From 8db69d23fde7dc39644693e40005cef34dd24be7 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Sun, 1 Jun 2025 18:27:29 +0000 Subject: [PATCH 1/9] arista 2021 cves --- CVEasy/Arista/2021/__init__.py | 0 CVEasy/Arista/2021/cve202128496.py | 70 +++++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128500.py | 77 ++++++++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128501.py | 62 ++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128503.py | 71 +++++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128504.py | 63 ++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128505.py | 65 +++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128506.py | 69 ++++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128507.py | 77 ++++++++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128508.py | 71 +++++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128509.py | 71 +++++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128510.py | 71 +++++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128511.py | 70 +++++++++++++++++++++++++++ 13 files changed, 837 insertions(+) create mode 100644 CVEasy/Arista/2021/__init__.py create mode 100644 CVEasy/Arista/2021/cve202128496.py create mode 100644 CVEasy/Arista/2021/cve202128500.py create mode 100644 CVEasy/Arista/2021/cve202128501.py create mode 100644 CVEasy/Arista/2021/cve202128503.py create mode 100644 CVEasy/Arista/2021/cve202128504.py create mode 100644 CVEasy/Arista/2021/cve202128505.py create mode 100644 CVEasy/Arista/2021/cve202128506.py create mode 100644 CVEasy/Arista/2021/cve202128507.py create mode 100644 CVEasy/Arista/2021/cve202128508.py create mode 100644 CVEasy/Arista/2021/cve202128509.py create mode 100644 CVEasy/Arista/2021/cve202128510.py create mode 100644 CVEasy/Arista/2021/cve202128511.py diff --git a/CVEasy/Arista/2021/__init__.py b/CVEasy/Arista/2021/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Arista/2021/cve202128496.py b/CVEasy/Arista/2021/cve202128496.py new file mode 100644 index 00000000..b691d052 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128496.py @@ -0,0 +1,70 @@ +from comfy import high + + +@high( + name='rule_cve202128496', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_bfd='show running-config | section bfd', + show_eapi='show management api http-commands' + ), +) +def rule_cve202128496(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28496 vulnerability in Arista EOS devices. + The vulnerability allows BFD shared secret passwords to be leaked when displaying output + over eAPI or other JSON outputs to authenticated users on the device. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.22.x versions (all releases) + '4.22.0', '4.22.12', + # 4.23.x versions (up to 4.23.9) + '4.23.0', '4.23.9', + # 4.24.x versions (up to 4.24.7) + '4.24.0', '4.24.7', + # 4.25.x versions (up to 4.25.4) + '4.25.0', '4.25.4', + # 4.26.x versions (up to 4.26.1) + '4.26.0', '4.26.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if BFD is configured with shared secret profiles + bfd_config = commands.show_bfd + has_bfd_secrets = 'profile' in bfd_config and 'key-id' in bfd_config + + # Check if eAPI is enabled + eapi_config = commands.show_eapi + eapi_enabled = 'enabled' in eapi_config.lower() + + # Device is vulnerable if using BFD shared secrets and eAPI is enabled + is_vulnerable = has_bfd_secrets and eapi_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28496. " + "The device is running a vulnerable version AND has BFD shared secret profiles configured " + "with eAPI enabled, which could expose sensitive password information. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.23.10 or later for 4.23.x train\n" + " * 4.24.8 or later for 4.24.x train\n" + " * 4.25.5 or later for 4.25.x train\n" + " * 4.26.2 or later for 4.26.x train\n" + "2. Or apply the appropriate hotfix:\n" + " * For 4.22.0 - 4.25.0: SecurityAdvisory0069Hotfix-4.22-4.25.0.swix\n" + " * For 4.25.1 - 4.26.1: SecurityAdvisory0069Hotfix-4.25.1-4.26.1.swix\n" + "3. As a workaround, restrict access to CLI show commands using role-based authorization\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13243-security-advisory-0069" + ) diff --git a/CVEasy/Arista/2021/cve202128500.py b/CVEasy/Arista/2021/cve202128500.py new file mode 100644 index 00000000..63783aa6 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128500.py @@ -0,0 +1,77 @@ +from comfy import high + + +@high( + name='rule_cve202128500', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_users='show running-config | section username', + show_agents='show running-config | include openconfig|terminattr' + ), +) +def rule_cve202128500(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28500 vulnerability in Arista EOS devices. + The vulnerability allows unrestricted access to the device for local users with nopassword + configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.20.x and earlier versions + '4.20.0', '4.20.15', + # 4.21.x versions + '4.21.0', '4.21.14M', + # 4.22.x versions + '4.22.0', '4.22.11M', + # 4.23.x versions + '4.23.0', '4.23.8M', + # 4.24.x versions + '4.24.0', '4.24.6M', + # 4.25.x versions + '4.25.0', '4.25.4M', + # 4.26.x versions + '4.26.0', '4.26.1F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if any users are configured with nopassword + users_config = commands.show_users + has_nopassword_users = 'nopassword' in users_config + + # Check if OpenConfig or TerminAttr agents are enabled + agents_config = commands.show_agents + agents_enabled = 'openconfig' in agents_config or 'terminattr' in agents_config + + # Device is vulnerable if it has nopassword users and agents enabled + is_vulnerable = has_nopassword_users and agents_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28500. " + "The device is running a vulnerable version AND has local users with nopassword configuration " + "while OpenConfig/TerminAttr agents are enabled, which could allow unrestricted access. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.2F or later for 4.26.x train\n" + " * 4.25.5M or later for 4.25.x train\n" + " * 4.24.7M or later for 4.24.x train\n" + " * 4.23.9M or later for 4.23.x train\n" + " * 4.22.12M or later for 4.22.x train\n" + " * 4.21.15M or later for 4.21.x train\n" + "2. Until upgrade is complete, implement these workarounds:\n" + " * Remove nopassword configuration for local users\n" + " * Or apply the appropriate hotfix:\n" + " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" + " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + ) diff --git a/CVEasy/Arista/2021/cve202128501.py b/CVEasy/Arista/2021/cve202128501.py new file mode 100644 index 00000000..17d0f617 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128501.py @@ -0,0 +1,62 @@ +from comfy import high + + +@high( + name='rule_cve202128501', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_terminattr='show running-config | include terminattr', + show_openconfig='show running-config | include openconfig', + show_users='show running-config | section username' + ), +) +def rule_cve202128501(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28501 vulnerability in Arista EOS devices. + The vulnerability allows unrestricted access to the device for local users with nopassword + configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # TerminAttr versions before 1.16.2 + '1.15.0', '1.15.1', '1.15.2', '1.15.3', + '1.16.0', '1.16.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if TerminAttr or OpenConfig agents are enabled + terminattr_config = commands.show_terminattr + openconfig_config = commands.show_openconfig + agents_enabled = bool(terminattr_config or openconfig_config) + + # Check if any users are configured with nopassword + users_config = commands.show_users + has_nopassword_users = 'nopassword' in users_config + + # Device is vulnerable if agents are enabled and has nopassword users + is_vulnerable = agents_enabled and has_nopassword_users + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28501. " + "The device is running a vulnerable version of TerminAttr AND has local users with nopassword configuration " + "while OpenConfig/TerminAttr agents are enabled, which could allow unrestricted access. " + "Recommended fixes:\n" + "1. Upgrade to TerminAttr v1.16.2 or later\n" + "2. Until upgrade is complete, implement these workarounds:\n" + " * Disable OpenConfig gNMI/gNOI and OpenConfig RESTCONF and TerminAttr\n" + " * Or apply the appropriate hotfix with proxy service:\n" + " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" + " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + ) diff --git a/CVEasy/Arista/2021/cve202128503.py b/CVEasy/Arista/2021/cve202128503.py new file mode 100644 index 00000000..37aa45b7 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128503.py @@ -0,0 +1,71 @@ +from comfy import high + + +@high( + name='rule_cve202128503', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_eapi='show management api http-commands', + show_cert_auth='show running-config | include certificate user' + ), +) +def rule_cve202128503(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28503 vulnerability in Arista EOS devices. + The vulnerability allows remote attackers to bypass authentication when certificate-based + authentication is used with eAPI, due to improper credential re-evaluation. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.23.x versions before 4.23.10 + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', + '4.23.5', '4.23.6', '4.23.7', '4.23.8', '4.23.9', + # 4.24.x versions before 4.24.8 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', + '4.24.5', '4.24.6', '4.24.7', + # 4.25.x versions before 4.25.6 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + # 4.26.x versions before 4.26.3 + '4.26.0', '4.26.1', '4.26.2' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if eAPI is enabled + eapi_config = commands.show_eapi + eapi_enabled = 'enabled' in eapi_config.lower() + + # Check if certificate-based authentication is configured + cert_config = commands.show_cert_auth + cert_auth_enabled = 'certificate user' in cert_config + + # Device is vulnerable if both eAPI and certificate auth are enabled + is_vulnerable = eapi_enabled and cert_auth_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28503. " + "The device is running a vulnerable version AND has eAPI enabled with certificate-based authentication, " + "which could allow remote attackers to bypass authentication. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.3 or later for 4.26.x train\n" + " * 4.25.6 or later for 4.25.x train\n" + " * 4.24.8 or later for 4.24.x train\n" + " * 4.23.10 or later for 4.23.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Disable certificate-based authentication for eAPI:\n" + " switch(config)#management security\n" + " switch(config-mgmt-security)#ssl profile profileEAPI\n" + " switch(config-mgmt-sec-ssl-profile-profileEAPI)#no trust certificate user.cert\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13605-security-advisory-0072" + ) diff --git a/CVEasy/Arista/2021/cve202128504.py b/CVEasy/Arista/2021/cve202128504.py new file mode 100644 index 00000000..aa5d6924 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128504.py @@ -0,0 +1,63 @@ +from comfy import high + + +@high( + name='rule_cve202128504', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_tcam='show hardware tcam profile', + show_acl='show running-config | section ip access-list' + ), +) +def rule_cve202128504(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28504 vulnerability in Arista EOS devices. + The vulnerability occurs on Strata family products when TCAM profile is enabled and + port IPv4 access-lists contain rules matching VXLAN protocol, causing subsequent rules + to not match IP protocol fields as expected. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.26.x versions before 4.26.4F + '4.26.0', '4.26.1F', '4.26.2F', '4.26.3F', + # 4.27.x versions before 4.27.1M + '4.27.0F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if TCAM profile feature is enabled + tcam_output = commands.show_tcam + tcam_enabled = 'Profile:' in tcam_output + + # Check if any ACL has VXLAN protocol matching + acl_config = commands.show_acl + has_vxlan_acl = 'protocol vxlan' in acl_config.lower() + + # Device is vulnerable if TCAM profile is enabled and has VXLAN protocol matching in ACLs + is_vulnerable = tcam_enabled and has_vxlan_acl + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28504. " + "The device is running a vulnerable version AND has TCAM profile enabled with ACLs matching VXLAN protocol, " + "which could cause subsequent ACL rules to not match IP protocol fields correctly. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.4F or later for 4.26.x train\n" + " * 4.27.1M or later for 4.27.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Replace 'protocol vxlan' matches in ACLs with:\n" + " - protocol udp\n" + " - destination port 4789 (or configured VXLAN port)\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" + ) diff --git a/CVEasy/Arista/2021/cve202128505.py b/CVEasy/Arista/2021/cve202128505.py new file mode 100644 index 00000000..cd024844 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128505.py @@ -0,0 +1,65 @@ +from comfy import high + + +@high( + name='rule_cve202128505', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_acl='show running-config | section ip access-list', + show_interfaces='show running-config | section interface' + ), +) +def rule_cve202128505(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28505 vulnerability in Arista EOS devices. + The vulnerability occurs when VXLAN match rules in IPv4 access-lists are applied to + ingress L2/L3 ports or SVIs, causing subsequent ACL rules to ignore IP protocol fields. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.26.x versions before 4.26.4M + '4.26.0', '4.26.1F', '4.26.2F', '4.26.3M', + # 4.27.x versions before 4.27.1F + '4.27.0F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if any ACL has VXLAN protocol matching + acl_config = commands.show_acl + has_vxlan_acl = 'protocol vxlan' in acl_config.lower() + + # Check if ACLs are applied to ingress L2/L3 ports or SVIs + interface_config = commands.show_interfaces + has_ingress_acl = any(keyword in interface_config.lower() for keyword in [ + 'ip access-group', + 'ipv4 access-group' + ]) + + # Device is vulnerable if it has VXLAN ACLs applied to ingress interfaces + is_vulnerable = has_vxlan_acl and has_ingress_acl + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28505. " + "The device is running a vulnerable version AND has VXLAN match rules in IPv4 ACLs " + "applied to ingress interfaces, which could cause subsequent rules to ignore IP protocol fields. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.4M or later for 4.26.x train\n" + " * 4.27.1F or later for 4.27.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Replace 'protocol vxlan' matches in ACLs with:\n" + " - protocol udp\n" + " - destination port 4789 (or configured VXLAN port)\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" + ) diff --git a/CVEasy/Arista/2021/cve202128506.py b/CVEasy/Arista/2021/cve202128506.py new file mode 100644 index 00000000..96f10034 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128506.py @@ -0,0 +1,69 @@ +from comfy import high + + +@high( + name='rule_cve202128506', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_gnmi='show management api gnmi', + show_restconf='show management api restconf', + show_gnoi='show management api gnoi' + ), +) +def rule_cve202128506(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28506 vulnerability in Arista EOS devices. + The vulnerability allows unauthenticated attackers to bypass authentication in gNOI APIs, + potentially allowing factory reset of the device. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.24.x versions before 4.24.8M + '4.24.0', '4.24.1F', '4.24.2F', '4.24.3M', '4.24.4M', '4.24.5M', '4.24.6M', '4.24.7M', + # 4.25.x versions before 4.25.6M + '4.25.0', '4.25.1M', '4.25.2M', '4.25.3M', '4.25.4M', '4.25.5M', + # 4.26.x versions before 4.26.3M + '4.26.0', '4.26.1F', '4.26.2F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if any of the vulnerable APIs are enabled + gnmi_config = commands.show_gnmi + restconf_config = commands.show_restconf + gnoi_config = commands.show_gnoi + + apis_enabled = any([ + 'enabled' in gnmi_config.lower(), + 'enabled' in restconf_config.lower(), + 'enabled' in gnoi_config.lower() + ]) + + # Device is vulnerable if running affected version and has APIs enabled + is_vulnerable = version_vulnerable and apis_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28506. " + "The device is running a vulnerable version AND has gNMI/gNOI/RESTCONF APIs enabled, " + "which could allow unauthenticated attackers to bypass authentication and factory reset the device. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.3M or later for 4.26.x train\n" + " * 4.25.6M or later for 4.25.x train\n" + " * 4.24.8M or later for 4.24.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Apply the appropriate hotfix with proxy service:\n" + " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" + " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + ) diff --git a/CVEasy/Arista/2021/cve202128507.py b/CVEasy/Arista/2021/cve202128507.py new file mode 100644 index 00000000..77814911 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128507.py @@ -0,0 +1,77 @@ +from comfy import high + + +@high( + name='rule_cve202128507', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_openconfig='show running-config | include openconfig', + show_restconf='show management api restconf', + show_acl='show running-config | section service-acl' + ), +) +def rule_cve202128507(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28507 vulnerability in Arista EOS devices. + The vulnerability allows service ACL bypass in OpenConfig gNOI and RESTCONF APIs, + which could result in denied requests being forwarded to the agent. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.21.x and earlier versions + '4.21.', '4.20.', '4.19.', '4.18.', + # 4.22.x versions + '4.22.0', '4.22.1', '4.22.2', '4.22.3', + # 4.23.x versions before 4.23.10M + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', + '4.23.5', '4.23.6', '4.23.7', '4.23.8', '4.23.9', + # 4.24.x versions before 4.24.8M + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', + '4.24.5', '4.24.6', '4.24.7', + # 4.25.x versions before 4.25.6M + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + # 4.26.x versions before 4.26.3M + '4.26.0', '4.26.1', '4.26.2' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if OpenConfig or RESTCONF is enabled + openconfig_config = commands.show_openconfig + restconf_config = commands.show_restconf + apis_enabled = bool(openconfig_config or 'enabled' in restconf_config.lower()) + + # Check if service ACLs are configured + acl_config = commands.show_acl + has_service_acl = 'service-acl' in acl_config + + # Device is vulnerable if APIs are enabled and using service ACLs + is_vulnerable = apis_enabled and has_service_acl + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28507. " + "The device is running a vulnerable version AND has OpenConfig/RESTCONF APIs enabled with service ACLs, " + "which could allow denied requests to bypass ACLs and reach the agent. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.3M or later for 4.26.x train\n" + " * 4.25.6M or later for 4.25.x train\n" + " * 4.24.8M or later for 4.24.x train\n" + " * 4.23.10M or later for 4.23.x train\n" + "2. Until upgrade is complete, implement these workarounds:\n" + " * Disable OpenConfig gNMI/gNOI and OpenConfig RESTCONF\n" + " * Or apply the appropriate hotfix with proxy service:\n" + " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" + " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + ) diff --git a/CVEasy/Arista/2021/cve202128508.py b/CVEasy/Arista/2021/cve202128508.py new file mode 100644 index 00000000..b7256b90 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128508.py @@ -0,0 +1,71 @@ +from comfy import high + + +@high( + name='rule_cve202128508', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_terminattr='show running-config | include terminattr', + show_ipsec='show running-config | section crypto ipsec' + ), +) +def rule_cve202128508(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28508 vulnerability in Arista EOS devices. + The vulnerability allows TerminAttr to leak IPsec sensitive data in clear text to CVP, + which could allow authorized users to decrypt or modify IPsec traffic. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.23.x versions before 4.23.11 + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', '4.23.5', + '4.23.6', '4.23.7', '4.23.8', '4.23.9', '4.23.10', + # 4.24.x versions before 4.24.10 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5', + '4.24.6', '4.24.7', '4.24.8', '4.24.9', + # 4.25.x versions before 4.25.8 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + '4.25.6', '4.25.7', + # 4.26.x versions before 4.26.6 + '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4', '4.26.5', + # 4.27.x versions before 4.27.2 + '4.27.0', '4.27.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if TerminAttr is enabled + terminattr_config = commands.show_terminattr + terminattr_enabled = bool(terminattr_config) + + # Check if IPsec is configured + ipsec_config = commands.show_ipsec + ipsec_configured = bool(ipsec_config) + + # Device is vulnerable if both TerminAttr and IPsec are enabled + is_vulnerable = terminattr_enabled and ipsec_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28508. " + "The device is running a vulnerable version AND has both TerminAttr and IPsec enabled, " + "which could allow IPsec sensitive data to leak in clear text to CVP. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.27.2 or later for 4.27.x train\n" + " * 4.26.6 or later for 4.26.x train\n" + " * 4.25.8 or later for 4.25.x train\n" + " * 4.24.10 or later for 4.24.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Disable TerminAttr agent\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" + ) diff --git a/CVEasy/Arista/2021/cve202128509.py b/CVEasy/Arista/2021/cve202128509.py new file mode 100644 index 00000000..a577c7c3 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128509.py @@ -0,0 +1,71 @@ +from comfy import high + + +@high( + name='rule_cve202128509', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_terminattr='show running-config | include terminattr', + show_macsec='show running-config | section macsec' + ), +) +def rule_cve202128509(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28509 vulnerability in Arista EOS devices. + The vulnerability allows TerminAttr to leak MACsec sensitive data in clear text to CVP, + which could allow authorized users to decrypt or modify MACsec traffic. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.23.x versions before 4.23.12 + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', '4.23.5', + '4.23.6', '4.23.7', '4.23.8', '4.23.9', '4.23.10', '4.23.11', + # 4.24.x versions before 4.24.10 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5', + '4.24.6', '4.24.7', '4.24.8', '4.24.9', + # 4.25.x versions before 4.25.8 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + '4.25.6', '4.25.7', + # 4.26.x versions before 4.26.6 + '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4', '4.26.5', + # 4.27.x versions before 4.27.4 + '4.27.0', '4.27.1', '4.27.2', '4.27.3' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if TerminAttr is enabled + terminattr_config = commands.show_terminattr + terminattr_enabled = 'terminattr' in terminattr_config.lower() + + # Check if MACsec is configured + macsec_config = commands.show_macsec + macsec_configured = 'macsec' in macsec_config.lower() + + # Device is vulnerable if both TerminAttr and MACsec are enabled + is_vulnerable = terminattr_enabled and macsec_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28509. " + "The device is running a vulnerable version AND has both TerminAttr and MACsec enabled, " + "which could allow MACsec sensitive data to leak in clear text to CVP. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.27.4 or later for 4.27.x train\n" + " * 4.26.6 or later for 4.26.x train\n" + " * 4.25.8 or later for 4.25.x train\n" + " * 4.24.10 or later for 4.24.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Disable TerminAttr agent\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" + ) diff --git a/CVEasy/Arista/2021/cve202128510.py b/CVEasy/Arista/2021/cve202128510.py new file mode 100644 index 00000000..32fbf3aa --- /dev/null +++ b/CVEasy/Arista/2021/cve202128510.py @@ -0,0 +1,71 @@ +from comfy import high + + +@high( + name='rule_cve202128510', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_ptp='show running-config | section ptp' + ), +) +def rule_cve202128510(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28510 vulnerability in Arista EOS devices. + The vulnerability allows an unauthenticated attacker to cause a DoS condition by sending + malformed PTP packets with invalid TLV values, causing the PTP agent to restart repeatedly. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.23.x versions before 4.23.11 + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', '4.23.5', + '4.23.6', '4.23.7', '4.23.8', '4.23.9', '4.23.10', + # 4.24.x versions before 4.24.9 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5', + '4.24.6', '4.24.7', '4.24.8', + # 4.25.x versions before 4.25.7 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + '4.25.6', + # 4.26.x versions before 4.26.5 + '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4', + # 4.27.x versions before 4.27.2 + '4.27.0', '4.27.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if PTP is configured + ptp_config = commands.show_ptp + ptp_enabled = 'ptp' in ptp_config.lower() + + # Device is vulnerable if running affected version and PTP is enabled + is_vulnerable = version_vulnerable and ptp_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28510. " + "The device is running a vulnerable version AND has PTP enabled, " + "which could allow an attacker to cause a denial of service by sending malformed PTP packets. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.27.2 or later for 4.27.x train\n" + " * 4.26.5 or later for 4.26.x train\n" + " * 4.25.7 or later for 4.25.x train\n" + " * 4.24.9 or later for 4.24.x train\n" + " * 4.23.11 or later for 4.23.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Install ACL rules to drop PTP packets from untrusted sources\n" + " * Block access to untrusted (non-management) networks\n" + "3. A hotfix is available:\n" + " * SecurityAdvisory76_CVE-2021-28510_Hotfix.swix\n" + " * Note: Installing/uninstalling will cause PTP agent to restart\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15439-security-advisory-0076" + ) diff --git a/CVEasy/Arista/2021/cve202128511.py b/CVEasy/Arista/2021/cve202128511.py new file mode 100644 index 00000000..e3a4df2f --- /dev/null +++ b/CVEasy/Arista/2021/cve202128511.py @@ -0,0 +1,70 @@ +from comfy import high + + +@high( + name='rule_cve202128511', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_nat='show running-config | section ip nat', + show_acl='show running-config | section ip access-list' + ), +) +def rule_cve202128511(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28511 vulnerability in Arista EOS devices. + The vulnerability allows security ACL bypass if a NAT ACL rule filter with permit action + matches a packet flow that should be denied by a security ACL. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.24.x versions before 4.24.10 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5', + '4.24.6', '4.24.7', '4.24.8', '4.24.9', + # 4.25.x versions before 4.25.9 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + '4.25.6', '4.25.7', '4.25.8', + # 4.26.x versions before 4.26.6 + '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4', '4.26.5', + # 4.27.x versions before 4.27.4 + '4.27.0', '4.27.1', '4.27.2', '4.27.3' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if NAT is configured + nat_config = commands.show_nat + nat_enabled = 'ip nat' in nat_config.lower() + + # Check if security ACLs are configured + acl_config = commands.show_acl + security_acl_enabled = 'ip access-list' in acl_config.lower() + + # Device is vulnerable if both NAT and security ACLs are enabled + is_vulnerable = nat_enabled and security_acl_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28511. " + "The device is running a vulnerable version AND has both NAT and security ACLs configured, " + "which could allow security ACL bypass through NAT permit rules. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.28.0 or later for 4.28.x train\n" + " * 4.27.4 or later for 4.27.x train\n" + " * 4.26.6 or later for 4.26.x train\n" + " * 4.25.9 or later for 4.25.x train\n" + " * 4.24.10 or later for 4.24.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Configure a NAT 'drop' ACL rule for each security ACL 'drop' rule\n" + " * Apply these rules to interfaces with NAT configured\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15862-security-advisory-0078" + ) From 9b12ab2891fc2efc2b16e9ad1ab23a6277171f72 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Sun, 1 Jun 2025 19:07:56 +0000 Subject: [PATCH 2/9] Fix flake8 and syntax errors in Arista CVE scripts --- CVEasy/Arista/2021/cve202128496.py | 5 +++-- CVEasy/Arista/2021/cve202128500.py | 5 +++-- CVEasy/Arista/2021/cve202128501.py | 5 +++-- CVEasy/Arista/2021/cve202128503.py | 5 +++-- CVEasy/Arista/2021/cve202128504.py | 7 ++++--- CVEasy/Arista/2021/cve202128505.py | 5 +++-- CVEasy/Arista/2021/cve202128506.py | 3 ++- CVEasy/Arista/2021/cve202128507.py | 3 ++- CVEasy/Arista/2021/cve202128508.py | 3 ++- CVEasy/Arista/2021/cve202128509.py | 3 ++- CVEasy/Arista/2021/cve202128510.py | 3 ++- CVEasy/Arista/2021/cve202128511.py | 3 ++- 12 files changed, 31 insertions(+), 19 deletions(-) diff --git a/CVEasy/Arista/2021/cve202128496.py b/CVEasy/Arista/2021/cve202128496.py index b691d052..0c636c99 100644 --- a/CVEasy/Arista/2021/cve202128496.py +++ b/CVEasy/Arista/2021/cve202128496.py @@ -13,7 +13,7 @@ def rule_cve202128496(configuration, commands, device, devices): """ This rule checks for CVE-2021-28496 vulnerability in Arista EOS devices. - The vulnerability allows BFD shared secret passwords to be leaked when displaying output + The vulnerability allows BFD shared secret passwords to be leaked when displaying output over eAPI or other JSON outputs to authenticated users on the device. """ # Extract the version information from the command output @@ -66,5 +66,6 @@ def rule_cve202128496(configuration, commands, device, devices): " * For 4.22.0 - 4.25.0: SecurityAdvisory0069Hotfix-4.22-4.25.0.swix\n" " * For 4.25.1 - 4.26.1: SecurityAdvisory0069Hotfix-4.25.1-4.26.1.swix\n" "3. As a workaround, restrict access to CLI show commands using role-based authorization\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13243-security-advisory-0069" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13243-security-advisory-0069" ) diff --git a/CVEasy/Arista/2021/cve202128500.py b/CVEasy/Arista/2021/cve202128500.py index 63783aa6..95ebee4b 100644 --- a/CVEasy/Arista/2021/cve202128500.py +++ b/CVEasy/Arista/2021/cve202128500.py @@ -13,7 +13,7 @@ def rule_cve202128500(configuration, commands, device, devices): """ This rule checks for CVE-2021-28500 vulnerability in Arista EOS devices. - The vulnerability allows unrestricted access to the device for local users with nopassword + The vulnerability allows unrestricted access to the device for local users with nopassword configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents. """ # Extract the version information from the command output @@ -73,5 +73,6 @@ def rule_cve202128500(configuration, commands, device, devices): " * Or apply the appropriate hotfix:\n" " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + "For more information, see " + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" ) diff --git a/CVEasy/Arista/2021/cve202128501.py b/CVEasy/Arista/2021/cve202128501.py index 17d0f617..5c1db418 100644 --- a/CVEasy/Arista/2021/cve202128501.py +++ b/CVEasy/Arista/2021/cve202128501.py @@ -14,7 +14,7 @@ def rule_cve202128501(configuration, commands, device, devices): """ This rule checks for CVE-2021-28501 vulnerability in Arista EOS devices. - The vulnerability allows unrestricted access to the device for local users with nopassword + The vulnerability allows unrestricted access to the device for local users with nopassword configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents. """ # Extract the version information from the command output @@ -58,5 +58,6 @@ def rule_cve202128501(configuration, commands, device, devices): " * Or apply the appropriate hotfix with proxy service:\n" " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" ) diff --git a/CVEasy/Arista/2021/cve202128503.py b/CVEasy/Arista/2021/cve202128503.py index 37aa45b7..40986559 100644 --- a/CVEasy/Arista/2021/cve202128503.py +++ b/CVEasy/Arista/2021/cve202128503.py @@ -13,7 +13,7 @@ def rule_cve202128503(configuration, commands, device, devices): """ This rule checks for CVE-2021-28503 vulnerability in Arista EOS devices. - The vulnerability allows remote attackers to bypass authentication when certificate-based + The vulnerability allows remote attackers to bypass authentication when certificate-based authentication is used with eAPI, due to improper credential re-evaluation. """ # Extract the version information from the command output @@ -67,5 +67,6 @@ def rule_cve202128503(configuration, commands, device, devices): " switch(config)#management security\n" " switch(config-mgmt-security)#ssl profile profileEAPI\n" " switch(config-mgmt-sec-ssl-profile-profileEAPI)#no trust certificate user.cert\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13605-security-advisory-0072" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13605-security-advisory-0072" ) diff --git a/CVEasy/Arista/2021/cve202128504.py b/CVEasy/Arista/2021/cve202128504.py index aa5d6924..6f0aed1e 100644 --- a/CVEasy/Arista/2021/cve202128504.py +++ b/CVEasy/Arista/2021/cve202128504.py @@ -13,8 +13,8 @@ def rule_cve202128504(configuration, commands, device, devices): """ This rule checks for CVE-2021-28504 vulnerability in Arista EOS devices. - The vulnerability occurs on Strata family products when TCAM profile is enabled and - port IPv4 access-lists contain rules matching VXLAN protocol, causing subsequent rules + The vulnerability occurs on Strata family products when TCAM profile is enabled and + port IPv4 access-lists contain rules matching VXLAN protocol, causing subsequent rules to not match IP protocol fields as expected. """ # Extract the version information from the command output @@ -59,5 +59,6 @@ def rule_cve202128504(configuration, commands, device, devices): " * Replace 'protocol vxlan' matches in ACLs with:\n" " - protocol udp\n" " - destination port 4789 (or configured VXLAN port)\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" ) diff --git a/CVEasy/Arista/2021/cve202128505.py b/CVEasy/Arista/2021/cve202128505.py index cd024844..2ff97f87 100644 --- a/CVEasy/Arista/2021/cve202128505.py +++ b/CVEasy/Arista/2021/cve202128505.py @@ -13,7 +13,7 @@ def rule_cve202128505(configuration, commands, device, devices): """ This rule checks for CVE-2021-28505 vulnerability in Arista EOS devices. - The vulnerability occurs when VXLAN match rules in IPv4 access-lists are applied to + The vulnerability occurs when VXLAN match rules in IPv4 access-lists are applied to ingress L2/L3 ports or SVIs, causing subsequent ACL rules to ignore IP protocol fields. """ # Extract the version information from the command output @@ -61,5 +61,6 @@ def rule_cve202128505(configuration, commands, device, devices): " * Replace 'protocol vxlan' matches in ACLs with:\n" " - protocol udp\n" " - destination port 4789 (or configured VXLAN port)\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" ) diff --git a/CVEasy/Arista/2021/cve202128506.py b/CVEasy/Arista/2021/cve202128506.py index 96f10034..f60d7bb9 100644 --- a/CVEasy/Arista/2021/cve202128506.py +++ b/CVEasy/Arista/2021/cve202128506.py @@ -65,5 +65,6 @@ def rule_cve202128506(configuration, commands, device, devices): " * Apply the appropriate hotfix with proxy service:\n" " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" ) diff --git a/CVEasy/Arista/2021/cve202128507.py b/CVEasy/Arista/2021/cve202128507.py index 77814911..07a65c07 100644 --- a/CVEasy/Arista/2021/cve202128507.py +++ b/CVEasy/Arista/2021/cve202128507.py @@ -73,5 +73,6 @@ def rule_cve202128507(configuration, commands, device, devices): " * Or apply the appropriate hotfix with proxy service:\n" " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" ) diff --git a/CVEasy/Arista/2021/cve202128508.py b/CVEasy/Arista/2021/cve202128508.py index b7256b90..1badbc3e 100644 --- a/CVEasy/Arista/2021/cve202128508.py +++ b/CVEasy/Arista/2021/cve202128508.py @@ -67,5 +67,6 @@ def rule_cve202128508(configuration, commands, device, devices): " * 4.24.10 or later for 4.24.x train\n" "2. Until upgrade is complete, implement this workaround:\n" " * Disable TerminAttr agent\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" ) diff --git a/CVEasy/Arista/2021/cve202128509.py b/CVEasy/Arista/2021/cve202128509.py index a577c7c3..ec3f020f 100644 --- a/CVEasy/Arista/2021/cve202128509.py +++ b/CVEasy/Arista/2021/cve202128509.py @@ -67,5 +67,6 @@ def rule_cve202128509(configuration, commands, device, devices): " * 4.24.10 or later for 4.24.x train\n" "2. Until upgrade is complete, implement this workaround:\n" " * Disable TerminAttr agent\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" ) diff --git a/CVEasy/Arista/2021/cve202128510.py b/CVEasy/Arista/2021/cve202128510.py index 32fbf3aa..844c01c5 100644 --- a/CVEasy/Arista/2021/cve202128510.py +++ b/CVEasy/Arista/2021/cve202128510.py @@ -67,5 +67,6 @@ def rule_cve202128510(configuration, commands, device, devices): "3. A hotfix is available:\n" " * SecurityAdvisory76_CVE-2021-28510_Hotfix.swix\n" " * Note: Installing/uninstalling will cause PTP agent to restart\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15439-security-advisory-0076" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15439-security-advisory-0076" ) diff --git a/CVEasy/Arista/2021/cve202128511.py b/CVEasy/Arista/2021/cve202128511.py index e3a4df2f..9c1252f8 100644 --- a/CVEasy/Arista/2021/cve202128511.py +++ b/CVEasy/Arista/2021/cve202128511.py @@ -66,5 +66,6 @@ def rule_cve202128511(configuration, commands, device, devices): "2. Until upgrade is complete, implement this workaround:\n" " * Configure a NAT 'drop' ACL rule for each security ACL 'drop' rule\n" " * Apply these rules to interfaces with NAT configured\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15862-security-advisory-0078" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15862-security-advisory-0078" ) From eb48f51858732f0bd0d4c7987e125b454dddfa54 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Sun, 1 Jun 2025 19:22:24 +0000 Subject: [PATCH 3/9] cisco_ios 2022 cves --- CVEasy/Cisco/2022/__init__.py | 0 CVEasy/Cisco/2022/cisco_ios/__init__.py | 0 CVEasy/Cisco/2022/cisco_ios/cve202220677.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220697.py | 32 +++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220718.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220719.py | 35 +++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220720.py | 35 +++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220721.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220722.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220723.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220724.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220725.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220726.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220727.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220761.py | 33 +++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220919.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220920.py | 34 ++++++++++++++++++++ 17 files changed, 509 insertions(+) create mode 100644 CVEasy/Cisco/2022/__init__.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/__init__.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220677.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220697.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220718.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220719.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220720.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220721.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220722.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220723.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220724.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220725.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220726.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220727.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220761.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220919.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220920.py diff --git a/CVEasy/Cisco/2022/__init__.py b/CVEasy/Cisco/2022/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_ios/__init__.py b/CVEasy/Cisco/2022/cisco_ios/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220677.py b/CVEasy/Cisco/2022/cisco_ios/cve202220677.py new file mode 100644 index 00000000..1031e83b --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220677.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220677', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220677(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20677 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + An attacker could exploit this vulnerability to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20677. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220697.py b/CVEasy/Cisco/2022/cisco_ios/cve202220697.py new file mode 100644 index 00000000..1804c43a --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220697.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202220697', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_http='show running-config | include ip http' + ), +) +def rule_cve202220697(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20697 vulnerability in Cisco IOS Software. + The vulnerability is due to improper resource management in the HTTP server code. + An attacker could exploit this vulnerability by sending a large number of HTTP requests + to an affected device, causing it to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check HTTP configuration + http_output = commands.check_http + + # Check if HTTP server is enabled + http_enabled = any(service in http_output for service in ['ip http server', 'ip http secure-server']) + + # Assert that the device is not vulnerable + assert not http_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20697. " + "The device has HTTP/HTTPS server enabled, " + "which could allow an attacker to cause a denial of service through crafted HTTP requests. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-dos-svOdkdBS" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220718.py b/CVEasy/Cisco/2022/cisco_ios/cve202220718.py new file mode 100644 index 00000000..3abeec7e --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220718.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220718', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220718(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20718 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20718. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220719.py b/CVEasy/Cisco/2022/cisco_ios/cve202220719.py new file mode 100644 index 00000000..e3665251 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220719.py @@ -0,0 +1,35 @@ +from comfy import high + + +@high( + name='rule_cve202220719', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220719(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20719 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application + hosting environment. Multiple vulnerabilities could allow an attacker to inject + arbitrary commands into the underlying host operating system, execute arbitrary + code, install applications without authentication, or conduct cross-site + scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20719. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220720.py b/CVEasy/Cisco/2022/cisco_ios/cve202220720.py new file mode 100644 index 00000000..ecea6ab3 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220720.py @@ -0,0 +1,35 @@ +from comfy import high + + +@high( + name='rule_cve202220720', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220720(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20720 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application + hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands + into the underlying host operating system, execute arbitrary code, install + applications without authentication, or conduct cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20720. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220721.py b/CVEasy/Cisco/2022/cisco_ios/cve202220721.py new file mode 100644 index 00000000..fa410727 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220721.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220721', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220721(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20721 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20721. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220722.py b/CVEasy/Cisco/2022/cisco_ios/cve202220722.py new file mode 100644 index 00000000..e5d99e25 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220722.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220722', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220722(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20722 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20722. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220723.py b/CVEasy/Cisco/2022/cisco_ios/cve202220723.py new file mode 100644 index 00000000..fe189087 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220723.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220723', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220723(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20723 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20723. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220724.py b/CVEasy/Cisco/2022/cisco_ios/cve202220724.py new file mode 100644 index 00000000..293118d4 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220724.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220724', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220724(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20724 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20724. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220725.py b/CVEasy/Cisco/2022/cisco_ios/cve202220725.py new file mode 100644 index 00000000..c7994a30 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220725.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220725', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220725(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20725 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20725. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220726.py b/CVEasy/Cisco/2022/cisco_ios/cve202220726.py new file mode 100644 index 00000000..c5b607ff --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220726.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220726', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220726(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20726 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20726. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220727.py b/CVEasy/Cisco/2022/cisco_ios/cve202220727.py new file mode 100644 index 00000000..e87b64e3 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220727.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220727', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220727(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20727 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20727. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220761.py b/CVEasy/Cisco/2022/cisco_ios/cve202220761.py new file mode 100644 index 00000000..2811f670 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220761.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202220761', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ap='show running-config | include autonomous-ap' + ), +) +def rule_cve202220761(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20761 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient input validation in the integrated wireless access point (AP) + packet processing of the Cisco 1000 Series Connected Grid Router (CGR1K). An attacker could exploit + this vulnerability by sending crafted traffic to an affected device, causing the integrated AP to stop + processing traffic and resulting in a denial of service condition. + """ + # Extract the output of the command to check AP configuration + ap_output = commands.check_ap + + # Check if integrated AP is configured + ap_configured = 'autonomous-ap' in ap_output + + # Assert that the device is not vulnerable + assert not ap_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20761. " + "The device has integrated wireless access point configured, " + "which could allow an adjacent attacker to cause a denial of service through crafted traffic. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cgr1k-ap-dos-mSZR4QVh" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220919.py b/CVEasy/Cisco/2022/cisco_ios/cve202220919.py new file mode 100644 index 00000000..8e2b3148 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220919.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220919', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_cip='show running-config | include cip enable' + ), +) +def rule_cve202220919(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20919 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient input validation during processing of + Common Industrial Protocol (CIP) packets. + An unauthenticated, remote attacker could exploit this vulnerability by sending + malformed CIP packets to an affected device, + causing it to unexpectedly reload and resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check CIP configuration + cip_output = commands.check_cip + + # Check if CIP is enabled + cip_enabled = 'cip enable' in cip_output + + # Assert that the device is not vulnerable + assert not cip_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20919. " + "The device has Common Industrial Protocol (CIP) enabled, " + "which could allow an unauthenticated attacker to cause a denial of service through malformed CIP packets. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-cip-dos-9rTbKLt9" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220920.py b/CVEasy/Cisco/2022/cisco_ios/cve202220920.py new file mode 100644 index 00000000..51f76da3 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220920.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220920', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ssh='show running-config | include ip ssh' + ), +) +def rule_cve202220920(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20920 vulnerability in Cisco IOS Software. + The vulnerability is due to improper handling of resources during an exceptional + situation in the SSH implementation. + An authenticated, remote attacker could exploit this vulnerability by continuously connecting to an affected device + and sending specific SSH requests, causing the device to reload and resulting in a + denial of service (DoS) condition. + """ + # Extract the output of the command to check SSH configuration + ssh_output = commands.check_ssh + + # Check if SSH is enabled + ssh_enabled = 'ip ssh' in ssh_output + + # Assert that the device is not vulnerable + assert not ssh_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20920. " + "The device has SSH enabled, " + "which could allow an authenticated attacker to cause a denial of service through crafted SSH requests. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssh-excpt-dos-FzOBQTnk" + ) From 8720e4e29c9b5049f3e4b7b8a6c52fd7d49a9add Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Sun, 1 Jun 2025 19:45:01 +0000 Subject: [PATCH 4/9] cisco_xe 2022 cves --- CVEasy/Cisco/2022/cisco_xe/__init__.py | 0 CVEasy/Cisco/2022/cisco_xe/cve202220676.py | 32 ++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220678.py | 35 +++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220679.py | 47 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220681.py | 40 +++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220682.py | 47 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220683.py | 47 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220684.py | 48 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220692.py | 33 ++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220693.py | 37 ++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220694.py | 37 ++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220810.py | 47 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220837.py | 37 ++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220847.py | 48 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220848.py | 51 ++++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220851.py | 37 ++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220855.py | 51 ++++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220856.py | 48 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220864.py | 44 +++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220870.py | 47 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220915.py | 47 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220944.py | 48 ++++++++++++++++++++ 22 files changed, 908 insertions(+) create mode 100644 CVEasy/Cisco/2022/cisco_xe/__init__.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220676.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220678.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220679.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220681.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220682.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220683.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220684.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220692.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220693.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220694.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220810.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220837.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220847.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220848.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220851.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220855.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220856.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220864.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220870.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220915.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220944.py diff --git a/CVEasy/Cisco/2022/cisco_xe/__init__.py b/CVEasy/Cisco/2022/cisco_xe/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220676.py b/CVEasy/Cisco/2022/cisco_xe/cve202220676.py new file mode 100644 index 00000000..e4c9db0d --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220676.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202220676', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_tcl='show running-config | include tclsh' + ), +) +def rule_cve202220676(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20676 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation of data that is passed into the Tcl interpreter. + An authenticated, local attacker with privilege level 15 could exploit this vulnerability by loading + malicious Tcl code on an affected device, allowing them to escalate to root-level privileges. + """ + # Extract the output of the command to check Tcl configuration + tcl_output = commands.check_tcl + + # Check if Tcl shell access is enabled + tcl_enabled = 'tclsh' in tcl_output + + # Assert that the device is not vulnerable + assert not tcl_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20676. " + "The device has Tcl shell access enabled, " + "which could allow an authenticated attacker with privilege level 15 to escalate to root privileges. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-grbtubU" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220678.py b/CVEasy/Cisco/2022/cisco_xe/cve202220678.py new file mode 100644 index 00000000..dd812915 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220678.py @@ -0,0 +1,35 @@ +from comfy import high + + +@high( + name='rule_cve202220678', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_appnav='show running-config | include appnav-controller|service-insertion' + ), +) +def rule_cve202220678(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20678 vulnerability in Cisco IOS XE Software. + The vulnerability is due to incorrect handling of certain TCP segments in the AppNav-XE feature. + An unauthenticated, remote attacker could exploit this vulnerability by sending a stream of crafted + TCP traffic at a high rate through an interface with AppNav interception enabled, causing the device + to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check AppNav configuration + appnav_output = commands.check_appnav + + # Check if AppNav-XE is configured + appnav_configured = any(feature in appnav_output for feature in [ + 'appnav-controller', 'service-insertion' + ]) + + # Assert that the device is not vulnerable + assert not appnav_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20678. " + "The device has AppNav-XE configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted TCP traffic. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-appnav-xe-dos-j5MXTR4" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220679.py b/CVEasy/Cisco/2022/cisco_xe/cve202220679.py new file mode 100644 index 00000000..0654fb70 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220679.py @@ -0,0 +1,47 @@ +import re # Add regex module +from comfy import high + + +@high( + name='rule_cve202220679', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_ipsec='show running-config | include crypto ipsec', + check_mtu='show interfaces | include MTU' + ), +) +def rule_cve202220679(configuration, commands, device, devices): + # Convert command outputs to strings to handle None values + ipsec_output = str(commands.check_ipsec or "") + mtu_output = str(commands.check_mtu or "") + + # Check if IPsec is configured + ipsec_configured = 'crypto ipsec' in ipsec_output + + # Check if any interface has MTU >= 1800 using regex + high_mtu = False + for line in mtu_output.splitlines(): + if 'MTU' in line: + # Use regex to find the first sequence of digits after "MTU" + match = re.search(r'MTU.*?(\d+)', line) + if match: + try: + mtu = int(match.group(1)) + if mtu >= 1800: + high_mtu = True + break + except ValueError: + continue + + # Device is vulnerable if both conditions are met + is_vulnerable = ipsec_configured and high_mtu + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20679. " + "The device has IPsec configured and interfaces with MTU >= 1800 bytes, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qfp-ipsec-GQmqvtqV" + ) \ No newline at end of file diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220681.py b/CVEasy/Cisco/2022/cisco_xe/cve202220681.py new file mode 100644 index 00000000..42aa3f4a --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220681.py @@ -0,0 +1,40 @@ +from comfy import high + + +@high( + name='rule_cve202220681', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis' + ), +) +def rule_cve202220681(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20681 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient validation of user privileges after executing certain CLI commands + on Cisco Catalyst 9000 Family Switches and Wireless Controllers. An authenticated, local attacker with low + privileges could exploit this vulnerability by executing certain CLI commands to elevate their privileges + to level 15. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Assert that the device is not vulnerable + assert not is_cat9k, ( + f"Device {device.name} is vulnerable to CVE-2022-20681. " + "The device is a Catalyst 9000 Series switch/wireless controller, " + "which could allow an authenticated attacker to elevate privileges to level 15 through certain CLI commands. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-priv-esc-ybvHKO5" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220682.py b/CVEasy/Cisco/2022/cisco_xe/cve202220682.py new file mode 100644 index 00000000..aa049d38 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220682.py @@ -0,0 +1,47 @@ +from comfy import high + + +@high( + name='rule_cve202220682', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include wireless|capwap' + ), +) +def rule_cve202220682(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20682 vulnerability in Cisco IOS XE Software. + The vulnerability is due to inadequate input validation of incoming CAPWAP packets encapsulating + multicast DNS (mDNS) queries in the Catalyst 9000 Family Wireless Controllers. An attacker could + exploit this vulnerability by connecting to a wireless network and sending a crafted mDNS query, + which would flow through and be processed by the wireless controller. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check wireless/CAPWAP configuration + wireless_output = commands.check_wireless + + # Check if wireless controller and CAPWAP are configured + wireless_configured = any(feature in wireless_output for feature in ['wireless', 'capwap']) + + # Device is vulnerable if it's a Cat9K and has wireless/CAPWAP configured + is_vulnerable = is_cat9k and wireless_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20682. " + "The device is a Catalyst 9000 Series wireless controller with CAPWAP configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted mDNS queries. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-capwap-mdns-6PSn7gKU" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220683.py b/CVEasy/Cisco/2022/cisco_xe/cve202220683.py new file mode 100644 index 00000000..f75dfa00 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220683.py @@ -0,0 +1,47 @@ +from comfy import high + + +@high( + name='rule_cve202220683', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_fnf='show running-config | include flow|performance monitor' + ), +) +def rule_cve202220683(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20683 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient packet verification for traffic inspected by the AVC feature + in Cisco Catalyst 9800 Series Wireless Controllers. An unauthenticated, remote attacker could exploit + this vulnerability by sending crafted packets from the wired network to a wireless client, causing + the wireless controller to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9800 Series + is_cat9800 = 'C9800' in platform_output + + # If not a Catalyst 9800 device, it's not vulnerable + if not is_cat9800: + return + + # Extract the output of the command to check AVC/FNF configuration + fnf_output = commands.check_fnf + + # Check if AVC/FNF is configured + fnf_configured = any(feature in fnf_output for feature in ['flow', 'performance monitor']) + + # Device is vulnerable if it's a Cat9800 and has AVC/FNF configured + is_vulnerable = is_cat9800 and fnf_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20683. " + "The device is a Catalyst 9800 Series wireless controller with AVC/FNF configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-fnf-dos-bOL5vLge" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220684.py b/CVEasy/Cisco/2022/cisco_xe/cve202220684.py new file mode 100644 index 00000000..7652082a --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220684.py @@ -0,0 +1,48 @@ +from comfy import high + + +@high( + name='rule_cve202220684', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include wireless|snmp-server' + ), +) +def rule_cve202220684(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20684 vulnerability in Cisco IOS XE Software. + The vulnerability is due to a lack of input validation of the information used to generate an SNMP trap + related to a wireless client connection event in Catalyst 9000 Family Wireless Controllers. An attacker + could exploit this vulnerability by sending an 802.1x packet with crafted parameters during the wireless + authentication setup phase of a connection. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check wireless and SNMP configuration + wireless_output = commands.check_wireless + + # Check if wireless controller and SNMP traps are configured + wireless_configured = 'wireless' in wireless_output + snmp_configured = 'snmp-server' in wireless_output + + # Device is vulnerable if it's a Cat9K and has both wireless and SNMP configured + is_vulnerable = is_cat9k and wireless_configured and snmp_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20684. " + "The device is a Catalyst 9000 Series wireless controller with SNMP traps configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted 802.1x packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-snmp-trap-dos-mjent3Ey" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220692.py b/CVEasy/Cisco/2022/cisco_xe/cve202220692.py new file mode 100644 index 00000000..fde47890 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220692.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202220692', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_netconf='show running-config | include netconf-yang|ssh' + ), +) +def rule_cve202220692(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20692 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient resource management in the NETCONF over SSH feature. + A low-privileged, authenticated, remote attacker could exploit this vulnerability by initiating + a large number of NETCONF over SSH connections, causing the device to reload and resulting in + a denial of service (DoS) condition. + """ + # Extract the output of the command to check NETCONF configuration + netconf_output = commands.check_netconf + + # Check if NETCONF over SSH is enabled + netconf_enabled = 'netconf-yang' in netconf_output and 'ssh' in netconf_output + + # Assert that the device is not vulnerable + assert not netconf_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20692. " + "The device has NETCONF over SSH enabled, " + "which could allow an authenticated attacker to cause a denial of service through multiple connections. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncossh-dos-ZAkfOdq8" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220693.py b/CVEasy/Cisco/2022/cisco_xe/cve202220693.py new file mode 100644 index 00000000..173c821e --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220693.py @@ -0,0 +1,37 @@ +from comfy import high + + +@high( + name='rule_cve202220693', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|restconf' + ), +) +def rule_cve202220693(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20693 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation in the web UI feature. + An authenticated, remote attacker could exploit this vulnerability by sending crafted input + to the web UI API, allowing them to inject commands to the underlying operating system with + root privileges. + """ + # Extract the output of the command to check web UI configuration + webui_output = commands.check_webui + + # Check if web UI or RESTCONF is enabled + webui_enabled = any(feature in webui_output for feature in [ + 'ip http server', + 'ip http secure-server', + 'restconf' + ]) + + # Assert that the device is not vulnerable + assert not webui_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20693. " + "The device has web UI or RESTCONF enabled, " + "which could allow an authenticated attacker to inject commands with root privileges through crafted API input. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webuiapi-inj-Nyrq92Od" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220694.py b/CVEasy/Cisco/2022/cisco_xe/cve202220694.py new file mode 100644 index 00000000..0b3d0cf0 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220694.py @@ -0,0 +1,37 @@ +from comfy import high + + +@high( + name='rule_cve202220694', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_rpki='show running-config | include router bgp|rpki' + ), +) +def rule_cve202220694(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20694 vulnerability in Cisco IOS XE Software. + The vulnerability is due to incorrect handling of RPKI to Router (RTR) Protocol packet headers + in the Resource Public Key Infrastructure (RPKI) feature. An unauthenticated, remote attacker + could exploit this vulnerability by sending crafted RTR packets to cause the BGP process to crash, + resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check BGP and RPKI configuration + rpki_output = commands.check_rpki + + # Check if BGP is configured with RPKI + bgp_configured = 'router bgp' in rpki_output + rpki_configured = 'rpki' in rpki_output + + # Device is vulnerable if both BGP and RPKI are configured + is_vulnerable = bgp_configured and rpki_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20694. " + "The device has BGP configured with RPKI, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted RTR packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-rpki-dos-2EgCNeKE" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220810.py b/CVEasy/Cisco/2022/cisco_xe/cve202220810.py new file mode 100644 index 00000000..d68c49c9 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220810.py @@ -0,0 +1,47 @@ +from comfy import high + +@high( + name='rule_cve202220810', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_snmp='show running-config | include snmp-server|wireless' + ), +) +def rule_cve202220810(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20810 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient restrictions in the SNMP feature of Catalyst 9000 Family + Wireless Controllers that could allow sensitive configuration details to be disclosed. An authenticated, + remote attacker could exploit this vulnerability by retrieving data through SNMP read-only community access, + allowing them to view SSID preshared keys (PSKs) configured on the device. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check SNMP and wireless configuration + snmp_output = commands.check_snmp + + # Check if SNMP and wireless are configured + snmp_configured = 'snmp-server' in snmp_output + wireless_configured = 'wireless' in snmp_output + + # Device is vulnerable if it's a Cat9K and has both SNMP and wireless configured + is_vulnerable = is_cat9k and snmp_configured and wireless_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20810. " + "The device is a Catalyst 9000 Series wireless controller with SNMP configured, " + "which could allow an authenticated attacker to view SSID preshared keys through SNMP read-only access. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cwlc-snmpidv-rnyyQzUZ" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220837.py b/CVEasy/Cisco/2022/cisco_xe/cve202220837.py new file mode 100644 index 00000000..e0714f58 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220837.py @@ -0,0 +1,37 @@ +from comfy import high + + +@high( + name='rule_cve202220837', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_nat='show running-config | include ip nat|alg' + ), +) +def rule_cve202220837(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20837 vulnerability in Cisco IOS XE Software. + The vulnerability is due to a logic error in the DNS application layer gateway (ALG) functionality + used by Network Address Translation (NAT). An unauthenticated, remote attacker could exploit this + vulnerability by sending crafted IPv4 TCP DNS packets through an affected device that is performing + NAT for DNS packets, causing the device to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check NAT and ALG configuration + nat_output = commands.check_nat + + # Check if NAT is configured with DNS ALG + nat_configured = 'ip nat' in nat_output + alg_enabled = not ('no ip nat service alg dns tcp' in nat_output) # ALG is enabled by default + + # Device is vulnerable if NAT is configured and DNS ALG is not explicitly disabled + is_vulnerable = nat_configured and alg_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20837. " + "The device has NAT configured with DNS ALG enabled, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted IPv4 TCP DNS packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-alg-dos-KU9Z8kFX" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220847.py b/CVEasy/Cisco/2022/cisco_xe/cve202220847.py new file mode 100644 index 00000000..c6208b1e --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220847.py @@ -0,0 +1,48 @@ +from comfy import high + + +@high( + name='rule_cve202220847', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_dhcp='show running-config | include ip dhcp|wireless' + ), +) +def rule_cve202220847(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20847 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper processing of DHCP messages in Catalyst 9000 Family + Wireless Controllers. An unauthenticated, remote attacker could exploit this vulnerability + by sending malicious DHCP messages to an affected device, causing it to reload and resulting + in a denial of service (DoS) condition. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check DHCP and wireless configuration + dhcp_output = commands.check_dhcp + + # Check if DHCP and wireless are configured + dhcp_configured = 'ip dhcp' in dhcp_output + wireless_configured = 'wireless' in dhcp_output + + # Device is vulnerable if it's a Cat9K and has both DHCP and wireless configured + is_vulnerable = is_cat9k and dhcp_configured and wireless_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20847. " + "The device is a Catalyst 9000 Series wireless controller with DHCP configured, " + "which could allow an unauthenticated attacker to cause a denial of service through malicious DHCP messages. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-dhcp-dos-76pCjPxK" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220848.py b/CVEasy/Cisco/2022/cisco_xe/cve202220848.py new file mode 100644 index 00000000..cc4ef75a --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220848.py @@ -0,0 +1,51 @@ +from comfy import high + + +@high( + name='rule_cve202220848', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include ap|wireless' + ), +) +def rule_cve202220848(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20848 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper processing of UDP datagrams in Embedded Wireless Controllers + on Catalyst 9100 Series Access Points. An unauthenticated, remote attacker could exploit this + vulnerability by sending malicious UDP datagrams to an affected device, causing it to reload + and resulting in a denial of service (DoS) condition. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9100 Series AP + is_cat9100 = 'C91' in platform_output + + # If not a Catalyst 9100 device, it's not vulnerable + if not is_cat9100: + return + + # Extract the output of the command to check wireless configuration + wireless_output = commands.check_wireless + + # Check if device is configured as an embedded wireless controller + wireless_controller_enabled = any(feature in wireless_output for feature in [ + 'ap sso', + 'wireless management interface', + 'wireless controller' + ]) + + # Device is vulnerable if it's a Cat9100 and configured as wireless controller + is_vulnerable = is_cat9100 and wireless_controller_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20848. " + "The device is a Catalyst 9100 Series AP configured as an embedded wireless controller, " + "which could allow an unauthenticated attacker to cause a denial of service through malicious UDP datagrams. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-udp-dos-XDyEwhNz" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220851.py b/CVEasy/Cisco/2022/cisco_xe/cve202220851.py new file mode 100644 index 00000000..7104b977 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220851.py @@ -0,0 +1,37 @@ +from comfy import high + + +@high( + name='rule_cve202220851', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|restconf' + ), +) +def rule_cve202220851(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20851 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation in the web UI feature. + An authenticated, remote attacker with Administrator privileges could exploit this + vulnerability by sending crafted input to the web UI API, allowing them to execute + arbitrary commands on the underlying operating system with root privileges. + """ + # Extract the output of the command to check web UI configuration + webui_output = commands.check_webui + + # Check if web UI or RESTCONF is enabled + webui_enabled = any(feature in webui_output for feature in [ + 'ip http server', + 'ip http secure-server', + 'restconf' + ]) + + # Assert that the device is not vulnerable + assert not webui_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20851. " + "The device has web UI or RESTCONF enabled, " + "which could allow an authenticated attacker with Administrator privileges to execute arbitrary commands with root privileges. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-cmdinj-Gje47EMn" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220855.py b/CVEasy/Cisco/2022/cisco_xe/cve202220855.py new file mode 100644 index 00000000..2100bb57 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220855.py @@ -0,0 +1,51 @@ +from comfy import high + + +@high( + name='rule_cve202220855', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include ap|wireless' + ), +) +def rule_cve202220855(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20855 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper checks throughout the restart of certain system processes + in Embedded Wireless Controllers on Catalyst Access Points. An authenticated, local attacker with + privilege level 15 could exploit this vulnerability by executing certain CLI commands to escape + the restricted controller shell and execute arbitrary commands on the underlying OS as root. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9100 Series AP + is_cat9100 = 'C91' in platform_output + + # If not a Catalyst 9100 device, it's not vulnerable + if not is_cat9100: + return + + # Extract the output of the command to check wireless configuration + wireless_output = commands.check_wireless + + # Check if device is configured as an embedded wireless controller + wireless_controller_enabled = any(feature in wireless_output for feature in [ + 'ap sso', + 'wireless management interface', + 'wireless controller' + ]) + + # Device is vulnerable if it's a Cat9100 and configured as wireless controller + is_vulnerable = is_cat9100 and wireless_controller_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20855. " + "The device is a Catalyst 9100 Series AP configured as an embedded wireless controller, " + "which could allow a privileged attacker to execute arbitrary commands as root. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewc-priv-esc-nderYLtK" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220856.py b/CVEasy/Cisco/2022/cisco_xe/cve202220856.py new file mode 100644 index 00000000..a8c689e4 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220856.py @@ -0,0 +1,48 @@ +from comfy import high + + +@high( + name='rule_cve202220856', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include wireless|mobility' + ), +) +def rule_cve202220856(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20856 vulnerability in Cisco IOS XE Software. + The vulnerability is due to a logic error and improper management of resources related to + the handling of CAPWAP Mobility messages in Catalyst 9000 Family Wireless Controllers. + An unauthenticated, remote attacker could exploit this vulnerability by sending crafted + CAPWAP Mobility packets to exhaust resources on the affected device, causing it to reload. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check wireless and mobility configuration + wireless_output = commands.check_wireless + + # Check if wireless controller and mobility are configured + wireless_configured = 'wireless' in wireless_output + mobility_configured = 'mobility' in wireless_output + + # Device is vulnerable if it's a Cat9K and has both wireless and mobility configured + is_vulnerable = is_cat9k and wireless_configured and mobility_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20856. " + "The device is a Catalyst 9000 Series wireless controller with mobility configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted CAPWAP Mobility packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-mob-dos-342YAc6J" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220864.py b/CVEasy/Cisco/2022/cisco_xe/cve202220864.py new file mode 100644 index 00000000..91dc185e --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220864.py @@ -0,0 +1,44 @@ +from comfy import high + + +@high( + name='rule_cve202220864', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_password_recovery='show running-config | include no service password-recovery' + ), +) +def rule_cve202220864(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20864 vulnerability in Cisco IOS XE Software. + The vulnerability is due to a problem with the file and boot variable permissions in ROMMON + when password recovery is disabled. An unauthenticated, local attacker could exploit this + vulnerability by rebooting the switch into ROMMON and entering specific commands through + the console to read any file or reset the enable password. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst switch + is_catalyst = 'C9' in platform_output + + # If not a Catalyst switch, it's not vulnerable + if not is_catalyst: + return + + # Extract the output of the command to check password recovery configuration + password_recovery_output = commands.check_password_recovery + + # Check if password recovery is disabled + password_recovery_disabled = 'no service password-recovery' in password_recovery_output + + # Assert that the device is not vulnerable + assert not password_recovery_disabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20864. " + "The device is a Catalyst switch with password recovery disabled, " + "which could allow an unauthenticated attacker with physical access to recover configuration or reset passwords. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-info-disc-nrORXjO" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220870.py b/CVEasy/Cisco/2022/cisco_xe/cve202220870.py new file mode 100644 index 00000000..39da8e08 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220870.py @@ -0,0 +1,47 @@ +from comfy import high + + +@high( + name='rule_cve202220870', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_mpls='show running-config | include mpls' + ), +) +def rule_cve202220870(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20870 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation of IPv4 traffic in the egress MPLS + packet processing function of Catalyst 3650, 3850, and 9000 Family Switches. An unauthenticated, + remote attacker could exploit this vulnerability by sending a malformed packet out of an affected + MPLS-enabled interface, causing the device to reload. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a vulnerable Catalyst model (3650, 3850, or 9000 series) + is_vulnerable_platform = any(model in platform_output for model in ['C3650', 'C3850', 'C9']) + + # If not a vulnerable Catalyst model, it's not vulnerable + if not is_vulnerable_platform: + return + + # Extract the output of the command to check MPLS configuration + mpls_output = commands.check_mpls + + # Check if MPLS is enabled + mpls_enabled = 'mpls' in mpls_output + + # Device is vulnerable if it's a vulnerable platform and has MPLS enabled + is_vulnerable = is_vulnerable_platform and mpls_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20870. " + "The device is a Catalyst 3650/3850/9000 switch with MPLS enabled, " + "which could allow an unauthenticated attacker to cause a denial of service through malformed packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-mpls-dos-Ab4OUL3" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220915.py b/CVEasy/Cisco/2022/cisco_xe/cve202220915.py new file mode 100644 index 00000000..734d4009 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220915.py @@ -0,0 +1,47 @@ +from comfy import high + + +@high( + name='rule_cve202220915', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_6vpe='show running-config | include vrf|ipv6|zone', + check_zbfw='show running-config | include zone-pair|class-map|policy-map' + ), +) +def rule_cve202220915(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20915 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper error handling of an IPv6 packet that is forwarded from + an MPLS and ZBFW-enabled interface in a 6VPE deployment. An unauthenticated, adjacent attacker + could exploit this vulnerability by sending a crafted IPv6 packet sourced from a device on the + IPv6-enabled VRF interface through the affected device. + """ + # Extract the output of the commands + vpe_output = commands.check_6vpe + zbfw_output = commands.check_zbfw + + # Check if 6VPE is configured (requires VRF and IPv6) + vrf_configured = 'vrf' in vpe_output + ipv6_configured = 'ipv6' in vpe_output + vpe_configured = vrf_configured and ipv6_configured + + # Check if Zone-Based Firewall is configured + zbfw_configured = any(feature in zbfw_output for feature in [ + 'zone-pair', + 'class-map', + 'policy-map' + ]) + + # Device is vulnerable if both 6VPE and ZBFW are configured + is_vulnerable = vpe_configured and zbfw_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20915. " + "The device has IPv6 VPN over MPLS (6VPE) and Zone-Based Firewall configured, " + "which could allow an adjacent attacker to cause a denial of service through crafted IPv6 packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-6vpe-dos-tJBtf5Zv" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220944.py b/CVEasy/Cisco/2022/cisco_xe/cve202220944.py new file mode 100644 index 00000000..42a825a2 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220944.py @@ -0,0 +1,48 @@ +from comfy import high + + +@high( + name='rule_cve202220944', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_secure_boot='show platform software authenticity' + ), +) +def rule_cve202220944(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20944 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper verification of digital signatures during the boot process + in Catalyst 9200 Series Switches. An unauthenticated, physical attacker could exploit this + vulnerability by loading unsigned code at system boot time, allowing them to bypass image + verification and execute arbitrary code. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9200 Series + is_cat9200 = 'C92' in platform_output + + # If not a Catalyst 9200 device, it's not vulnerable + if not is_cat9200: + return + + # Extract the output of the command to check secure boot status + secure_boot_output = commands.check_secure_boot + + # Check if secure boot is disabled or not properly configured + secure_boot_disabled = ( + 'Image verification is disabled' in secure_boot_output or + 'Secure Boot: disabled' in secure_boot_output or + not secure_boot_output # If no output, assume it's not properly configured + ) + + # Assert that the device is not vulnerable + assert not secure_boot_disabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20944. " + "The device is a Catalyst 9200 Series switch with image verification disabled or not properly configured, " + "which could allow an attacker with physical access to execute unsigned code at boot time. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-cat-verify-D4NEQA6q" + ) From c70fb5855dc5ec0292c81cb3334d6d9773040e1c Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Sun, 1 Jun 2025 19:55:35 +0000 Subject: [PATCH 5/9] cisco_xe 2022 cves --- CVEasy/Cisco/2022/cisco_xe/cve202220679.py | 2 +- CVEasy/Cisco/2022/cisco_xe/cve202220681.py | 2 ++ CVEasy/Cisco/2022/cisco_xe/cve202220693.py | 3 ++- CVEasy/Cisco/2022/cisco_xe/cve202220810.py | 1 + CVEasy/Cisco/2022/cisco_xe/cve202220837.py | 3 ++- CVEasy/Cisco/2022/cisco_xe/cve202220851.py | 3 ++- CVEasy/Cisco/2022/cisco_xe/cve202220856.py | 3 ++- CVEasy/Cisco/2022/cisco_xe/cve202220864.py | 3 ++- 8 files changed, 14 insertions(+), 6 deletions(-) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220679.py b/CVEasy/Cisco/2022/cisco_xe/cve202220679.py index 0654fb70..d876fa19 100644 --- a/CVEasy/Cisco/2022/cisco_xe/cve202220679.py +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220679.py @@ -44,4 +44,4 @@ def rule_cve202220679(configuration, commands, device, devices): "which could allow an attacker to cause a denial of service. " "For more information, see" "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qfp-ipsec-GQmqvtqV" - ) \ No newline at end of file + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220681.py b/CVEasy/Cisco/2022/cisco_xe/cve202220681.py index 42aa3f4a..a75b1d96 100644 --- a/CVEasy/Cisco/2022/cisco_xe/cve202220681.py +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220681.py @@ -20,6 +20,8 @@ def rule_cve202220681(configuration, commands, device, devices): # Extract the version information from the command output version_output = commands.show_version + _ = version_output # intentionally unused + # Extract the platform information platform_output = commands.check_platform diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220693.py b/CVEasy/Cisco/2022/cisco_xe/cve202220693.py index 173c821e..5ff4d0d2 100644 --- a/CVEasy/Cisco/2022/cisco_xe/cve202220693.py +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220693.py @@ -31,7 +31,8 @@ def rule_cve202220693(configuration, commands, device, devices): assert not webui_enabled, ( f"Device {device.name} is vulnerable to CVE-2022-20693. " "The device has web UI or RESTCONF enabled, " - "which could allow an authenticated attacker to inject commands with root privileges through crafted API input. " + "which could allow an authenticated attacker to inject commands with root privileges through " + "crafted API input. " "For more information, see" "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webuiapi-inj-Nyrq92Od" ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220810.py b/CVEasy/Cisco/2022/cisco_xe/cve202220810.py index d68c49c9..800e1562 100644 --- a/CVEasy/Cisco/2022/cisco_xe/cve202220810.py +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220810.py @@ -1,5 +1,6 @@ from comfy import high + @high( name='rule_cve202220810', platform=['cisco_xe'], diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220837.py b/CVEasy/Cisco/2022/cisco_xe/cve202220837.py index e0714f58..4ad69d65 100644 --- a/CVEasy/Cisco/2022/cisco_xe/cve202220837.py +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220837.py @@ -31,7 +31,8 @@ def rule_cve202220837(configuration, commands, device, devices): assert not is_vulnerable, ( f"Device {device.name} is vulnerable to CVE-2022-20837. " "The device has NAT configured with DNS ALG enabled, " - "which could allow an unauthenticated attacker to cause a denial of service through crafted IPv4 TCP DNS packets. " + "which could allow an unauthenticated attacker to cause a denial of service through crafted " + "IPv4 TCP DNS packets. " "For more information, see" "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-alg-dos-KU9Z8kFX" ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220851.py b/CVEasy/Cisco/2022/cisco_xe/cve202220851.py index 7104b977..23b129aa 100644 --- a/CVEasy/Cisco/2022/cisco_xe/cve202220851.py +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220851.py @@ -31,7 +31,8 @@ def rule_cve202220851(configuration, commands, device, devices): assert not webui_enabled, ( f"Device {device.name} is vulnerable to CVE-2022-20851. " "The device has web UI or RESTCONF enabled, " - "which could allow an authenticated attacker with Administrator privileges to execute arbitrary commands with root privileges. " + "which could allow an authenticated attacker with Administrator privileges to execute arbitrary " + "commands with root privileges. " "For more information, see" "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-cmdinj-Gje47EMn" ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220856.py b/CVEasy/Cisco/2022/cisco_xe/cve202220856.py index a8c689e4..01b3ebcd 100644 --- a/CVEasy/Cisco/2022/cisco_xe/cve202220856.py +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220856.py @@ -42,7 +42,8 @@ def rule_cve202220856(configuration, commands, device, devices): assert not is_vulnerable, ( f"Device {device.name} is vulnerable to CVE-2022-20856. " "The device is a Catalyst 9000 Series wireless controller with mobility configured, " - "which could allow an unauthenticated attacker to cause a denial of service through crafted CAPWAP Mobility packets. " + "which could allow an unauthenticated attacker to cause a denial of service through crafted " + "CAPWAP Mobility packets. " "For more information, see" "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-mob-dos-342YAc6J" ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220864.py b/CVEasy/Cisco/2022/cisco_xe/cve202220864.py index 91dc185e..c0d1e7a5 100644 --- a/CVEasy/Cisco/2022/cisco_xe/cve202220864.py +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220864.py @@ -38,7 +38,8 @@ def rule_cve202220864(configuration, commands, device, devices): assert not password_recovery_disabled, ( f"Device {device.name} is vulnerable to CVE-2022-20864. " "The device is a Catalyst switch with password recovery disabled, " - "which could allow an unauthenticated attacker with physical access to recover configuration or reset passwords. " + "which could allow an unauthenticated attacker with physical access to recover configuration " + "or reset passwords. " "For more information, see" "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-info-disc-nrORXjO" ) From 91456ea475da94c3dda644d69aff53d70ad61cff Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Sun, 1 Jun 2025 20:18:00 +0000 Subject: [PATCH 6/9] cisco_xr 2022 cves --- CVEasy/Cisco/2022/cisco_xr/__init__.py | 0 CVEasy/Cisco/2022/cisco_xr/cve202220655.py | 54 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xr/cve202220714.py | 33 ++++++++++++ CVEasy/Cisco/2022/cisco_xr/cve202220758.py | 37 ++++++++++++++ CVEasy/Cisco/2022/cisco_xr/cve202220821.py | 39 ++++++++++++++ CVEasy/Cisco/2022/cisco_xr/cve202220845.py | 59 ++++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xr/cve202220846.py | 58 +++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xr/cve202220849.py | 55 ++++++++++++++++++++ 8 files changed, 335 insertions(+) create mode 100644 CVEasy/Cisco/2022/cisco_xr/__init__.py create mode 100644 CVEasy/Cisco/2022/cisco_xr/cve202220655.py create mode 100644 CVEasy/Cisco/2022/cisco_xr/cve202220714.py create mode 100644 CVEasy/Cisco/2022/cisco_xr/cve202220758.py create mode 100644 CVEasy/Cisco/2022/cisco_xr/cve202220821.py create mode 100644 CVEasy/Cisco/2022/cisco_xr/cve202220845.py create mode 100644 CVEasy/Cisco/2022/cisco_xr/cve202220846.py create mode 100644 CVEasy/Cisco/2022/cisco_xr/cve202220849.py diff --git a/CVEasy/Cisco/2022/cisco_xr/__init__.py b/CVEasy/Cisco/2022/cisco_xr/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220655.py b/CVEasy/Cisco/2022/cisco_xr/cve202220655.py new file mode 100644 index 00000000..d3229321 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220655.py @@ -0,0 +1,54 @@ +from comfy import high + + +@high( + name='rule_cve202220655', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_confd='show processes confd' + ), +) +def rule_cve202220655(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20655 vulnerability in Cisco IOS XR Software. + The vulnerability is due to insufficient validation of a process argument in the ConfD CLI. + An authenticated, local attacker could exploit this vulnerability by injecting commands during + the execution of this process, allowing them to execute arbitrary commands on the underlying + operating system with root privileges. + """ + # List of vulnerable versions + vulnerable_versions = [ + '7.0.1', '7.0.2', '7.0.3', '7.1.0', # IOS XR versions + '2.6.5', # Virtual Topology System versions + '4.3.9.1', '4.4.5.6', '4.5.7', '4.6.1.7', '4.7.1', '5.1.0.1', # Network Services Orchestrator versions + '3.12.1', # Enterprise NFV Infrastructure Software versions + '18.4.4', '19.2.1', # Catalyst SD-WAN Manager versions + '16.10.2', '16.12.1b', '17.2.1r', # IOS XE Catalyst SD-WAN versions + '18.4.4', '19.2.1' # SD-WAN vEdge Router versions + ] + + # Extract the version information + version_output = commands.show_version + + # Check if version is vulnerable + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check ConfD process + confd_output = commands.check_confd + + # Check if ConfD is running + confd_running = 'confd' in confd_output + + # Assert that the device is not vulnerable + assert not confd_running, ( + f"Device {device.name} is vulnerable to CVE-2022-20655. " + "The device is running a vulnerable version with ConfD enabled, " + "which could allow an authenticated attacker to execute arbitrary commands with root privileges. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cli-cmdinj-4MttWZPB" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220714.py b/CVEasy/Cisco/2022/cisco_xr/cve202220714.py new file mode 100644 index 00000000..c434098d --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220714.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202220714', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_linecard='show inventory | include Lightspeed-Plus' + ), +) +def rule_cve202220714(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20714 vulnerability in Cisco IOS XR Software. + The vulnerability is due to incorrect handling of malformed packets in the data plane microcode + of Lightspeed-Plus line cards for ASR 9000 Series routers. An unauthenticated, remote attacker + could exploit this vulnerability by sending crafted IPv4 or IPv6 packets through an affected device, + causing the line card to reset and resulting in a denial of service condition. + """ + # Extract the output of the command to check for Lightspeed-Plus line cards + linecard_output = commands.check_linecard + + # Check if Lightspeed-Plus line cards are present + lightspeed_plus_present = 'Lightspeed-Plus' in linecard_output + + # Assert that the device is not vulnerable + assert not lightspeed_plus_present, ( + f"Device {device.name} is vulnerable to CVE-2022-20714. " + "The device has Lightspeed-Plus line cards installed, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted IPv4/IPv6 packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lsplus-Z6AQEOjk" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220758.py b/CVEasy/Cisco/2022/cisco_xr/cve202220758.py new file mode 100644 index 00000000..5f0e6a84 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220758.py @@ -0,0 +1,37 @@ +from comfy import high + + +@high( + name='rule_cve202220758', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_bgp='show running-config | include router bgp|address-family l2vpn evpn' + ), +) +def rule_cve202220758(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20758 vulnerability in Cisco IOS XR Software. + The vulnerability is due to incorrect processing of BGP update messages containing specific EVPN attributes. + An unauthenticated, remote attacker could exploit this vulnerability by sending crafted BGP update messages + through an established trusted peer connection, causing the BGP process to restart and resulting in a + denial of service (DoS) condition. + """ + # Extract the output of the command to check BGP EVPN configuration + bgp_output = commands.check_bgp + + # Check if BGP is configured with L2VPN EVPN address family + bgp_configured = 'router bgp' in bgp_output + evpn_configured = 'address-family l2vpn evpn' in bgp_output + + # Device is vulnerable if both BGP and L2VPN EVPN are configured + is_vulnerable = bgp_configured and evpn_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20758. " + "The device has BGP configured with L2VPN EVPN address-family, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted BGP update messages. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgpevpn-zWTRtPBb" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220821.py b/CVEasy/Cisco/2022/cisco_xr/cve202220821.py new file mode 100644 index 00000000..befbecc7 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220821.py @@ -0,0 +1,39 @@ +from comfy import high + + +@high( + name='rule_cve202220821', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_redis='show processes | include redis', + check_port='show processes | include 6379' + ), +) +def rule_cve202220821(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20821 vulnerability in Cisco IOS XR Software. + The vulnerability is due to the health check RPM opening TCP port 6379 by default upon activation. + An unauthenticated, remote attacker could exploit this vulnerability by connecting to the Redis + instance on the open port, allowing them to write to the Redis in-memory database, write arbitrary + files to the container filesystem, and retrieve information about the Redis database. + """ + # Extract the output of the commands + redis_output = commands.check_redis + port_output = commands.check_port + + # Check if Redis is running and port 6379 is open + redis_running = 'redis' in redis_output + port_open = '6379' in port_output + + # Device is vulnerable if Redis is running and port 6379 is open + is_vulnerable = redis_running and port_open + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20821. " + "The device has Redis running with port 6379 open, " + "which could allow an unauthenticated attacker to access and modify the Redis database. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220845.py b/CVEasy/Cisco/2022/cisco_xr/cve202220845.py new file mode 100644 index 00000000..6687124a --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220845.py @@ -0,0 +1,59 @@ +from comfy import high + + +@high( + name='rule_cve202220845', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_tl1='show processes | include tl1' + ), +) +def rule_cve202220845(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20845 vulnerability in Cisco IOS XR Software. + The vulnerability is due to TL1 not freeing memory under some conditions in NCS 4000 Series devices. + An authenticated, local attacker could exploit this vulnerability by connecting to the device and + issuing TL1 commands, causing the TL1 process to consume large amounts of memory and potentially + leading to a denial of service condition. + """ + # List of vulnerable versions + vulnerable_versions = [ + '6.5.25', '6.5.26', '6.5.28', '6.5.29', '6.5.31', '6.5.32' + ] + + # Extract the version information + version_output = commands.show_version + + # Check if version is vulnerable + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is an NCS 4000 Series + is_ncs4k = 'NCS-4' in platform_output + + # If not an NCS 4000 device, it's not vulnerable + if not is_ncs4k: + return + + # Extract the output of the command to check TL1 process + tl1_output = commands.check_tl1 + + # Check if TL1 process is running + tl1_running = 'tl1' in tl1_output + + # Assert that the device is not vulnerable + assert not tl1_running, ( + f"Device {device.name} is vulnerable to CVE-2022-20845. " + "The device is an NCS 4000 Series running a vulnerable version with TL1 process enabled, " + "which could allow an authenticated attacker to cause a denial of service through memory exhaustion. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncs4k-tl1-GNnLwC6" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220846.py b/CVEasy/Cisco/2022/cisco_xr/cve202220846.py new file mode 100644 index 00000000..80868215 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220846.py @@ -0,0 +1,58 @@ +from comfy import high + + +@high( + name='rule_cve202220846', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_cdp='show running-config | include cdp' + ), +) +def rule_cve202220846(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20846 vulnerability in Cisco IOS XR Software. + The vulnerability is due to a heap buffer overflow in certain Cisco Discovery Protocol messages. + An unauthenticated, adjacent attacker could exploit this vulnerability by sending malicious + Cisco Discovery Protocol packets to an affected device, causing the CDP process to reload. + """ + # List of vulnerable versions + vulnerable_versions = [ + '6.5.1', '6.5.2', '6.5.3', '6.5.15', '6.5.25', '6.5.26', '6.5.28', '6.5.29', + '6.5.31', '6.5.32', '6.5.90', '6.5.92', '6.5.93', + '6.6.1', '6.6.2', '6.6.3', '6.6.4', '6.6.11', '6.6.12', '6.6.25', + '6.7.1', '6.7.2', '6.7.3', '6.7.4', '6.7.35', + '6.8.1', '6.8.2', '6.9.1', + '7.0.0', '7.0.1', '7.0.2', '7.0.11', '7.0.12', '7.0.14', '7.0.90', + '7.1.1', '7.1.2', '7.1.3', '7.1.15', '7.1.25', + '7.2.0', '7.2.1', '7.2.2', '7.2.12', + '7.3.1', '7.3.2', '7.3.3', '7.3.4', '7.3.15', '7.3.16', '7.3.27', + '7.4.1', '7.4.2', '7.4.15', '7.4.16', + '7.5.1', '7.5.2', '7.5.12', + '7.6.1', '7.6.15' + ] + + # Extract the version information + version_output = commands.show_version + + # Check if version is vulnerable + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check CDP configuration + cdp_output = commands.check_cdp + + # Check if CDP is enabled (CDP is enabled by default unless explicitly disabled) + cdp_disabled = 'no cdp' in cdp_output + + # Assert that the device is not vulnerable + assert cdp_disabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20846. " + "The device is running a vulnerable version with CDP enabled, " + "which could allow an adjacent attacker to cause a denial of service through malicious CDP packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xr-cdp-wnALzvT2" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220849.py b/CVEasy/Cisco/2022/cisco_xr/cve202220849.py new file mode 100644 index 00000000..acc5b32b --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220849.py @@ -0,0 +1,55 @@ +from comfy import high + + +@high( + name='rule_cve202220849', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_pppoe='show running-config | include bba-group pppoe|pppoe enable' + ), +) +def rule_cve202220849(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20849 vulnerability in Cisco IOS XR Software. + The vulnerability is due to improper handling of error conditions within specific PPPoE packet + sequences in the Broadband Network Gateway feature. An unauthenticated, adjacent attacker could + exploit this vulnerability by sending a sequence of specific PPPoE packets from controlled CPE, + causing the PPPoE process to continually restart and resulting in a denial of service condition. + """ + # List of vulnerable versions + vulnerable_versions = [ + '6.5.1', '6.5.2', '6.5.3', '6.5.15', '6.6.1', '6.6.2', '6.6.3', '6.6.4', '6.6.25', + '6.7.1', '6.7.2', '6.7.3', '6.7.35', '6.8.1', '6.8.2', '6.9.1', + '7.0.1', '7.0.2', '7.0.90', '7.1.1', '7.1.2', '7.1.3', '7.1.15', '7.1.25', + '7.2.1', '7.2.2', '7.3.1', '7.3.2', '7.3.3', '7.3.4', '7.4.1', '7.4.2', + '7.5.1' + ] + + # Extract the version information + version_output = commands.show_version + + # Check if version is vulnerable + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check PPPoE configuration + pppoe_output = commands.check_pppoe + + # Check if PPPoE is configured + pppoe_configured = any(feature in pppoe_output for feature in [ + 'bba-group pppoe', + 'pppoe enable' + ]) + + # Assert that the device is not vulnerable + assert not pppoe_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20849. " + "The device is running a vulnerable version with PPPoE enabled, " + "which could allow an adjacent attacker to cause a denial of service through crafted PPPoE packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-bng-Gmg5Gxt" + ) From 35f3b68c9173776e97f1efa55712827c89aa25c5 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Sun, 1 Jun 2025 20:26:49 +0000 Subject: [PATCH 7/9] cisco_xr 2022 cves --- CVEasy/Cisco/2022/cisco_xr/cve202220758.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220758.py b/CVEasy/Cisco/2022/cisco_xr/cve202220758.py index 5f0e6a84..0b8c565f 100644 --- a/CVEasy/Cisco/2022/cisco_xr/cve202220758.py +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220758.py @@ -31,7 +31,8 @@ def rule_cve202220758(configuration, commands, device, devices): assert not is_vulnerable, ( f"Device {device.name} is vulnerable to CVE-2022-20758. " "The device has BGP configured with L2VPN EVPN address-family, " - "which could allow an unauthenticated attacker to cause a denial of service through crafted BGP update messages. " + "which could allow an unauthenticated attacker to cause a denial of service through crafted " + "BGP update messages. " "For more information, see" "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgpevpn-zWTRtPBb" ) From c11981a297c59eebb7955baedec111363c6e600e Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Sun, 1 Jun 2025 20:33:43 +0000 Subject: [PATCH 8/9] cisco_nxos 2022 cves --- CVEasy/Cisco/2022/cisco_nxos/__init__.py | 0 CVEasy/Cisco/2022/cisco_nxos/cve202220623.py | 44 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_nxos/cve202220624.py | 38 +++++++++++++++++ CVEasy/Cisco/2022/cisco_nxos/cve202220625.py | 38 +++++++++++++++++ CVEasy/Cisco/2022/cisco_nxos/cve202220650.py | 37 ++++++++++++++++ CVEasy/Cisco/2022/cisco_nxos/cve202220823.py | 41 ++++++++++++++++++ CVEasy/Cisco/2022/cisco_nxos/cve202220824.py | 37 ++++++++++++++++ 7 files changed, 235 insertions(+) create mode 100644 CVEasy/Cisco/2022/cisco_nxos/__init__.py create mode 100644 CVEasy/Cisco/2022/cisco_nxos/cve202220623.py create mode 100644 CVEasy/Cisco/2022/cisco_nxos/cve202220624.py create mode 100644 CVEasy/Cisco/2022/cisco_nxos/cve202220625.py create mode 100644 CVEasy/Cisco/2022/cisco_nxos/cve202220650.py create mode 100644 CVEasy/Cisco/2022/cisco_nxos/cve202220823.py create mode 100644 CVEasy/Cisco/2022/cisco_nxos/cve202220824.py diff --git a/CVEasy/Cisco/2022/cisco_nxos/__init__.py b/CVEasy/Cisco/2022/cisco_nxos/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220623.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220623.py new file mode 100644 index 00000000..68d2b466 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220623.py @@ -0,0 +1,44 @@ +from comfy import high + + +@high( + name='rule_cve202220623', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_bfd='show running-config | include feature bfd' + ), +) +def rule_cve202220623(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20623 vulnerability in Cisco NX-OS Software. + The vulnerability is due to a logic error in the BFD rate limiter functionality of Nexus 9000 Series Switches. + An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted stream of traffic + through the device, causing BFD traffic to be dropped and resulting in BFD session flaps, route instability, + and a denial of service condition. + """ + # Extract the platform information + platform_output = commands.show_version + + # Check if the device is a Nexus 9000 Series + is_n9k = 'Nexus 9000' in platform_output + + # If not a Nexus 9000 device, it's not vulnerable + if not is_n9k: + return + + # Extract the output of the command to check BFD configuration + bfd_output = commands.check_bfd + + # Check if BFD is enabled + bfd_enabled = 'feature bfd' in bfd_output + + # Assert that the device is not vulnerable + assert not bfd_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20623. " + "The device is a Nexus 9000 Series switch with BFD enabled, " + "which could allow an unauthenticated attacker to cause BFD session flaps and a denial of service " + "through crafted traffic. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-bfd-dos-wGQXrzxn" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220624.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220624.py new file mode 100644 index 00000000..32f2796b --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220624.py @@ -0,0 +1,38 @@ +from comfy import high + + +@high( + name='rule_cve202220624', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_cfs='show running-config | include cfs ipv4 distribute' + ), +) +def rule_cve202220624(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20624 vulnerability in Cisco NX-OS Software. + The vulnerability is due to insufficient validation of incoming CFSoIP packets. + An unauthenticated, remote attacker could exploit this vulnerability by sending crafted + CFSoIP packets to an affected device, causing it to reload and resulting in a denial of + service condition. + """ + # Extract the output of the command to check CFS configuration + cfs_output = commands.check_cfs + + # Check if CFSoIP is enabled + cfs_enabled = 'cfs ipv4 distribute' in cfs_output + + # If CFSoIP is not enabled, device is not vulnerable + if not cfs_enabled: + return + + # Assert that the device is not vulnerable + assert not cfs_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20624. " + "The device has Cisco Fabric Services over IP (CFSoIP) enabled, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted " + "CFSoIP packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cfsoip-dos-tpykyDr" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220625.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220625.py new file mode 100644 index 00000000..24ec9eb1 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220625.py @@ -0,0 +1,38 @@ +from comfy import high + + +@high( + name='rule_cve202220625', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_cdp='show running-config | include no cdp enable|cdp enable' + ), +) +def rule_cve202220625(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20625 vulnerability in Cisco NX-OS Software. + The vulnerability is due to improper handling of Cisco Discovery Protocol messages. + An unauthenticated, adjacent attacker could exploit this vulnerability by sending + malicious CDP packets to an affected device, causing the CDP service to fail and + restart, and in rare conditions, causing the entire device to restart. + """ + # Extract the output of the command to check CDP configuration + cdp_output = commands.check_cdp + + # Check if CDP is enabled + cdp_enabled = 'cdp enable' in cdp_output + + # If CDP is not enabled, device is not vulnerable + if not cdp_enabled: + return + + # Assert that the device is not vulnerable + assert not cdp_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20625. " + "The device has Cisco Discovery Protocol enabled, " + "which could allow an adjacent attacker to cause a denial of service through " + "malicious CDP packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cdp-dos-G8DPLWYG" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220650.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220650.py new file mode 100644 index 00000000..94e66d00 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220650.py @@ -0,0 +1,37 @@ +from comfy import high + + +@high( + name='rule_cve202220650', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_nxapi='show running-config | include feature nxapi' + ), +) +def rule_cve202220650(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20650 vulnerability in Cisco NX-OS Software. + The vulnerability is due to insufficient input validation of user supplied data that is sent to the NX-API. + An authenticated, remote attacker could exploit this vulnerability by sending a crafted HTTP POST request + to the NX-API of an affected device, allowing them to execute arbitrary commands with root privileges. + Note: The NX-API feature is disabled by default. + """ + # Extract the output of the command to check NX-API configuration + nxapi_output = commands.check_nxapi + + # Check if NX-API is enabled + nxapi_enabled = 'feature nxapi' in nxapi_output + + # If NX-API is not enabled, device is not vulnerable + if not nxapi_enabled: + return + + # Assert that the device is not vulnerable + assert not nxapi_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20650. " + "The device has NX-API enabled, which could allow an authenticated attacker " + "to execute arbitrary commands with root privileges through crafted HTTP POST requests. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-nxapi-cmdinject-ULukNMZ2" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220823.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220823.py new file mode 100644 index 00000000..b8a815ac --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220823.py @@ -0,0 +1,41 @@ +from comfy import high + + +@high( + name='rule_cve202220823', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_ospfv3='show running-config | include router ospfv3|ipv6 router ospf' + ), +) +def rule_cve202220823(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20823 vulnerability in Cisco NX-OS Software. + The vulnerability is due to incomplete input validation of specific OSPFv3 packets. + An unauthenticated, remote attacker could exploit this vulnerability by sending a malicious + OSPFv3 link-state advertisement (LSA) to an affected device, causing the OSPFv3 process to + crash and restart multiple times, leading to a denial of service condition. + Note: The OSPFv3 feature is disabled by default. + """ + # Extract the output of the command to check OSPFv3 configuration + ospfv3_output = commands.check_ospfv3 + + # Check if OSPFv3 is enabled (either via 'router ospfv3' or 'ipv6 router ospf') + ospfv3_enabled = any(feature in ospfv3_output for feature in [ + 'router ospfv3', + 'ipv6 router ospf' + ]) + + # If OSPFv3 is not enabled, device is not vulnerable + if not ospfv3_enabled: + return + + # Assert that the device is not vulnerable + assert not ospfv3_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20823. " + "The device has OSPFv3 enabled, which could allow an unauthenticated attacker " + "to cause a denial of service through malicious OSPFv3 LSA packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ospfv3-dos-48qutcu" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py new file mode 100644 index 00000000..c43f8933 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py @@ -0,0 +1,37 @@ +from comfy import high + + +@high( + name='rule_cve202220824', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_cdp='show running-config | include no cdp enable|cdp enable' + ), +) +def rule_cve202220824(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20824 vulnerability in Cisco NX-OS Software. + The vulnerability is due to improper input validation of specific values within Cisco Discovery Protocol messages. + An unauthenticated, adjacent attacker could exploit this vulnerability by sending malicious CDP packets to an + affected device, allowing them to execute arbitrary code with root privileges or cause a denial of service condition. + Note: CDP is enabled by default, and the attacker must be in the same broadcast domain (Layer 2 adjacent). + """ + # Extract the output of the command to check CDP configuration + cdp_output = commands.check_cdp + + # Check if CDP is enabled + cdp_enabled = 'cdp enable' in cdp_output + + # If CDP is not enabled, device is not vulnerable + if not cdp_enabled: + return + + # Assert that the device is not vulnerable + assert not cdp_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20824. " + "The device has Cisco Discovery Protocol enabled, " + "which could allow an adjacent attacker to execute arbitrary code with root privileges or cause a denial of service. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-cdp-dos-ce-wWvPucC9" + ) From a16a8ac1ee153cd6a1cc3d66a74e1c1d41ac1301 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Sun, 1 Jun 2025 20:36:23 +0000 Subject: [PATCH 9/9] cisco_nxos 2022 cves --- CVEasy/Cisco/2022/cisco_nxos/cve202220824.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py index c43f8933..0f036b7e 100644 --- a/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py @@ -14,7 +14,8 @@ def rule_cve202220824(configuration, commands, device, devices): This rule checks for the CVE-2022-20824 vulnerability in Cisco NX-OS Software. The vulnerability is due to improper input validation of specific values within Cisco Discovery Protocol messages. An unauthenticated, adjacent attacker could exploit this vulnerability by sending malicious CDP packets to an - affected device, allowing them to execute arbitrary code with root privileges or cause a denial of service condition. + affected device, allowing them to execute arbitrary code with root privileges or cause a denial of " + "service condition. Note: CDP is enabled by default, and the attacker must be in the same broadcast domain (Layer 2 adjacent). """ # Extract the output of the command to check CDP configuration @@ -31,7 +32,7 @@ def rule_cve202220824(configuration, commands, device, devices): assert not cdp_enabled, ( f"Device {device.name} is vulnerable to CVE-2022-20824. " "The device has Cisco Discovery Protocol enabled, " - "which could allow an adjacent attacker to execute arbitrary code with root privileges or cause a denial of service. " - "For more information, see" + "which could allow an adjacent attacker to execute arbitrary code with root privileges or cause a " + "denial of service. For more information, see" "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-cdp-dos-ce-wWvPucC9" )