configuration
+ ios_output = commands.check_ios
+
+ # Check if IOS is configured
+ ios_configured = 'ios' in ios_output
+
+ # Assert that the device is not vulnerable
+ assert not ios_configured, (
+ f"Device {device.name} is vulnerable to CVE-2022-20726. "
+ "The device has IOS application hosting configured, "
+ "which could allow an attacker to execute arbitrary commands, install unauthorized applications, "
+ "or conduct XSS attacks. "
+ "For more information, see "
+ "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj"
+ )
diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220727.py b/CVEasy/Cisco/2022/cisco_ios/cve202220727.py
new file mode 100644
index 00000000..e87b64e3
--- /dev/null
+++ b/CVEasy/Cisco/2022/cisco_ios/cve202220727.py
@@ -0,0 +1,34 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202220727',
+ platform=['cisco_ios'],
+ commands=dict(
+ show_version='show version',
+ check_ios='show running-config | include ios'
+ ),
+)
+def rule_cve202220727(configuration, commands, device, devices):
+ """
+ This rule checks for the CVE-2022-20727 vulnerability in Cisco IOS Software.
+ The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment.
+ Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host
+ operating system, execute arbitrary code, install applications without authentication, or conduct
+ cross-site scripting (XSS) attacks.
+ """
+ # Extract the output of the command to check IOS configuration
+ ios_output = commands.check_ios
+
+ # Check if IOS is configured
+ ios_configured = 'ios' in ios_output
+
+ # Assert that the device is not vulnerable
+ assert not ios_configured, (
+ f"Device {device.name} is vulnerable to CVE-2022-20727. "
+ "The device has IOS application hosting configured, "
+ "which could allow an attacker to execute arbitrary commands, install unauthorized applications, "
+ "or conduct XSS attacks. "
+ "For more information, see "
+ "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj"
+ )
diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220761.py b/CVEasy/Cisco/2022/cisco_ios/cve202220761.py
new file mode 100644
index 00000000..2811f670
--- /dev/null
+++ b/CVEasy/Cisco/2022/cisco_ios/cve202220761.py
@@ -0,0 +1,33 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202220761',
+ platform=['cisco_ios'],
+ commands=dict(
+ show_version='show version',
+ check_ap='show running-config | include autonomous-ap'
+ ),
+)
+def rule_cve202220761(configuration, commands, device, devices):
+ """
+ This rule checks for the CVE-2022-20761 vulnerability in Cisco IOS Software.
+ The vulnerability is due to insufficient input validation in the integrated wireless access point (AP)
+ packet processing of the Cisco 1000 Series Connected Grid Router (CGR1K). An attacker could exploit
+ this vulnerability by sending crafted traffic to an affected device, causing the integrated AP to stop
+ processing traffic and resulting in a denial of service condition.
+ """
+ # Extract the output of the command to check AP configuration
+ ap_output = commands.check_ap
+
+ # Check if integrated AP is configured
+ ap_configured = 'autonomous-ap' in ap_output
+
+ # Assert that the device is not vulnerable
+ assert not ap_configured, (
+ f"Device {device.name} is vulnerable to CVE-2022-20761. "
+ "The device has integrated wireless access point configured, "
+ "which could allow an adjacent attacker to cause a denial of service through crafted traffic. "
+ "For more information, see "
+ "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cgr1k-ap-dos-mSZR4QVh"
+ )
diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220919.py b/CVEasy/Cisco/2022/cisco_ios/cve202220919.py
new file mode 100644
index 00000000..8e2b3148
--- /dev/null
+++ b/CVEasy/Cisco/2022/cisco_ios/cve202220919.py
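Review bot: `rule_cve202220761` runs against every device on the `cisco_ios` platform, although its docstring limits the flaw to the integrated AP of the Cisco 1000 Series Connected Grid Router. `show_version` is already collected, so the rule can return early on other hardware, for example `if 'CGR' not in commands.show_version: return` ahead of the AP check; the exact model string should be confirmed from real `show version` output. The match `'autonomous-ap' in ap_output` is also a plain substring test over the whole output, so comparing per line would keep descriptions or negated forms from tripping the assert.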
@@ -0,0 +1,34 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202220919',
+ platform=['cisco_ios'],
+ commands=dict(
+ show_version='show version',
+ check_cip='show running-config | include cip enable'
+ ),
+)
+def rule_cve202220919(configuration, commands, device, devices):
+ """
+ This rule checks for the CVE-2022-20919 vulnerability in Cisco IOS Software.
+ The vulnerability is due to insufficient input validation during processing of
+ Common Industrial Protocol (CIP) packets.
+ An unauthenticated, remote attacker could exploit this vulnerability by sending
+ malformed CIP packets to an affected device,
+ causing it to unexpectedly reload and resulting in a denial of service (DoS) condition.
+ """
+ # Extract the output of the command to check CIP configuration
+ cip_output = commands.check_cip
+
+ # Check if CIP is enabled
+ cip_enabled = 'cip enable' in cip_output
+
+ # Assert that the device is not vulnerable
+ assert not cip_enabled, (
+ f"Device {device.name} is vulnerable to CVE-2022-20919. "
+ "The device has Common Industrial Protocol (CIP) enabled, "
+ "which could allow an unauthenticated attacker to cause a denial of service through malformed CIP packets. "
+ "For more information, see "
+ "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-cip-dos-9rTbKLt9"
+ )
diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220920.py b/CVEasy/Cisco/2022/cisco_ios/cve202220920.py
new file mode 100644
index 00000000..51f76da3
--- /dev/null
+++ b/CVEasy/Cisco/2022/cisco_ios/cve202220920.py
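Review bot: In `rule_cve202220919`, `'cip enable' in cip_output` is a substring test over the whole command output, so a line such as `no cip enable`, or any line that merely contains the phrase, marks the device as vulnerable. Compare whole lines instead: `cip_enabled = any(l.strip() == 'cip enable' for l in cip_output.splitlines())`. The advisory slug in the message starts with `iosxe` while the rule is registered for `cisco_ios` only; if the advisory also covers IOS XE, that platform presumably needs the same rule.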
@@ -0,0 +1,34 @@
+from comfy import high
+
+
+@high(
+ name='rule_cve202220920',
+ platform=['cisco_ios'],
+ commands=dict(
+ show_version='show version',
+ check_ssh='show running-config | include ip ssh'
+ ),
+)
+def rule_cve202220920(configuration, commands, device, devices):
+ """
+ This rule checks for the CVE-2022-20920 vulnerability in Cisco IOS Software.
+ The vulnerability is due to improper handling of resources during an exceptional
+ situation in the SSH implementation.
+ An authenticated, remote attacker could exploit this vulnerability by continuously connecting to an affected device
+ and sending specific SSH requests, causing the device to reload and resulting in a
+ denial of service (DoS) condition.
+ """
+ # Extract the output of the command to check SSH configuration
+ ssh_output = commands.check_ssh
+
+ # Check if SSH is enabled
+ ssh_enabled = 'ip ssh' in ssh_output
+
+ # Assert that the device is not vulnerable
+ assert not ssh_enabled, (
+ f"Device {device.name} is vulnerable to CVE-2022-20920. "
+ "The device has SSH enabled, "
+ "which could allow an authenticated attacker to cause a denial of service through crafted SSH requests. "
+ "For more information, see "
+ "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssh-excpt-dos-FzOBQTnk"
+ )
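Review bot: In `rule_cve202220920`, the presence of an `ip ssh` line in the running configuration is not a reliable sign that the SSH server is accepting connections, which is the condition the docstring describes. `show running-config | include ip ssh` also returns option lines (timeouts, version, `no ip ssh …` forms), and a device can serve SSH with no such line present, so the rule can both over- and under-report. Querying the server state directly is closer to the intent, e.g. `check_ssh='show ip ssh'` with `ssh_enabled = 'SSH Enabled' in ssh_output`; confirm the status wording on the releases in scope. Because SSH is the usual management path, this rule in particular needs the release check from `commands.show_version` before its result is usable as a finding.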