diff --git a/CVEasy/Arista/2021/__init__.py b/CVEasy/Arista/2021/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Arista/2021/cve202128496.py b/CVEasy/Arista/2021/cve202128496.py new file mode 100644 index 00000000..0c636c99 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128496.py @@ -0,0 +1,71 @@ +from comfy import high + + +@high( + name='rule_cve202128496', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_bfd='show running-config | section bfd', + show_eapi='show management api http-commands' + ), +) +def rule_cve202128496(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28496 vulnerability in Arista EOS devices. + The vulnerability allows BFD shared secret passwords to be leaked when displaying output + over eAPI or other JSON outputs to authenticated users on the device. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.22.x versions (all releases) + '4.22.0', '4.22.12', + # 4.23.x versions (up to 4.23.9) + '4.23.0', '4.23.9', + # 4.24.x versions (up to 4.24.7) + '4.24.0', '4.24.7', + # 4.25.x versions (up to 4.25.4) + '4.25.0', '4.25.4', + # 4.26.x versions (up to 4.26.1) + '4.26.0', '4.26.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if BFD is configured with shared secret profiles + bfd_config = commands.show_bfd + has_bfd_secrets = 'profile' in bfd_config and 'key-id' in bfd_config + + # Check if eAPI is enabled + eapi_config = commands.show_eapi + eapi_enabled = 'enabled' in eapi_config.lower() + + # Device is vulnerable if using BFD shared secrets and eAPI is enabled + is_vulnerable = has_bfd_secrets and eapi_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28496. " + "The device is running a vulnerable version AND has BFD shared secret profiles configured " + "with eAPI enabled, which could expose sensitive password information. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.23.10 or later for 4.23.x train\n" + " * 4.24.8 or later for 4.24.x train\n" + " * 4.25.5 or later for 4.25.x train\n" + " * 4.26.2 or later for 4.26.x train\n" + "2. Or apply the appropriate hotfix:\n" + " * For 4.22.0 - 4.25.0: SecurityAdvisory0069Hotfix-4.22-4.25.0.swix\n" + " * For 4.25.1 - 4.26.1: SecurityAdvisory0069Hotfix-4.25.1-4.26.1.swix\n" + "3. As a workaround, restrict access to CLI show commands using role-based authorization\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13243-security-advisory-0069" + ) diff --git a/CVEasy/Arista/2021/cve202128500.py b/CVEasy/Arista/2021/cve202128500.py new file mode 100644 index 00000000..95ebee4b --- /dev/null +++ b/CVEasy/Arista/2021/cve202128500.py @@ -0,0 +1,78 @@ +from comfy import high + + +@high( + name='rule_cve202128500', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_users='show running-config | section username', + show_agents='show running-config | include openconfig|terminattr' + ), +) +def rule_cve202128500(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28500 vulnerability in Arista EOS devices. + The vulnerability allows unrestricted access to the device for local users with nopassword + configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.20.x and earlier versions + '4.20.0', '4.20.15', + # 4.21.x versions + '4.21.0', '4.21.14M', + # 4.22.x versions + '4.22.0', '4.22.11M', + # 4.23.x versions + '4.23.0', '4.23.8M', + # 4.24.x versions + '4.24.0', '4.24.6M', + # 4.25.x versions + '4.25.0', '4.25.4M', + # 4.26.x versions + '4.26.0', '4.26.1F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if any users are configured with nopassword + users_config = commands.show_users + has_nopassword_users = 'nopassword' in users_config + + # Check if OpenConfig or TerminAttr agents are enabled + agents_config = commands.show_agents + agents_enabled = 'openconfig' in agents_config or 'terminattr' in agents_config + + # Device is vulnerable if it has nopassword users and agents enabled + is_vulnerable = has_nopassword_users and agents_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28500. " + "The device is running a vulnerable version AND has local users with nopassword configuration " + "while OpenConfig/TerminAttr agents are enabled, which could allow unrestricted access. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.2F or later for 4.26.x train\n" + " * 4.25.5M or later for 4.25.x train\n" + " * 4.24.7M or later for 4.24.x train\n" + " * 4.23.9M or later for 4.23.x train\n" + " * 4.22.12M or later for 4.22.x train\n" + " * 4.21.15M or later for 4.21.x train\n" + "2. Until upgrade is complete, implement these workarounds:\n" + " * Remove nopassword configuration for local users\n" + " * Or apply the appropriate hotfix:\n" + " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" + " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" + "For more information, see " + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + ) diff --git a/CVEasy/Arista/2021/cve202128501.py b/CVEasy/Arista/2021/cve202128501.py new file mode 100644 index 00000000..5c1db418 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128501.py @@ -0,0 +1,63 @@ +from comfy import high + + +@high( + name='rule_cve202128501', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_terminattr='show running-config | include terminattr', + show_openconfig='show running-config | include openconfig', + show_users='show running-config | section username' + ), +) +def rule_cve202128501(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28501 vulnerability in Arista EOS devices. + The vulnerability allows unrestricted access to the device for local users with nopassword + configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # TerminAttr versions before 1.16.2 + '1.15.0', '1.15.1', '1.15.2', '1.15.3', + '1.16.0', '1.16.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if TerminAttr or OpenConfig agents are enabled + terminattr_config = commands.show_terminattr + openconfig_config = commands.show_openconfig + agents_enabled = bool(terminattr_config or openconfig_config) + + # Check if any users are configured with nopassword + users_config = commands.show_users + has_nopassword_users = 'nopassword' in users_config + + # Device is vulnerable if agents are enabled and has nopassword users + is_vulnerable = agents_enabled and has_nopassword_users + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28501. " + "The device is running a vulnerable version of TerminAttr AND has local users with nopassword configuration " + "while OpenConfig/TerminAttr agents are enabled, which could allow unrestricted access. " + "Recommended fixes:\n" + "1. Upgrade to TerminAttr v1.16.2 or later\n" + "2. Until upgrade is complete, implement these workarounds:\n" + " * Disable OpenConfig gNMI/gNOI and OpenConfig RESTCONF and TerminAttr\n" + " * Or apply the appropriate hotfix with proxy service:\n" + " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" + " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + ) diff --git a/CVEasy/Arista/2021/cve202128503.py b/CVEasy/Arista/2021/cve202128503.py new file mode 100644 index 00000000..40986559 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128503.py @@ -0,0 +1,72 @@ +from comfy import high + + +@high( + name='rule_cve202128503', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_eapi='show management api http-commands', + show_cert_auth='show running-config | include certificate user' + ), +) +def rule_cve202128503(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28503 vulnerability in Arista EOS devices. + The vulnerability allows remote attackers to bypass authentication when certificate-based + authentication is used with eAPI, due to improper credential re-evaluation. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.23.x versions before 4.23.10 + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', + '4.23.5', '4.23.6', '4.23.7', '4.23.8', '4.23.9', + # 4.24.x versions before 4.24.8 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', + '4.24.5', '4.24.6', '4.24.7', + # 4.25.x versions before 4.25.6 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + # 4.26.x versions before 4.26.3 + '4.26.0', '4.26.1', '4.26.2' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if eAPI is enabled + eapi_config = commands.show_eapi + eapi_enabled = 'enabled' in eapi_config.lower() + + # Check if certificate-based authentication is configured + cert_config = commands.show_cert_auth + cert_auth_enabled = 'certificate user' in cert_config + + # Device is vulnerable if both eAPI and certificate auth are enabled + is_vulnerable = eapi_enabled and cert_auth_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28503. " + "The device is running a vulnerable version AND has eAPI enabled with certificate-based authentication, " + "which could allow remote attackers to bypass authentication. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.3 or later for 4.26.x train\n" + " * 4.25.6 or later for 4.25.x train\n" + " * 4.24.8 or later for 4.24.x train\n" + " * 4.23.10 or later for 4.23.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Disable certificate-based authentication for eAPI:\n" + " switch(config)#management security\n" + " switch(config-mgmt-security)#ssl profile profileEAPI\n" + " switch(config-mgmt-sec-ssl-profile-profileEAPI)#no trust certificate user.cert\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13605-security-advisory-0072" + ) diff --git a/CVEasy/Arista/2021/cve202128504.py b/CVEasy/Arista/2021/cve202128504.py new file mode 100644 index 00000000..6f0aed1e --- /dev/null +++ b/CVEasy/Arista/2021/cve202128504.py @@ -0,0 +1,64 @@ +from comfy import high + + +@high( + name='rule_cve202128504', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_tcam='show hardware tcam profile', + show_acl='show running-config | section ip access-list' + ), +) +def rule_cve202128504(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28504 vulnerability in Arista EOS devices. + The vulnerability occurs on Strata family products when TCAM profile is enabled and + port IPv4 access-lists contain rules matching VXLAN protocol, causing subsequent rules + to not match IP protocol fields as expected. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.26.x versions before 4.26.4F + '4.26.0', '4.26.1F', '4.26.2F', '4.26.3F', + # 4.27.x versions before 4.27.1M + '4.27.0F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if TCAM profile feature is enabled + tcam_output = commands.show_tcam + tcam_enabled = 'Profile:' in tcam_output + + # Check if any ACL has VXLAN protocol matching + acl_config = commands.show_acl + has_vxlan_acl = 'protocol vxlan' in acl_config.lower() + + # Device is vulnerable if TCAM profile is enabled and has VXLAN protocol matching in ACLs + is_vulnerable = tcam_enabled and has_vxlan_acl + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28504. " + "The device is running a vulnerable version AND has TCAM profile enabled with ACLs matching VXLAN protocol, " + "which could cause subsequent ACL rules to not match IP protocol fields correctly. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.4F or later for 4.26.x train\n" + " * 4.27.1M or later for 4.27.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Replace 'protocol vxlan' matches in ACLs with:\n" + " - protocol udp\n" + " - destination port 4789 (or configured VXLAN port)\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" + ) diff --git a/CVEasy/Arista/2021/cve202128505.py b/CVEasy/Arista/2021/cve202128505.py new file mode 100644 index 00000000..2ff97f87 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128505.py @@ -0,0 +1,66 @@ +from comfy import high + + +@high( + name='rule_cve202128505', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_acl='show running-config | section ip access-list', + show_interfaces='show running-config | section interface' + ), +) +def rule_cve202128505(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28505 vulnerability in Arista EOS devices. + The vulnerability occurs when VXLAN match rules in IPv4 access-lists are applied to + ingress L2/L3 ports or SVIs, causing subsequent ACL rules to ignore IP protocol fields. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.26.x versions before 4.26.4M + '4.26.0', '4.26.1F', '4.26.2F', '4.26.3M', + # 4.27.x versions before 4.27.1F + '4.27.0F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if any ACL has VXLAN protocol matching + acl_config = commands.show_acl + has_vxlan_acl = 'protocol vxlan' in acl_config.lower() + + # Check if ACLs are applied to ingress L2/L3 ports or SVIs + interface_config = commands.show_interfaces + has_ingress_acl = any(keyword in interface_config.lower() for keyword in [ + 'ip access-group', + 'ipv4 access-group' + ]) + + # Device is vulnerable if it has VXLAN ACLs applied to ingress interfaces + is_vulnerable = has_vxlan_acl and has_ingress_acl + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28505. " + "The device is running a vulnerable version AND has VXLAN match rules in IPv4 ACLs " + "applied to ingress interfaces, which could cause subsequent rules to ignore IP protocol fields. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.4M or later for 4.26.x train\n" + " * 4.27.1F or later for 4.27.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Replace 'protocol vxlan' matches in ACLs with:\n" + " - protocol udp\n" + " - destination port 4789 (or configured VXLAN port)\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" + ) diff --git a/CVEasy/Arista/2021/cve202128506.py b/CVEasy/Arista/2021/cve202128506.py new file mode 100644 index 00000000..f60d7bb9 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128506.py @@ -0,0 +1,70 @@ +from comfy import high + + +@high( + name='rule_cve202128506', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_gnmi='show management api gnmi', + show_restconf='show management api restconf', + show_gnoi='show management api gnoi' + ), +) +def rule_cve202128506(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28506 vulnerability in Arista EOS devices. + The vulnerability allows unauthenticated attackers to bypass authentication in gNOI APIs, + potentially allowing factory reset of the device. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.24.x versions before 4.24.8M + '4.24.0', '4.24.1F', '4.24.2F', '4.24.3M', '4.24.4M', '4.24.5M', '4.24.6M', '4.24.7M', + # 4.25.x versions before 4.25.6M + '4.25.0', '4.25.1M', '4.25.2M', '4.25.3M', '4.25.4M', '4.25.5M', + # 4.26.x versions before 4.26.3M + '4.26.0', '4.26.1F', '4.26.2F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if any of the vulnerable APIs are enabled + gnmi_config = commands.show_gnmi + restconf_config = commands.show_restconf + gnoi_config = commands.show_gnoi + + apis_enabled = any([ + 'enabled' in gnmi_config.lower(), + 'enabled' in restconf_config.lower(), + 'enabled' in gnoi_config.lower() + ]) + + # Device is vulnerable if running affected version and has APIs enabled + is_vulnerable = version_vulnerable and apis_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28506. " + "The device is running a vulnerable version AND has gNMI/gNOI/RESTCONF APIs enabled, " + "which could allow unauthenticated attackers to bypass authentication and factory reset the device. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.3M or later for 4.26.x train\n" + " * 4.25.6M or later for 4.25.x train\n" + " * 4.24.8M or later for 4.24.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Apply the appropriate hotfix with proxy service:\n" + " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" + " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + ) diff --git a/CVEasy/Arista/2021/cve202128507.py b/CVEasy/Arista/2021/cve202128507.py new file mode 100644 index 00000000..07a65c07 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128507.py @@ -0,0 +1,78 @@ +from comfy import high + + +@high( + name='rule_cve202128507', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_openconfig='show running-config | include openconfig', + show_restconf='show management api restconf', + show_acl='show running-config | section service-acl' + ), +) +def rule_cve202128507(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28507 vulnerability in Arista EOS devices. + The vulnerability allows service ACL bypass in OpenConfig gNOI and RESTCONF APIs, + which could result in denied requests being forwarded to the agent. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.21.x and earlier versions + '4.21.', '4.20.', '4.19.', '4.18.', + # 4.22.x versions + '4.22.0', '4.22.1', '4.22.2', '4.22.3', + # 4.23.x versions before 4.23.10M + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', + '4.23.5', '4.23.6', '4.23.7', '4.23.8', '4.23.9', + # 4.24.x versions before 4.24.8M + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', + '4.24.5', '4.24.6', '4.24.7', + # 4.25.x versions before 4.25.6M + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + # 4.26.x versions before 4.26.3M + '4.26.0', '4.26.1', '4.26.2' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if OpenConfig or RESTCONF is enabled + openconfig_config = commands.show_openconfig + restconf_config = commands.show_restconf + apis_enabled = bool(openconfig_config or 'enabled' in restconf_config.lower()) + + # Check if service ACLs are configured + acl_config = commands.show_acl + has_service_acl = 'service-acl' in acl_config + + # Device is vulnerable if APIs are enabled and using service ACLs + is_vulnerable = apis_enabled and has_service_acl + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28507. " + "The device is running a vulnerable version AND has OpenConfig/RESTCONF APIs enabled with service ACLs, " + "which could allow denied requests to bypass ACLs and reach the agent. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.3M or later for 4.26.x train\n" + " * 4.25.6M or later for 4.25.x train\n" + " * 4.24.8M or later for 4.24.x train\n" + " * 4.23.10M or later for 4.23.x train\n" + "2. Until upgrade is complete, implement these workarounds:\n" + " * Disable OpenConfig gNMI/gNOI and OpenConfig RESTCONF\n" + " * Or apply the appropriate hotfix with proxy service:\n" + " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" + " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + ) diff --git a/CVEasy/Arista/2021/cve202128508.py b/CVEasy/Arista/2021/cve202128508.py new file mode 100644 index 00000000..1badbc3e --- /dev/null +++ b/CVEasy/Arista/2021/cve202128508.py @@ -0,0 +1,72 @@ +from comfy import high + + +@high( + name='rule_cve202128508', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_terminattr='show running-config | include terminattr', + show_ipsec='show running-config | section crypto ipsec' + ), +) +def rule_cve202128508(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28508 vulnerability in Arista EOS devices. + The vulnerability allows TerminAttr to leak IPsec sensitive data in clear text to CVP, + which could allow authorized users to decrypt or modify IPsec traffic. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.23.x versions before 4.23.11 + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', '4.23.5', + '4.23.6', '4.23.7', '4.23.8', '4.23.9', '4.23.10', + # 4.24.x versions before 4.24.10 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5', + '4.24.6', '4.24.7', '4.24.8', '4.24.9', + # 4.25.x versions before 4.25.8 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + '4.25.6', '4.25.7', + # 4.26.x versions before 4.26.6 + '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4', '4.26.5', + # 4.27.x versions before 4.27.2 + '4.27.0', '4.27.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if TerminAttr is enabled + terminattr_config = commands.show_terminattr + terminattr_enabled = bool(terminattr_config) + + # Check if IPsec is configured + ipsec_config = commands.show_ipsec + ipsec_configured = bool(ipsec_config) + + # Device is vulnerable if both TerminAttr and IPsec are enabled + is_vulnerable = terminattr_enabled and ipsec_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28508. " + "The device is running a vulnerable version AND has both TerminAttr and IPsec enabled, " + "which could allow IPsec sensitive data to leak in clear text to CVP. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.27.2 or later for 4.27.x train\n" + " * 4.26.6 or later for 4.26.x train\n" + " * 4.25.8 or later for 4.25.x train\n" + " * 4.24.10 or later for 4.24.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Disable TerminAttr agent\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" + ) diff --git a/CVEasy/Arista/2021/cve202128509.py b/CVEasy/Arista/2021/cve202128509.py new file mode 100644 index 00000000..ec3f020f --- /dev/null +++ b/CVEasy/Arista/2021/cve202128509.py @@ -0,0 +1,72 @@ +from comfy import high + + +@high( + name='rule_cve202128509', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_terminattr='show running-config | include terminattr', + show_macsec='show running-config | section macsec' + ), +) +def rule_cve202128509(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28509 vulnerability in Arista EOS devices. + The vulnerability allows TerminAttr to leak MACsec sensitive data in clear text to CVP, + which could allow authorized users to decrypt or modify MACsec traffic. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.23.x versions before 4.23.12 + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', '4.23.5', + '4.23.6', '4.23.7', '4.23.8', '4.23.9', '4.23.10', '4.23.11', + # 4.24.x versions before 4.24.10 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5', + '4.24.6', '4.24.7', '4.24.8', '4.24.9', + # 4.25.x versions before 4.25.8 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + '4.25.6', '4.25.7', + # 4.26.x versions before 4.26.6 + '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4', '4.26.5', + # 4.27.x versions before 4.27.4 + '4.27.0', '4.27.1', '4.27.2', '4.27.3' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if TerminAttr is enabled + terminattr_config = commands.show_terminattr + terminattr_enabled = 'terminattr' in terminattr_config.lower() + + # Check if MACsec is configured + macsec_config = commands.show_macsec + macsec_configured = 'macsec' in macsec_config.lower() + + # Device is vulnerable if both TerminAttr and MACsec are enabled + is_vulnerable = terminattr_enabled and macsec_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28509. " + "The device is running a vulnerable version AND has both TerminAttr and MACsec enabled, " + "which could allow MACsec sensitive data to leak in clear text to CVP. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.27.4 or later for 4.27.x train\n" + " * 4.26.6 or later for 4.26.x train\n" + " * 4.25.8 or later for 4.25.x train\n" + " * 4.24.10 or later for 4.24.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Disable TerminAttr agent\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" + ) diff --git a/CVEasy/Arista/2021/cve202128510.py b/CVEasy/Arista/2021/cve202128510.py new file mode 100644 index 00000000..844c01c5 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128510.py @@ -0,0 +1,72 @@ +from comfy import high + + +@high( + name='rule_cve202128510', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_ptp='show running-config | section ptp' + ), +) +def rule_cve202128510(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28510 vulnerability in Arista EOS devices. + The vulnerability allows an unauthenticated attacker to cause a DoS condition by sending + malformed PTP packets with invalid TLV values, causing the PTP agent to restart repeatedly. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.23.x versions before 4.23.11 + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', '4.23.5', + '4.23.6', '4.23.7', '4.23.8', '4.23.9', '4.23.10', + # 4.24.x versions before 4.24.9 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5', + '4.24.6', '4.24.7', '4.24.8', + # 4.25.x versions before 4.25.7 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + '4.25.6', + # 4.26.x versions before 4.26.5 + '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4', + # 4.27.x versions before 4.27.2 + '4.27.0', '4.27.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if PTP is configured + ptp_config = commands.show_ptp + ptp_enabled = 'ptp' in ptp_config.lower() + + # Device is vulnerable if running affected version and PTP is enabled + is_vulnerable = version_vulnerable and ptp_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28510. " + "The device is running a vulnerable version AND has PTP enabled, " + "which could allow an attacker to cause a denial of service by sending malformed PTP packets. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.27.2 or later for 4.27.x train\n" + " * 4.26.5 or later for 4.26.x train\n" + " * 4.25.7 or later for 4.25.x train\n" + " * 4.24.9 or later for 4.24.x train\n" + " * 4.23.11 or later for 4.23.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Install ACL rules to drop PTP packets from untrusted sources\n" + " * Block access to untrusted (non-management) networks\n" + "3. A hotfix is available:\n" + " * SecurityAdvisory76_CVE-2021-28510_Hotfix.swix\n" + " * Note: Installing/uninstalling will cause PTP agent to restart\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15439-security-advisory-0076" + ) diff --git a/CVEasy/Arista/2021/cve202128511.py b/CVEasy/Arista/2021/cve202128511.py new file mode 100644 index 00000000..9c1252f8 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128511.py @@ -0,0 +1,71 @@ +from comfy import high + + +@high( + name='rule_cve202128511', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_nat='show running-config | section ip nat', + show_acl='show running-config | section ip access-list' + ), +) +def rule_cve202128511(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28511 vulnerability in Arista EOS devices. + The vulnerability allows security ACL bypass if a NAT ACL rule filter with permit action + matches a packet flow that should be denied by a security ACL. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.24.x versions before 4.24.10 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5', + '4.24.6', '4.24.7', '4.24.8', '4.24.9', + # 4.25.x versions before 4.25.9 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + '4.25.6', '4.25.7', '4.25.8', + # 4.26.x versions before 4.26.6 + '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4', '4.26.5', + # 4.27.x versions before 4.27.4 + '4.27.0', '4.27.1', '4.27.2', '4.27.3' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if NAT is configured + nat_config = commands.show_nat + nat_enabled = 'ip nat' in nat_config.lower() + + # Check if security ACLs are configured + acl_config = commands.show_acl + security_acl_enabled = 'ip access-list' in acl_config.lower() + + # Device is vulnerable if both NAT and security ACLs are enabled + is_vulnerable = nat_enabled and security_acl_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28511. " + "The device is running a vulnerable version AND has both NAT and security ACLs configured, " + "which could allow security ACL bypass through NAT permit rules. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.28.0 or later for 4.28.x train\n" + " * 4.27.4 or later for 4.27.x train\n" + " * 4.26.6 or later for 4.26.x train\n" + " * 4.25.9 or later for 4.25.x train\n" + " * 4.24.10 or later for 4.24.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Configure a NAT 'drop' ACL rule for each security ACL 'drop' rule\n" + " * Apply these rules to interfaces with NAT configured\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15862-security-advisory-0078" + ) diff --git a/CVEasy/Cisco/2022/__init__.py b/CVEasy/Cisco/2022/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_ios/__init__.py b/CVEasy/Cisco/2022/cisco_ios/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220677.py b/CVEasy/Cisco/2022/cisco_ios/cve202220677.py new file mode 100644 index 00000000..1031e83b --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220677.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220677', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220677(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20677 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + An attacker could exploit this vulnerability to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20677. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220697.py b/CVEasy/Cisco/2022/cisco_ios/cve202220697.py new file mode 100644 index 00000000..1804c43a --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220697.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202220697', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_http='show running-config | include ip http' + ), +) +def rule_cve202220697(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20697 vulnerability in Cisco IOS Software. + The vulnerability is due to improper resource management in the HTTP server code. + An attacker could exploit this vulnerability by sending a large number of HTTP requests + to an affected device, causing it to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check HTTP configuration + http_output = commands.check_http + + # Check if HTTP server is enabled + http_enabled = any(service in http_output for service in ['ip http server', 'ip http secure-server']) + + # Assert that the device is not vulnerable + assert not http_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20697. " + "The device has HTTP/HTTPS server enabled, " + "which could allow an attacker to cause a denial of service through crafted HTTP requests. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-dos-svOdkdBS" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220718.py b/CVEasy/Cisco/2022/cisco_ios/cve202220718.py new file mode 100644 index 00000000..3abeec7e --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220718.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220718', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220718(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20718 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20718. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220719.py b/CVEasy/Cisco/2022/cisco_ios/cve202220719.py new file mode 100644 index 00000000..e3665251 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220719.py @@ -0,0 +1,35 @@ +from comfy import high + + +@high( + name='rule_cve202220719', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220719(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20719 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application + hosting environment. Multiple vulnerabilities could allow an attacker to inject + arbitrary commands into the underlying host operating system, execute arbitrary + code, install applications without authentication, or conduct cross-site + scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20719. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220720.py b/CVEasy/Cisco/2022/cisco_ios/cve202220720.py new file mode 100644 index 00000000..ecea6ab3 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220720.py @@ -0,0 +1,35 @@ +from comfy import high + + +@high( + name='rule_cve202220720', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220720(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20720 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application + hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands + into the underlying host operating system, execute arbitrary code, install + applications without authentication, or conduct cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20720. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220721.py b/CVEasy/Cisco/2022/cisco_ios/cve202220721.py new file mode 100644 index 00000000..fa410727 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220721.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220721', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220721(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20721 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20721. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220722.py b/CVEasy/Cisco/2022/cisco_ios/cve202220722.py new file mode 100644 index 00000000..e5d99e25 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220722.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220722', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220722(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20722 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20722. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220723.py b/CVEasy/Cisco/2022/cisco_ios/cve202220723.py new file mode 100644 index 00000000..fe189087 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220723.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220723', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220723(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20723 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20723. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220724.py b/CVEasy/Cisco/2022/cisco_ios/cve202220724.py new file mode 100644 index 00000000..293118d4 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220724.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220724', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220724(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20724 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20724. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220725.py b/CVEasy/Cisco/2022/cisco_ios/cve202220725.py new file mode 100644 index 00000000..c7994a30 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220725.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220725', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220725(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20725 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20725. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220726.py b/CVEasy/Cisco/2022/cisco_ios/cve202220726.py new file mode 100644 index 00000000..c5b607ff --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220726.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220726', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220726(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20726 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20726. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220727.py b/CVEasy/Cisco/2022/cisco_ios/cve202220727.py new file mode 100644 index 00000000..e87b64e3 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220727.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220727', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220727(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20727 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20727. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220761.py b/CVEasy/Cisco/2022/cisco_ios/cve202220761.py new file mode 100644 index 00000000..2811f670 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220761.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202220761', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ap='show running-config | include autonomous-ap' + ), +) +def rule_cve202220761(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20761 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient input validation in the integrated wireless access point (AP) + packet processing of the Cisco 1000 Series Connected Grid Router (CGR1K). An attacker could exploit + this vulnerability by sending crafted traffic to an affected device, causing the integrated AP to stop + processing traffic and resulting in a denial of service condition. + """ + # Extract the output of the command to check AP configuration + ap_output = commands.check_ap + + # Check if integrated AP is configured + ap_configured = 'autonomous-ap' in ap_output + + # Assert that the device is not vulnerable + assert not ap_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20761. " + "The device has integrated wireless access point configured, " + "which could allow an adjacent attacker to cause a denial of service through crafted traffic. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cgr1k-ap-dos-mSZR4QVh" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220919.py b/CVEasy/Cisco/2022/cisco_ios/cve202220919.py new file mode 100644 index 00000000..8e2b3148 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220919.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220919', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_cip='show running-config | include cip enable' + ), +) +def rule_cve202220919(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20919 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient input validation during processing of + Common Industrial Protocol (CIP) packets. + An unauthenticated, remote attacker could exploit this vulnerability by sending + malformed CIP packets to an affected device, + causing it to unexpectedly reload and resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check CIP configuration + cip_output = commands.check_cip + + # Check if CIP is enabled + cip_enabled = 'cip enable' in cip_output + + # Assert that the device is not vulnerable + assert not cip_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20919. " + "The device has Common Industrial Protocol (CIP) enabled, " + "which could allow an unauthenticated attacker to cause a denial of service through malformed CIP packets. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-cip-dos-9rTbKLt9" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220920.py b/CVEasy/Cisco/2022/cisco_ios/cve202220920.py new file mode 100644 index 00000000..51f76da3 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220920.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220920', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ssh='show running-config | include ip ssh' + ), +) +def rule_cve202220920(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20920 vulnerability in Cisco IOS Software. + The vulnerability is due to improper handling of resources during an exceptional + situation in the SSH implementation. + An authenticated, remote attacker could exploit this vulnerability by continuously connecting to an affected device + and sending specific SSH requests, causing the device to reload and resulting in a + denial of service (DoS) condition. + """ + # Extract the output of the command to check SSH configuration + ssh_output = commands.check_ssh + + # Check if SSH is enabled + ssh_enabled = 'ip ssh' in ssh_output + + # Assert that the device is not vulnerable + assert not ssh_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20920. " + "The device has SSH enabled, " + "which could allow an authenticated attacker to cause a denial of service through crafted SSH requests. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssh-excpt-dos-FzOBQTnk" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/__init__.py b/CVEasy/Cisco/2022/cisco_nxos/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220623.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220623.py new file mode 100644 index 00000000..68d2b466 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220623.py @@ -0,0 +1,44 @@ +from comfy import high + + +@high( + name='rule_cve202220623', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_bfd='show running-config | include feature bfd' + ), +) +def rule_cve202220623(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20623 vulnerability in Cisco NX-OS Software. + The vulnerability is due to a logic error in the BFD rate limiter functionality of Nexus 9000 Series Switches. + An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted stream of traffic + through the device, causing BFD traffic to be dropped and resulting in BFD session flaps, route instability, + and a denial of service condition. + """ + # Extract the platform information + platform_output = commands.show_version + + # Check if the device is a Nexus 9000 Series + is_n9k = 'Nexus 9000' in platform_output + + # If not a Nexus 9000 device, it's not vulnerable + if not is_n9k: + return + + # Extract the output of the command to check BFD configuration + bfd_output = commands.check_bfd + + # Check if BFD is enabled + bfd_enabled = 'feature bfd' in bfd_output + + # Assert that the device is not vulnerable + assert not bfd_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20623. " + "The device is a Nexus 9000 Series switch with BFD enabled, " + "which could allow an unauthenticated attacker to cause BFD session flaps and a denial of service " + "through crafted traffic. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-bfd-dos-wGQXrzxn" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220624.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220624.py new file mode 100644 index 00000000..32f2796b --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220624.py @@ -0,0 +1,38 @@ +from comfy import high + + +@high( + name='rule_cve202220624', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_cfs='show running-config | include cfs ipv4 distribute' + ), +) +def rule_cve202220624(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20624 vulnerability in Cisco NX-OS Software. + The vulnerability is due to insufficient validation of incoming CFSoIP packets. + An unauthenticated, remote attacker could exploit this vulnerability by sending crafted + CFSoIP packets to an affected device, causing it to reload and resulting in a denial of + service condition. + """ + # Extract the output of the command to check CFS configuration + cfs_output = commands.check_cfs + + # Check if CFSoIP is enabled + cfs_enabled = 'cfs ipv4 distribute' in cfs_output + + # If CFSoIP is not enabled, device is not vulnerable + if not cfs_enabled: + return + + # Assert that the device is not vulnerable + assert not cfs_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20624. " + "The device has Cisco Fabric Services over IP (CFSoIP) enabled, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted " + "CFSoIP packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cfsoip-dos-tpykyDr" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220625.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220625.py new file mode 100644 index 00000000..24ec9eb1 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220625.py @@ -0,0 +1,38 @@ +from comfy import high + + +@high( + name='rule_cve202220625', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_cdp='show running-config | include no cdp enable|cdp enable' + ), +) +def rule_cve202220625(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20625 vulnerability in Cisco NX-OS Software. + The vulnerability is due to improper handling of Cisco Discovery Protocol messages. + An unauthenticated, adjacent attacker could exploit this vulnerability by sending + malicious CDP packets to an affected device, causing the CDP service to fail and + restart, and in rare conditions, causing the entire device to restart. + """ + # Extract the output of the command to check CDP configuration + cdp_output = commands.check_cdp + + # Check if CDP is enabled + cdp_enabled = 'cdp enable' in cdp_output + + # If CDP is not enabled, device is not vulnerable + if not cdp_enabled: + return + + # Assert that the device is not vulnerable + assert not cdp_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20625. " + "The device has Cisco Discovery Protocol enabled, " + "which could allow an adjacent attacker to cause a denial of service through " + "malicious CDP packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cdp-dos-G8DPLWYG" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220650.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220650.py new file mode 100644 index 00000000..94e66d00 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220650.py @@ -0,0 +1,37 @@ +from comfy import high + + +@high( + name='rule_cve202220650', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_nxapi='show running-config | include feature nxapi' + ), +) +def rule_cve202220650(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20650 vulnerability in Cisco NX-OS Software. + The vulnerability is due to insufficient input validation of user supplied data that is sent to the NX-API. + An authenticated, remote attacker could exploit this vulnerability by sending a crafted HTTP POST request + to the NX-API of an affected device, allowing them to execute arbitrary commands with root privileges. + Note: The NX-API feature is disabled by default. + """ + # Extract the output of the command to check NX-API configuration + nxapi_output = commands.check_nxapi + + # Check if NX-API is enabled + nxapi_enabled = 'feature nxapi' in nxapi_output + + # If NX-API is not enabled, device is not vulnerable + if not nxapi_enabled: + return + + # Assert that the device is not vulnerable + assert not nxapi_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20650. " + "The device has NX-API enabled, which could allow an authenticated attacker " + "to execute arbitrary commands with root privileges through crafted HTTP POST requests. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-nxapi-cmdinject-ULukNMZ2" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220823.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220823.py new file mode 100644 index 00000000..b8a815ac --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220823.py @@ -0,0 +1,41 @@ +from comfy import high + + +@high( + name='rule_cve202220823', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_ospfv3='show running-config | include router ospfv3|ipv6 router ospf' + ), +) +def rule_cve202220823(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20823 vulnerability in Cisco NX-OS Software. + The vulnerability is due to incomplete input validation of specific OSPFv3 packets. + An unauthenticated, remote attacker could exploit this vulnerability by sending a malicious + OSPFv3 link-state advertisement (LSA) to an affected device, causing the OSPFv3 process to + crash and restart multiple times, leading to a denial of service condition. + Note: The OSPFv3 feature is disabled by default. + """ + # Extract the output of the command to check OSPFv3 configuration + ospfv3_output = commands.check_ospfv3 + + # Check if OSPFv3 is enabled (either via 'router ospfv3' or 'ipv6 router ospf') + ospfv3_enabled = any(feature in ospfv3_output for feature in [ + 'router ospfv3', + 'ipv6 router ospf' + ]) + + # If OSPFv3 is not enabled, device is not vulnerable + if not ospfv3_enabled: + return + + # Assert that the device is not vulnerable + assert not ospfv3_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20823. " + "The device has OSPFv3 enabled, which could allow an unauthenticated attacker " + "to cause a denial of service through malicious OSPFv3 LSA packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ospfv3-dos-48qutcu" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py new file mode 100644 index 00000000..0f036b7e --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py @@ -0,0 +1,38 @@ +from comfy import high + + +@high( + name='rule_cve202220824', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_cdp='show running-config | include no cdp enable|cdp enable' + ), +) +def rule_cve202220824(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20824 vulnerability in Cisco NX-OS Software. + The vulnerability is due to improper input validation of specific values within Cisco Discovery Protocol messages. + An unauthenticated, adjacent attacker could exploit this vulnerability by sending malicious CDP packets to an + affected device, allowing them to execute arbitrary code with root privileges or cause a denial of " + "service condition. + Note: CDP is enabled by default, and the attacker must be in the same broadcast domain (Layer 2 adjacent). + """ + # Extract the output of the command to check CDP configuration + cdp_output = commands.check_cdp + + # Check if CDP is enabled + cdp_enabled = 'cdp enable' in cdp_output + + # If CDP is not enabled, device is not vulnerable + if not cdp_enabled: + return + + # Assert that the device is not vulnerable + assert not cdp_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20824. " + "The device has Cisco Discovery Protocol enabled, " + "which could allow an adjacent attacker to execute arbitrary code with root privileges or cause a " + "denial of service. For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-cdp-dos-ce-wWvPucC9" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/__init__.py b/CVEasy/Cisco/2022/cisco_xe/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220676.py b/CVEasy/Cisco/2022/cisco_xe/cve202220676.py new file mode 100644 index 00000000..e4c9db0d --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220676.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202220676', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_tcl='show running-config | include tclsh' + ), +) +def rule_cve202220676(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20676 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation of data that is passed into the Tcl interpreter. + An authenticated, local attacker with privilege level 15 could exploit this vulnerability by loading + malicious Tcl code on an affected device, allowing them to escalate to root-level privileges. + """ + # Extract the output of the command to check Tcl configuration + tcl_output = commands.check_tcl + + # Check if Tcl shell access is enabled + tcl_enabled = 'tclsh' in tcl_output + + # Assert that the device is not vulnerable + assert not tcl_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20676. " + "The device has Tcl shell access enabled, " + "which could allow an authenticated attacker with privilege level 15 to escalate to root privileges. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-grbtubU" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220678.py b/CVEasy/Cisco/2022/cisco_xe/cve202220678.py new file mode 100644 index 00000000..dd812915 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220678.py @@ -0,0 +1,35 @@ +from comfy import high + + +@high( + name='rule_cve202220678', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_appnav='show running-config | include appnav-controller|service-insertion' + ), +) +def rule_cve202220678(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20678 vulnerability in Cisco IOS XE Software. + The vulnerability is due to incorrect handling of certain TCP segments in the AppNav-XE feature. + An unauthenticated, remote attacker could exploit this vulnerability by sending a stream of crafted + TCP traffic at a high rate through an interface with AppNav interception enabled, causing the device + to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check AppNav configuration + appnav_output = commands.check_appnav + + # Check if AppNav-XE is configured + appnav_configured = any(feature in appnav_output for feature in [ + 'appnav-controller', 'service-insertion' + ]) + + # Assert that the device is not vulnerable + assert not appnav_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20678. " + "The device has AppNav-XE configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted TCP traffic. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-appnav-xe-dos-j5MXTR4" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220679.py b/CVEasy/Cisco/2022/cisco_xe/cve202220679.py new file mode 100644 index 00000000..d876fa19 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220679.py @@ -0,0 +1,47 @@ +import re # Add regex module +from comfy import high + + +@high( + name='rule_cve202220679', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_ipsec='show running-config | include crypto ipsec', + check_mtu='show interfaces | include MTU' + ), +) +def rule_cve202220679(configuration, commands, device, devices): + # Convert command outputs to strings to handle None values + ipsec_output = str(commands.check_ipsec or "") + mtu_output = str(commands.check_mtu or "") + + # Check if IPsec is configured + ipsec_configured = 'crypto ipsec' in ipsec_output + + # Check if any interface has MTU >= 1800 using regex + high_mtu = False + for line in mtu_output.splitlines(): + if 'MTU' in line: + # Use regex to find the first sequence of digits after "MTU" + match = re.search(r'MTU.*?(\d+)', line) + if match: + try: + mtu = int(match.group(1)) + if mtu >= 1800: + high_mtu = True + break + except ValueError: + continue + + # Device is vulnerable if both conditions are met + is_vulnerable = ipsec_configured and high_mtu + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20679. " + "The device has IPsec configured and interfaces with MTU >= 1800 bytes, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qfp-ipsec-GQmqvtqV" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220681.py b/CVEasy/Cisco/2022/cisco_xe/cve202220681.py new file mode 100644 index 00000000..a75b1d96 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220681.py @@ -0,0 +1,42 @@ +from comfy import high + + +@high( + name='rule_cve202220681', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis' + ), +) +def rule_cve202220681(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20681 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient validation of user privileges after executing certain CLI commands + on Cisco Catalyst 9000 Family Switches and Wireless Controllers. An authenticated, local attacker with low + privileges could exploit this vulnerability by executing certain CLI commands to elevate their privileges + to level 15. + """ + # Extract the version information from the command output + version_output = commands.show_version + + _ = version_output # intentionally unused + + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Assert that the device is not vulnerable + assert not is_cat9k, ( + f"Device {device.name} is vulnerable to CVE-2022-20681. " + "The device is a Catalyst 9000 Series switch/wireless controller, " + "which could allow an authenticated attacker to elevate privileges to level 15 through certain CLI commands. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-priv-esc-ybvHKO5" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220682.py b/CVEasy/Cisco/2022/cisco_xe/cve202220682.py new file mode 100644 index 00000000..aa049d38 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220682.py @@ -0,0 +1,47 @@ +from comfy import high + + +@high( + name='rule_cve202220682', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include wireless|capwap' + ), +) +def rule_cve202220682(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20682 vulnerability in Cisco IOS XE Software. + The vulnerability is due to inadequate input validation of incoming CAPWAP packets encapsulating + multicast DNS (mDNS) queries in the Catalyst 9000 Family Wireless Controllers. An attacker could + exploit this vulnerability by connecting to a wireless network and sending a crafted mDNS query, + which would flow through and be processed by the wireless controller. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check wireless/CAPWAP configuration + wireless_output = commands.check_wireless + + # Check if wireless controller and CAPWAP are configured + wireless_configured = any(feature in wireless_output for feature in ['wireless', 'capwap']) + + # Device is vulnerable if it's a Cat9K and has wireless/CAPWAP configured + is_vulnerable = is_cat9k and wireless_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20682. " + "The device is a Catalyst 9000 Series wireless controller with CAPWAP configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted mDNS queries. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-capwap-mdns-6PSn7gKU" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220683.py b/CVEasy/Cisco/2022/cisco_xe/cve202220683.py new file mode 100644 index 00000000..f75dfa00 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220683.py @@ -0,0 +1,47 @@ +from comfy import high + + +@high( + name='rule_cve202220683', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_fnf='show running-config | include flow|performance monitor' + ), +) +def rule_cve202220683(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20683 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient packet verification for traffic inspected by the AVC feature + in Cisco Catalyst 9800 Series Wireless Controllers. An unauthenticated, remote attacker could exploit + this vulnerability by sending crafted packets from the wired network to a wireless client, causing + the wireless controller to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9800 Series + is_cat9800 = 'C9800' in platform_output + + # If not a Catalyst 9800 device, it's not vulnerable + if not is_cat9800: + return + + # Extract the output of the command to check AVC/FNF configuration + fnf_output = commands.check_fnf + + # Check if AVC/FNF is configured + fnf_configured = any(feature in fnf_output for feature in ['flow', 'performance monitor']) + + # Device is vulnerable if it's a Cat9800 and has AVC/FNF configured + is_vulnerable = is_cat9800 and fnf_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20683. " + "The device is a Catalyst 9800 Series wireless controller with AVC/FNF configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-fnf-dos-bOL5vLge" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220684.py b/CVEasy/Cisco/2022/cisco_xe/cve202220684.py new file mode 100644 index 00000000..7652082a --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220684.py @@ -0,0 +1,48 @@ +from comfy import high + + +@high( + name='rule_cve202220684', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include wireless|snmp-server' + ), +) +def rule_cve202220684(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20684 vulnerability in Cisco IOS XE Software. + The vulnerability is due to a lack of input validation of the information used to generate an SNMP trap + related to a wireless client connection event in Catalyst 9000 Family Wireless Controllers. An attacker + could exploit this vulnerability by sending an 802.1x packet with crafted parameters during the wireless + authentication setup phase of a connection. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check wireless and SNMP configuration + wireless_output = commands.check_wireless + + # Check if wireless controller and SNMP traps are configured + wireless_configured = 'wireless' in wireless_output + snmp_configured = 'snmp-server' in wireless_output + + # Device is vulnerable if it's a Cat9K and has both wireless and SNMP configured + is_vulnerable = is_cat9k and wireless_configured and snmp_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20684. " + "The device is a Catalyst 9000 Series wireless controller with SNMP traps configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted 802.1x packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-snmp-trap-dos-mjent3Ey" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220692.py b/CVEasy/Cisco/2022/cisco_xe/cve202220692.py new file mode 100644 index 00000000..fde47890 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220692.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202220692', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_netconf='show running-config | include netconf-yang|ssh' + ), +) +def rule_cve202220692(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20692 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient resource management in the NETCONF over SSH feature. + A low-privileged, authenticated, remote attacker could exploit this vulnerability by initiating + a large number of NETCONF over SSH connections, causing the device to reload and resulting in + a denial of service (DoS) condition. + """ + # Extract the output of the command to check NETCONF configuration + netconf_output = commands.check_netconf + + # Check if NETCONF over SSH is enabled + netconf_enabled = 'netconf-yang' in netconf_output and 'ssh' in netconf_output + + # Assert that the device is not vulnerable + assert not netconf_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20692. " + "The device has NETCONF over SSH enabled, " + "which could allow an authenticated attacker to cause a denial of service through multiple connections. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncossh-dos-ZAkfOdq8" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220693.py b/CVEasy/Cisco/2022/cisco_xe/cve202220693.py new file mode 100644 index 00000000..5ff4d0d2 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220693.py @@ -0,0 +1,38 @@ +from comfy import high + + +@high( + name='rule_cve202220693', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|restconf' + ), +) +def rule_cve202220693(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20693 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation in the web UI feature. + An authenticated, remote attacker could exploit this vulnerability by sending crafted input + to the web UI API, allowing them to inject commands to the underlying operating system with + root privileges. + """ + # Extract the output of the command to check web UI configuration + webui_output = commands.check_webui + + # Check if web UI or RESTCONF is enabled + webui_enabled = any(feature in webui_output for feature in [ + 'ip http server', + 'ip http secure-server', + 'restconf' + ]) + + # Assert that the device is not vulnerable + assert not webui_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20693. " + "The device has web UI or RESTCONF enabled, " + "which could allow an authenticated attacker to inject commands with root privileges through " + "crafted API input. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webuiapi-inj-Nyrq92Od" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220694.py b/CVEasy/Cisco/2022/cisco_xe/cve202220694.py new file mode 100644 index 00000000..0b3d0cf0 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220694.py @@ -0,0 +1,37 @@ +from comfy import high + + +@high( + name='rule_cve202220694', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_rpki='show running-config | include router bgp|rpki' + ), +) +def rule_cve202220694(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20694 vulnerability in Cisco IOS XE Software. + The vulnerability is due to incorrect handling of RPKI to Router (RTR) Protocol packet headers + in the Resource Public Key Infrastructure (RPKI) feature. An unauthenticated, remote attacker + could exploit this vulnerability by sending crafted RTR packets to cause the BGP process to crash, + resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check BGP and RPKI configuration + rpki_output = commands.check_rpki + + # Check if BGP is configured with RPKI + bgp_configured = 'router bgp' in rpki_output + rpki_configured = 'rpki' in rpki_output + + # Device is vulnerable if both BGP and RPKI are configured + is_vulnerable = bgp_configured and rpki_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20694. " + "The device has BGP configured with RPKI, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted RTR packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-rpki-dos-2EgCNeKE" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220810.py b/CVEasy/Cisco/2022/cisco_xe/cve202220810.py new file mode 100644 index 00000000..800e1562 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220810.py @@ -0,0 +1,48 @@ +from comfy import high + + +@high( + name='rule_cve202220810', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_snmp='show running-config | include snmp-server|wireless' + ), +) +def rule_cve202220810(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20810 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient restrictions in the SNMP feature of Catalyst 9000 Family + Wireless Controllers that could allow sensitive configuration details to be disclosed. An authenticated, + remote attacker could exploit this vulnerability by retrieving data through SNMP read-only community access, + allowing them to view SSID preshared keys (PSKs) configured on the device. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check SNMP and wireless configuration + snmp_output = commands.check_snmp + + # Check if SNMP and wireless are configured + snmp_configured = 'snmp-server' in snmp_output + wireless_configured = 'wireless' in snmp_output + + # Device is vulnerable if it's a Cat9K and has both SNMP and wireless configured + is_vulnerable = is_cat9k and snmp_configured and wireless_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20810. " + "The device is a Catalyst 9000 Series wireless controller with SNMP configured, " + "which could allow an authenticated attacker to view SSID preshared keys through SNMP read-only access. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cwlc-snmpidv-rnyyQzUZ" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220837.py b/CVEasy/Cisco/2022/cisco_xe/cve202220837.py new file mode 100644 index 00000000..4ad69d65 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220837.py @@ -0,0 +1,38 @@ +from comfy import high + + +@high( + name='rule_cve202220837', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_nat='show running-config | include ip nat|alg' + ), +) +def rule_cve202220837(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20837 vulnerability in Cisco IOS XE Software. + The vulnerability is due to a logic error in the DNS application layer gateway (ALG) functionality + used by Network Address Translation (NAT). An unauthenticated, remote attacker could exploit this + vulnerability by sending crafted IPv4 TCP DNS packets through an affected device that is performing + NAT for DNS packets, causing the device to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check NAT and ALG configuration + nat_output = commands.check_nat + + # Check if NAT is configured with DNS ALG + nat_configured = 'ip nat' in nat_output + alg_enabled = not ('no ip nat service alg dns tcp' in nat_output) # ALG is enabled by default + + # Device is vulnerable if NAT is configured and DNS ALG is not explicitly disabled + is_vulnerable = nat_configured and alg_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20837. " + "The device has NAT configured with DNS ALG enabled, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted " + "IPv4 TCP DNS packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-alg-dos-KU9Z8kFX" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220847.py b/CVEasy/Cisco/2022/cisco_xe/cve202220847.py new file mode 100644 index 00000000..c6208b1e --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220847.py @@ -0,0 +1,48 @@ +from comfy import high + + +@high( + name='rule_cve202220847', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_dhcp='show running-config | include ip dhcp|wireless' + ), +) +def rule_cve202220847(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20847 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper processing of DHCP messages in Catalyst 9000 Family + Wireless Controllers. An unauthenticated, remote attacker could exploit this vulnerability + by sending malicious DHCP messages to an affected device, causing it to reload and resulting + in a denial of service (DoS) condition. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check DHCP and wireless configuration + dhcp_output = commands.check_dhcp + + # Check if DHCP and wireless are configured + dhcp_configured = 'ip dhcp' in dhcp_output + wireless_configured = 'wireless' in dhcp_output + + # Device is vulnerable if it's a Cat9K and has both DHCP and wireless configured + is_vulnerable = is_cat9k and dhcp_configured and wireless_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20847. " + "The device is a Catalyst 9000 Series wireless controller with DHCP configured, " + "which could allow an unauthenticated attacker to cause a denial of service through malicious DHCP messages. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-dhcp-dos-76pCjPxK" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220848.py b/CVEasy/Cisco/2022/cisco_xe/cve202220848.py new file mode 100644 index 00000000..cc4ef75a --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220848.py @@ -0,0 +1,51 @@ +from comfy import high + + +@high( + name='rule_cve202220848', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include ap|wireless' + ), +) +def rule_cve202220848(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20848 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper processing of UDP datagrams in Embedded Wireless Controllers + on Catalyst 9100 Series Access Points. An unauthenticated, remote attacker could exploit this + vulnerability by sending malicious UDP datagrams to an affected device, causing it to reload + and resulting in a denial of service (DoS) condition. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9100 Series AP + is_cat9100 = 'C91' in platform_output + + # If not a Catalyst 9100 device, it's not vulnerable + if not is_cat9100: + return + + # Extract the output of the command to check wireless configuration + wireless_output = commands.check_wireless + + # Check if device is configured as an embedded wireless controller + wireless_controller_enabled = any(feature in wireless_output for feature in [ + 'ap sso', + 'wireless management interface', + 'wireless controller' + ]) + + # Device is vulnerable if it's a Cat9100 and configured as wireless controller + is_vulnerable = is_cat9100 and wireless_controller_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20848. " + "The device is a Catalyst 9100 Series AP configured as an embedded wireless controller, " + "which could allow an unauthenticated attacker to cause a denial of service through malicious UDP datagrams. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-udp-dos-XDyEwhNz" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220851.py b/CVEasy/Cisco/2022/cisco_xe/cve202220851.py new file mode 100644 index 00000000..23b129aa --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220851.py @@ -0,0 +1,38 @@ +from comfy import high + + +@high( + name='rule_cve202220851', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|restconf' + ), +) +def rule_cve202220851(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20851 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation in the web UI feature. + An authenticated, remote attacker with Administrator privileges could exploit this + vulnerability by sending crafted input to the web UI API, allowing them to execute + arbitrary commands on the underlying operating system with root privileges. + """ + # Extract the output of the command to check web UI configuration + webui_output = commands.check_webui + + # Check if web UI or RESTCONF is enabled + webui_enabled = any(feature in webui_output for feature in [ + 'ip http server', + 'ip http secure-server', + 'restconf' + ]) + + # Assert that the device is not vulnerable + assert not webui_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20851. " + "The device has web UI or RESTCONF enabled, " + "which could allow an authenticated attacker with Administrator privileges to execute arbitrary " + "commands with root privileges. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-cmdinj-Gje47EMn" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220855.py b/CVEasy/Cisco/2022/cisco_xe/cve202220855.py new file mode 100644 index 00000000..2100bb57 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220855.py @@ -0,0 +1,51 @@ +from comfy import high + + +@high( + name='rule_cve202220855', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include ap|wireless' + ), +) +def rule_cve202220855(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20855 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper checks throughout the restart of certain system processes + in Embedded Wireless Controllers on Catalyst Access Points. An authenticated, local attacker with + privilege level 15 could exploit this vulnerability by executing certain CLI commands to escape + the restricted controller shell and execute arbitrary commands on the underlying OS as root. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9100 Series AP + is_cat9100 = 'C91' in platform_output + + # If not a Catalyst 9100 device, it's not vulnerable + if not is_cat9100: + return + + # Extract the output of the command to check wireless configuration + wireless_output = commands.check_wireless + + # Check if device is configured as an embedded wireless controller + wireless_controller_enabled = any(feature in wireless_output for feature in [ + 'ap sso', + 'wireless management interface', + 'wireless controller' + ]) + + # Device is vulnerable if it's a Cat9100 and configured as wireless controller + is_vulnerable = is_cat9100 and wireless_controller_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20855. " + "The device is a Catalyst 9100 Series AP configured as an embedded wireless controller, " + "which could allow a privileged attacker to execute arbitrary commands as root. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewc-priv-esc-nderYLtK" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220856.py b/CVEasy/Cisco/2022/cisco_xe/cve202220856.py new file mode 100644 index 00000000..01b3ebcd --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220856.py @@ -0,0 +1,49 @@ +from comfy import high + + +@high( + name='rule_cve202220856', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include wireless|mobility' + ), +) +def rule_cve202220856(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20856 vulnerability in Cisco IOS XE Software. + The vulnerability is due to a logic error and improper management of resources related to + the handling of CAPWAP Mobility messages in Catalyst 9000 Family Wireless Controllers. + An unauthenticated, remote attacker could exploit this vulnerability by sending crafted + CAPWAP Mobility packets to exhaust resources on the affected device, causing it to reload. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check wireless and mobility configuration + wireless_output = commands.check_wireless + + # Check if wireless controller and mobility are configured + wireless_configured = 'wireless' in wireless_output + mobility_configured = 'mobility' in wireless_output + + # Device is vulnerable if it's a Cat9K and has both wireless and mobility configured + is_vulnerable = is_cat9k and wireless_configured and mobility_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20856. " + "The device is a Catalyst 9000 Series wireless controller with mobility configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted " + "CAPWAP Mobility packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-mob-dos-342YAc6J" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220864.py b/CVEasy/Cisco/2022/cisco_xe/cve202220864.py new file mode 100644 index 00000000..c0d1e7a5 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220864.py @@ -0,0 +1,45 @@ +from comfy import high + + +@high( + name='rule_cve202220864', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_password_recovery='show running-config | include no service password-recovery' + ), +) +def rule_cve202220864(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20864 vulnerability in Cisco IOS XE Software. + The vulnerability is due to a problem with the file and boot variable permissions in ROMMON + when password recovery is disabled. An unauthenticated, local attacker could exploit this + vulnerability by rebooting the switch into ROMMON and entering specific commands through + the console to read any file or reset the enable password. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst switch + is_catalyst = 'C9' in platform_output + + # If not a Catalyst switch, it's not vulnerable + if not is_catalyst: + return + + # Extract the output of the command to check password recovery configuration + password_recovery_output = commands.check_password_recovery + + # Check if password recovery is disabled + password_recovery_disabled = 'no service password-recovery' in password_recovery_output + + # Assert that the device is not vulnerable + assert not password_recovery_disabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20864. " + "The device is a Catalyst switch with password recovery disabled, " + "which could allow an unauthenticated attacker with physical access to recover configuration " + "or reset passwords. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-info-disc-nrORXjO" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220870.py b/CVEasy/Cisco/2022/cisco_xe/cve202220870.py new file mode 100644 index 00000000..39da8e08 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220870.py @@ -0,0 +1,47 @@ +from comfy import high + + +@high( + name='rule_cve202220870', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_mpls='show running-config | include mpls' + ), +) +def rule_cve202220870(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20870 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation of IPv4 traffic in the egress MPLS + packet processing function of Catalyst 3650, 3850, and 9000 Family Switches. An unauthenticated, + remote attacker could exploit this vulnerability by sending a malformed packet out of an affected + MPLS-enabled interface, causing the device to reload. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a vulnerable Catalyst model (3650, 3850, or 9000 series) + is_vulnerable_platform = any(model in platform_output for model in ['C3650', 'C3850', 'C9']) + + # If not a vulnerable Catalyst model, it's not vulnerable + if not is_vulnerable_platform: + return + + # Extract the output of the command to check MPLS configuration + mpls_output = commands.check_mpls + + # Check if MPLS is enabled + mpls_enabled = 'mpls' in mpls_output + + # Device is vulnerable if it's a vulnerable platform and has MPLS enabled + is_vulnerable = is_vulnerable_platform and mpls_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20870. " + "The device is a Catalyst 3650/3850/9000 switch with MPLS enabled, " + "which could allow an unauthenticated attacker to cause a denial of service through malformed packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-mpls-dos-Ab4OUL3" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220915.py b/CVEasy/Cisco/2022/cisco_xe/cve202220915.py new file mode 100644 index 00000000..734d4009 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220915.py @@ -0,0 +1,47 @@ +from comfy import high + + +@high( + name='rule_cve202220915', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_6vpe='show running-config | include vrf|ipv6|zone', + check_zbfw='show running-config | include zone-pair|class-map|policy-map' + ), +) +def rule_cve202220915(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20915 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper error handling of an IPv6 packet that is forwarded from + an MPLS and ZBFW-enabled interface in a 6VPE deployment. An unauthenticated, adjacent attacker + could exploit this vulnerability by sending a crafted IPv6 packet sourced from a device on the + IPv6-enabled VRF interface through the affected device. + """ + # Extract the output of the commands + vpe_output = commands.check_6vpe + zbfw_output = commands.check_zbfw + + # Check if 6VPE is configured (requires VRF and IPv6) + vrf_configured = 'vrf' in vpe_output + ipv6_configured = 'ipv6' in vpe_output + vpe_configured = vrf_configured and ipv6_configured + + # Check if Zone-Based Firewall is configured + zbfw_configured = any(feature in zbfw_output for feature in [ + 'zone-pair', + 'class-map', + 'policy-map' + ]) + + # Device is vulnerable if both 6VPE and ZBFW are configured + is_vulnerable = vpe_configured and zbfw_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20915. " + "The device has IPv6 VPN over MPLS (6VPE) and Zone-Based Firewall configured, " + "which could allow an adjacent attacker to cause a denial of service through crafted IPv6 packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-6vpe-dos-tJBtf5Zv" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220944.py b/CVEasy/Cisco/2022/cisco_xe/cve202220944.py new file mode 100644 index 00000000..42a825a2 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220944.py @@ -0,0 +1,48 @@ +from comfy import high + + +@high( + name='rule_cve202220944', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_secure_boot='show platform software authenticity' + ), +) +def rule_cve202220944(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20944 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper verification of digital signatures during the boot process + in Catalyst 9200 Series Switches. An unauthenticated, physical attacker could exploit this + vulnerability by loading unsigned code at system boot time, allowing them to bypass image + verification and execute arbitrary code. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9200 Series + is_cat9200 = 'C92' in platform_output + + # If not a Catalyst 9200 device, it's not vulnerable + if not is_cat9200: + return + + # Extract the output of the command to check secure boot status + secure_boot_output = commands.check_secure_boot + + # Check if secure boot is disabled or not properly configured + secure_boot_disabled = ( + 'Image verification is disabled' in secure_boot_output or + 'Secure Boot: disabled' in secure_boot_output or + not secure_boot_output # If no output, assume it's not properly configured + ) + + # Assert that the device is not vulnerable + assert not secure_boot_disabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20944. " + "The device is a Catalyst 9200 Series switch with image verification disabled or not properly configured, " + "which could allow an attacker with physical access to execute unsigned code at boot time. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-cat-verify-D4NEQA6q" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/__init__.py b/CVEasy/Cisco/2022/cisco_xr/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220655.py b/CVEasy/Cisco/2022/cisco_xr/cve202220655.py new file mode 100644 index 00000000..d3229321 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220655.py @@ -0,0 +1,54 @@ +from comfy import high + + +@high( + name='rule_cve202220655', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_confd='show processes confd' + ), +) +def rule_cve202220655(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20655 vulnerability in Cisco IOS XR Software. + The vulnerability is due to insufficient validation of a process argument in the ConfD CLI. + An authenticated, local attacker could exploit this vulnerability by injecting commands during + the execution of this process, allowing them to execute arbitrary commands on the underlying + operating system with root privileges. + """ + # List of vulnerable versions + vulnerable_versions = [ + '7.0.1', '7.0.2', '7.0.3', '7.1.0', # IOS XR versions + '2.6.5', # Virtual Topology System versions + '4.3.9.1', '4.4.5.6', '4.5.7', '4.6.1.7', '4.7.1', '5.1.0.1', # Network Services Orchestrator versions + '3.12.1', # Enterprise NFV Infrastructure Software versions + '18.4.4', '19.2.1', # Catalyst SD-WAN Manager versions + '16.10.2', '16.12.1b', '17.2.1r', # IOS XE Catalyst SD-WAN versions + '18.4.4', '19.2.1' # SD-WAN vEdge Router versions + ] + + # Extract the version information + version_output = commands.show_version + + # Check if version is vulnerable + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check ConfD process + confd_output = commands.check_confd + + # Check if ConfD is running + confd_running = 'confd' in confd_output + + # Assert that the device is not vulnerable + assert not confd_running, ( + f"Device {device.name} is vulnerable to CVE-2022-20655. " + "The device is running a vulnerable version with ConfD enabled, " + "which could allow an authenticated attacker to execute arbitrary commands with root privileges. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cli-cmdinj-4MttWZPB" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220714.py b/CVEasy/Cisco/2022/cisco_xr/cve202220714.py new file mode 100644 index 00000000..c434098d --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220714.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202220714', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_linecard='show inventory | include Lightspeed-Plus' + ), +) +def rule_cve202220714(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20714 vulnerability in Cisco IOS XR Software. + The vulnerability is due to incorrect handling of malformed packets in the data plane microcode + of Lightspeed-Plus line cards for ASR 9000 Series routers. An unauthenticated, remote attacker + could exploit this vulnerability by sending crafted IPv4 or IPv6 packets through an affected device, + causing the line card to reset and resulting in a denial of service condition. + """ + # Extract the output of the command to check for Lightspeed-Plus line cards + linecard_output = commands.check_linecard + + # Check if Lightspeed-Plus line cards are present + lightspeed_plus_present = 'Lightspeed-Plus' in linecard_output + + # Assert that the device is not vulnerable + assert not lightspeed_plus_present, ( + f"Device {device.name} is vulnerable to CVE-2022-20714. " + "The device has Lightspeed-Plus line cards installed, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted IPv4/IPv6 packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lsplus-Z6AQEOjk" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220758.py b/CVEasy/Cisco/2022/cisco_xr/cve202220758.py new file mode 100644 index 00000000..0b8c565f --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220758.py @@ -0,0 +1,38 @@ +from comfy import high + + +@high( + name='rule_cve202220758', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_bgp='show running-config | include router bgp|address-family l2vpn evpn' + ), +) +def rule_cve202220758(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20758 vulnerability in Cisco IOS XR Software. + The vulnerability is due to incorrect processing of BGP update messages containing specific EVPN attributes. + An unauthenticated, remote attacker could exploit this vulnerability by sending crafted BGP update messages + through an established trusted peer connection, causing the BGP process to restart and resulting in a + denial of service (DoS) condition. + """ + # Extract the output of the command to check BGP EVPN configuration + bgp_output = commands.check_bgp + + # Check if BGP is configured with L2VPN EVPN address family + bgp_configured = 'router bgp' in bgp_output + evpn_configured = 'address-family l2vpn evpn' in bgp_output + + # Device is vulnerable if both BGP and L2VPN EVPN are configured + is_vulnerable = bgp_configured and evpn_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20758. " + "The device has BGP configured with L2VPN EVPN address-family, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted " + "BGP update messages. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgpevpn-zWTRtPBb" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220821.py b/CVEasy/Cisco/2022/cisco_xr/cve202220821.py new file mode 100644 index 00000000..befbecc7 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220821.py @@ -0,0 +1,39 @@ +from comfy import high + + +@high( + name='rule_cve202220821', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_redis='show processes | include redis', + check_port='show processes | include 6379' + ), +) +def rule_cve202220821(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20821 vulnerability in Cisco IOS XR Software. + The vulnerability is due to the health check RPM opening TCP port 6379 by default upon activation. + An unauthenticated, remote attacker could exploit this vulnerability by connecting to the Redis + instance on the open port, allowing them to write to the Redis in-memory database, write arbitrary + files to the container filesystem, and retrieve information about the Redis database. + """ + # Extract the output of the commands + redis_output = commands.check_redis + port_output = commands.check_port + + # Check if Redis is running and port 6379 is open + redis_running = 'redis' in redis_output + port_open = '6379' in port_output + + # Device is vulnerable if Redis is running and port 6379 is open + is_vulnerable = redis_running and port_open + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20821. " + "The device has Redis running with port 6379 open, " + "which could allow an unauthenticated attacker to access and modify the Redis database. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220845.py b/CVEasy/Cisco/2022/cisco_xr/cve202220845.py new file mode 100644 index 00000000..6687124a --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220845.py @@ -0,0 +1,59 @@ +from comfy import high + + +@high( + name='rule_cve202220845', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_tl1='show processes | include tl1' + ), +) +def rule_cve202220845(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20845 vulnerability in Cisco IOS XR Software. + The vulnerability is due to TL1 not freeing memory under some conditions in NCS 4000 Series devices. + An authenticated, local attacker could exploit this vulnerability by connecting to the device and + issuing TL1 commands, causing the TL1 process to consume large amounts of memory and potentially + leading to a denial of service condition. + """ + # List of vulnerable versions + vulnerable_versions = [ + '6.5.25', '6.5.26', '6.5.28', '6.5.29', '6.5.31', '6.5.32' + ] + + # Extract the version information + version_output = commands.show_version + + # Check if version is vulnerable + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is an NCS 4000 Series + is_ncs4k = 'NCS-4' in platform_output + + # If not an NCS 4000 device, it's not vulnerable + if not is_ncs4k: + return + + # Extract the output of the command to check TL1 process + tl1_output = commands.check_tl1 + + # Check if TL1 process is running + tl1_running = 'tl1' in tl1_output + + # Assert that the device is not vulnerable + assert not tl1_running, ( + f"Device {device.name} is vulnerable to CVE-2022-20845. " + "The device is an NCS 4000 Series running a vulnerable version with TL1 process enabled, " + "which could allow an authenticated attacker to cause a denial of service through memory exhaustion. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncs4k-tl1-GNnLwC6" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220846.py b/CVEasy/Cisco/2022/cisco_xr/cve202220846.py new file mode 100644 index 00000000..80868215 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220846.py @@ -0,0 +1,58 @@ +from comfy import high + + +@high( + name='rule_cve202220846', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_cdp='show running-config | include cdp' + ), +) +def rule_cve202220846(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20846 vulnerability in Cisco IOS XR Software. + The vulnerability is due to a heap buffer overflow in certain Cisco Discovery Protocol messages. + An unauthenticated, adjacent attacker could exploit this vulnerability by sending malicious + Cisco Discovery Protocol packets to an affected device, causing the CDP process to reload. + """ + # List of vulnerable versions + vulnerable_versions = [ + '6.5.1', '6.5.2', '6.5.3', '6.5.15', '6.5.25', '6.5.26', '6.5.28', '6.5.29', + '6.5.31', '6.5.32', '6.5.90', '6.5.92', '6.5.93', + '6.6.1', '6.6.2', '6.6.3', '6.6.4', '6.6.11', '6.6.12', '6.6.25', + '6.7.1', '6.7.2', '6.7.3', '6.7.4', '6.7.35', + '6.8.1', '6.8.2', '6.9.1', + '7.0.0', '7.0.1', '7.0.2', '7.0.11', '7.0.12', '7.0.14', '7.0.90', + '7.1.1', '7.1.2', '7.1.3', '7.1.15', '7.1.25', + '7.2.0', '7.2.1', '7.2.2', '7.2.12', + '7.3.1', '7.3.2', '7.3.3', '7.3.4', '7.3.15', '7.3.16', '7.3.27', + '7.4.1', '7.4.2', '7.4.15', '7.4.16', + '7.5.1', '7.5.2', '7.5.12', + '7.6.1', '7.6.15' + ] + + # Extract the version information + version_output = commands.show_version + + # Check if version is vulnerable + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check CDP configuration + cdp_output = commands.check_cdp + + # Check if CDP is enabled (CDP is enabled by default unless explicitly disabled) + cdp_disabled = 'no cdp' in cdp_output + + # Assert that the device is not vulnerable + assert cdp_disabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20846. " + "The device is running a vulnerable version with CDP enabled, " + "which could allow an adjacent attacker to cause a denial of service through malicious CDP packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xr-cdp-wnALzvT2" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220849.py b/CVEasy/Cisco/2022/cisco_xr/cve202220849.py new file mode 100644 index 00000000..acc5b32b --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220849.py @@ -0,0 +1,55 @@ +from comfy import high + + +@high( + name='rule_cve202220849', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_pppoe='show running-config | include bba-group pppoe|pppoe enable' + ), +) +def rule_cve202220849(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20849 vulnerability in Cisco IOS XR Software. + The vulnerability is due to improper handling of error conditions within specific PPPoE packet + sequences in the Broadband Network Gateway feature. An unauthenticated, adjacent attacker could + exploit this vulnerability by sending a sequence of specific PPPoE packets from controlled CPE, + causing the PPPoE process to continually restart and resulting in a denial of service condition. + """ + # List of vulnerable versions + vulnerable_versions = [ + '6.5.1', '6.5.2', '6.5.3', '6.5.15', '6.6.1', '6.6.2', '6.6.3', '6.6.4', '6.6.25', + '6.7.1', '6.7.2', '6.7.3', '6.7.35', '6.8.1', '6.8.2', '6.9.1', + '7.0.1', '7.0.2', '7.0.90', '7.1.1', '7.1.2', '7.1.3', '7.1.15', '7.1.25', + '7.2.1', '7.2.2', '7.3.1', '7.3.2', '7.3.3', '7.3.4', '7.4.1', '7.4.2', + '7.5.1' + ] + + # Extract the version information + version_output = commands.show_version + + # Check if version is vulnerable + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check PPPoE configuration + pppoe_output = commands.check_pppoe + + # Check if PPPoE is configured + pppoe_configured = any(feature in pppoe_output for feature in [ + 'bba-group pppoe', + 'pppoe enable' + ]) + + # Assert that the device is not vulnerable + assert not pppoe_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20849. " + "The device is running a vulnerable version with PPPoE enabled, " + "which could allow an adjacent attacker to cause a denial of service through crafted PPPoE packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-bng-Gmg5Gxt" + )