diff --git a/CVEasy/Arista/2021/__init__.py b/CVEasy/Arista/2021/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Arista/2021/cve202128496.py b/CVEasy/Arista/2021/cve202128496.py new file mode 100644 index 00000000..0c636c99 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128496.py @@ -0,0 +1,71 @@ +from comfy import high + + +@high( + name='rule_cve202128496', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_bfd='show running-config | section bfd', + show_eapi='show management api http-commands' + ), +) +def rule_cve202128496(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28496 vulnerability in Arista EOS devices. + The vulnerability allows BFD shared secret passwords to be leaked when displaying output + over eAPI or other JSON outputs to authenticated users on the device. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.22.x versions (all releases) + '4.22.0', '4.22.12', + # 4.23.x versions (up to 4.23.9) + '4.23.0', '4.23.9', + # 4.24.x versions (up to 4.24.7) + '4.24.0', '4.24.7', + # 4.25.x versions (up to 4.25.4) + '4.25.0', '4.25.4', + # 4.26.x versions (up to 4.26.1) + '4.26.0', '4.26.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if BFD is configured with shared secret profiles + bfd_config = commands.show_bfd + has_bfd_secrets = 'profile' in bfd_config and 'key-id' in bfd_config + + # Check if eAPI is enabled + eapi_config = commands.show_eapi + eapi_enabled = 'enabled' in eapi_config.lower() + + # Device is vulnerable if using BFD shared secrets and eAPI is enabled + is_vulnerable = has_bfd_secrets and eapi_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28496. " + "The device is running a vulnerable version AND has BFD shared secret profiles configured " + "with eAPI enabled, which could expose sensitive password information. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.23.10 or later for 4.23.x train\n" + " * 4.24.8 or later for 4.24.x train\n" + " * 4.25.5 or later for 4.25.x train\n" + " * 4.26.2 or later for 4.26.x train\n" + "2. Or apply the appropriate hotfix:\n" + " * For 4.22.0 - 4.25.0: SecurityAdvisory0069Hotfix-4.22-4.25.0.swix\n" + " * For 4.25.1 - 4.26.1: SecurityAdvisory0069Hotfix-4.25.1-4.26.1.swix\n" + "3. As a workaround, restrict access to CLI show commands using role-based authorization\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13243-security-advisory-0069" + ) diff --git a/CVEasy/Arista/2021/cve202128500.py b/CVEasy/Arista/2021/cve202128500.py new file mode 100644 index 00000000..95ebee4b --- /dev/null +++ b/CVEasy/Arista/2021/cve202128500.py @@ -0,0 +1,78 @@ +from comfy import high + + +@high( + name='rule_cve202128500', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_users='show running-config | section username', + show_agents='show running-config | include openconfig|terminattr' + ), +) +def rule_cve202128500(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28500 vulnerability in Arista EOS devices. + The vulnerability allows unrestricted access to the device for local users with nopassword + configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.20.x and earlier versions + '4.20.0', '4.20.15', + # 4.21.x versions + '4.21.0', '4.21.14M', + # 4.22.x versions + '4.22.0', '4.22.11M', + # 4.23.x versions + '4.23.0', '4.23.8M', + # 4.24.x versions + '4.24.0', '4.24.6M', + # 4.25.x versions + '4.25.0', '4.25.4M', + # 4.26.x versions + '4.26.0', '4.26.1F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if any users are configured with nopassword + users_config = commands.show_users + has_nopassword_users = 'nopassword' in users_config + + # Check if OpenConfig or TerminAttr agents are enabled + agents_config = commands.show_agents + agents_enabled = 'openconfig' in agents_config or 'terminattr' in agents_config + + # Device is vulnerable if it has nopassword users and agents enabled + is_vulnerable = has_nopassword_users and agents_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28500. " + "The device is running a vulnerable version AND has local users with nopassword configuration " + "while OpenConfig/TerminAttr agents are enabled, which could allow unrestricted access. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.2F or later for 4.26.x train\n" + " * 4.25.5M or later for 4.25.x train\n" + " * 4.24.7M or later for 4.24.x train\n" + " * 4.23.9M or later for 4.23.x train\n" + " * 4.22.12M or later for 4.22.x train\n" + " * 4.21.15M or later for 4.21.x train\n" + "2. Until upgrade is complete, implement these workarounds:\n" + " * Remove nopassword configuration for local users\n" + " * Or apply the appropriate hotfix:\n" + " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" + " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" + "For more information, see " + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + ) diff --git a/CVEasy/Arista/2021/cve202128501.py b/CVEasy/Arista/2021/cve202128501.py new file mode 100644 index 00000000..5c1db418 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128501.py @@ -0,0 +1,63 @@ +from comfy import high + + +@high( + name='rule_cve202128501', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_terminattr='show running-config | include terminattr', + show_openconfig='show running-config | include openconfig', + show_users='show running-config | section username' + ), +) +def rule_cve202128501(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28501 vulnerability in Arista EOS devices. + The vulnerability allows unrestricted access to the device for local users with nopassword + configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # TerminAttr versions before 1.16.2 + '1.15.0', '1.15.1', '1.15.2', '1.15.3', + '1.16.0', '1.16.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if TerminAttr or OpenConfig agents are enabled + terminattr_config = commands.show_terminattr + openconfig_config = commands.show_openconfig + agents_enabled = bool(terminattr_config or openconfig_config) + + # Check if any users are configured with nopassword + users_config = commands.show_users + has_nopassword_users = 'nopassword' in users_config + + # Device is vulnerable if agents are enabled and has nopassword users + is_vulnerable = agents_enabled and has_nopassword_users + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28501. " + "The device is running a vulnerable version of TerminAttr AND has local users with nopassword configuration " + "while OpenConfig/TerminAttr agents are enabled, which could allow unrestricted access. " + "Recommended fixes:\n" + "1. Upgrade to TerminAttr v1.16.2 or later\n" + "2. Until upgrade is complete, implement these workarounds:\n" + " * Disable OpenConfig gNMI/gNOI and OpenConfig RESTCONF and TerminAttr\n" + " * Or apply the appropriate hotfix with proxy service:\n" + " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" + " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + ) diff --git a/CVEasy/Arista/2021/cve202128503.py b/CVEasy/Arista/2021/cve202128503.py new file mode 100644 index 00000000..40986559 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128503.py @@ -0,0 +1,72 @@ +from comfy import high + + +@high( + name='rule_cve202128503', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_eapi='show management api http-commands', + show_cert_auth='show running-config | include certificate user' + ), +) +def rule_cve202128503(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28503 vulnerability in Arista EOS devices. + The vulnerability allows remote attackers to bypass authentication when certificate-based + authentication is used with eAPI, due to improper credential re-evaluation. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.23.x versions before 4.23.10 + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', + '4.23.5', '4.23.6', '4.23.7', '4.23.8', '4.23.9', + # 4.24.x versions before 4.24.8 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', + '4.24.5', '4.24.6', '4.24.7', + # 4.25.x versions before 4.25.6 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + # 4.26.x versions before 4.26.3 + '4.26.0', '4.26.1', '4.26.2' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if eAPI is enabled + eapi_config = commands.show_eapi + eapi_enabled = 'enabled' in eapi_config.lower() + + # Check if certificate-based authentication is configured + cert_config = commands.show_cert_auth + cert_auth_enabled = 'certificate user' in cert_config + + # Device is vulnerable if both eAPI and certificate auth are enabled + is_vulnerable = eapi_enabled and cert_auth_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28503. " + "The device is running a vulnerable version AND has eAPI enabled with certificate-based authentication, " + "which could allow remote attackers to bypass authentication. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.3 or later for 4.26.x train\n" + " * 4.25.6 or later for 4.25.x train\n" + " * 4.24.8 or later for 4.24.x train\n" + " * 4.23.10 or later for 4.23.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Disable certificate-based authentication for eAPI:\n" + " switch(config)#management security\n" + " switch(config-mgmt-security)#ssl profile profileEAPI\n" + " switch(config-mgmt-sec-ssl-profile-profileEAPI)#no trust certificate user.cert\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13605-security-advisory-0072" + ) diff --git a/CVEasy/Arista/2021/cve202128504.py b/CVEasy/Arista/2021/cve202128504.py new file mode 100644 index 00000000..6f0aed1e --- /dev/null +++ b/CVEasy/Arista/2021/cve202128504.py @@ -0,0 +1,64 @@ +from comfy import high + + +@high( + name='rule_cve202128504', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_tcam='show hardware tcam profile', + show_acl='show running-config | section ip access-list' + ), +) +def rule_cve202128504(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28504 vulnerability in Arista EOS devices. + The vulnerability occurs on Strata family products when TCAM profile is enabled and + port IPv4 access-lists contain rules matching VXLAN protocol, causing subsequent rules + to not match IP protocol fields as expected. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.26.x versions before 4.26.4F + '4.26.0', '4.26.1F', '4.26.2F', '4.26.3F', + # 4.27.x versions before 4.27.1M + '4.27.0F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if TCAM profile feature is enabled + tcam_output = commands.show_tcam + tcam_enabled = 'Profile:' in tcam_output + + # Check if any ACL has VXLAN protocol matching + acl_config = commands.show_acl + has_vxlan_acl = 'protocol vxlan' in acl_config.lower() + + # Device is vulnerable if TCAM profile is enabled and has VXLAN protocol matching in ACLs + is_vulnerable = tcam_enabled and has_vxlan_acl + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28504. " + "The device is running a vulnerable version AND has TCAM profile enabled with ACLs matching VXLAN protocol, " + "which could cause subsequent ACL rules to not match IP protocol fields correctly. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.4F or later for 4.26.x train\n" + " * 4.27.1M or later for 4.27.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Replace 'protocol vxlan' matches in ACLs with:\n" + " - protocol udp\n" + " - destination port 4789 (or configured VXLAN port)\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" + ) diff --git a/CVEasy/Arista/2021/cve202128505.py b/CVEasy/Arista/2021/cve202128505.py new file mode 100644 index 00000000..2ff97f87 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128505.py @@ -0,0 +1,66 @@ +from comfy import high + + +@high( + name='rule_cve202128505', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_acl='show running-config | section ip access-list', + show_interfaces='show running-config | section interface' + ), +) +def rule_cve202128505(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28505 vulnerability in Arista EOS devices. + The vulnerability occurs when VXLAN match rules in IPv4 access-lists are applied to + ingress L2/L3 ports or SVIs, causing subsequent ACL rules to ignore IP protocol fields. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.26.x versions before 4.26.4M + '4.26.0', '4.26.1F', '4.26.2F', '4.26.3M', + # 4.27.x versions before 4.27.1F + '4.27.0F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if any ACL has VXLAN protocol matching + acl_config = commands.show_acl + has_vxlan_acl = 'protocol vxlan' in acl_config.lower() + + # Check if ACLs are applied to ingress L2/L3 ports or SVIs + interface_config = commands.show_interfaces + has_ingress_acl = any(keyword in interface_config.lower() for keyword in [ + 'ip access-group', + 'ipv4 access-group' + ]) + + # Device is vulnerable if it has VXLAN ACLs applied to ingress interfaces + is_vulnerable = has_vxlan_acl and has_ingress_acl + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28505. " + "The device is running a vulnerable version AND has VXLAN match rules in IPv4 ACLs " + "applied to ingress interfaces, which could cause subsequent rules to ignore IP protocol fields. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.4M or later for 4.26.x train\n" + " * 4.27.1F or later for 4.27.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Replace 'protocol vxlan' matches in ACLs with:\n" + " - protocol udp\n" + " - destination port 4789 (or configured VXLAN port)\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" + ) diff --git a/CVEasy/Arista/2021/cve202128506.py b/CVEasy/Arista/2021/cve202128506.py new file mode 100644 index 00000000..f60d7bb9 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128506.py @@ -0,0 +1,70 @@ +from comfy import high + + +@high( + name='rule_cve202128506', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_gnmi='show management api gnmi', + show_restconf='show management api restconf', + show_gnoi='show management api gnoi' + ), +) +def rule_cve202128506(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28506 vulnerability in Arista EOS devices. + The vulnerability allows unauthenticated attackers to bypass authentication in gNOI APIs, + potentially allowing factory reset of the device. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.24.x versions before 4.24.8M + '4.24.0', '4.24.1F', '4.24.2F', '4.24.3M', '4.24.4M', '4.24.5M', '4.24.6M', '4.24.7M', + # 4.25.x versions before 4.25.6M + '4.25.0', '4.25.1M', '4.25.2M', '4.25.3M', '4.25.4M', '4.25.5M', + # 4.26.x versions before 4.26.3M + '4.26.0', '4.26.1F', '4.26.2F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if any of the vulnerable APIs are enabled + gnmi_config = commands.show_gnmi + restconf_config = commands.show_restconf + gnoi_config = commands.show_gnoi + + apis_enabled = any([ + 'enabled' in gnmi_config.lower(), + 'enabled' in restconf_config.lower(), + 'enabled' in gnoi_config.lower() + ]) + + # Device is vulnerable if running affected version and has APIs enabled + is_vulnerable = version_vulnerable and apis_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28506. " + "The device is running a vulnerable version AND has gNMI/gNOI/RESTCONF APIs enabled, " + "which could allow unauthenticated attackers to bypass authentication and factory reset the device. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.3M or later for 4.26.x train\n" + " * 4.25.6M or later for 4.25.x train\n" + " * 4.24.8M or later for 4.24.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Apply the appropriate hotfix with proxy service:\n" + " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" + " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + ) diff --git a/CVEasy/Arista/2021/cve202128507.py b/CVEasy/Arista/2021/cve202128507.py new file mode 100644 index 00000000..07a65c07 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128507.py @@ -0,0 +1,78 @@ +from comfy import high + + +@high( + name='rule_cve202128507', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_openconfig='show running-config | include openconfig', + show_restconf='show management api restconf', + show_acl='show running-config | section service-acl' + ), +) +def rule_cve202128507(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28507 vulnerability in Arista EOS devices. + The vulnerability allows service ACL bypass in OpenConfig gNOI and RESTCONF APIs, + which could result in denied requests being forwarded to the agent. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.21.x and earlier versions + '4.21.', '4.20.', '4.19.', '4.18.', + # 4.22.x versions + '4.22.0', '4.22.1', '4.22.2', '4.22.3', + # 4.23.x versions before 4.23.10M + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', + '4.23.5', '4.23.6', '4.23.7', '4.23.8', '4.23.9', + # 4.24.x versions before 4.24.8M + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', + '4.24.5', '4.24.6', '4.24.7', + # 4.25.x versions before 4.25.6M + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + # 4.26.x versions before 4.26.3M + '4.26.0', '4.26.1', '4.26.2' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if OpenConfig or RESTCONF is enabled + openconfig_config = commands.show_openconfig + restconf_config = commands.show_restconf + apis_enabled = bool(openconfig_config or 'enabled' in restconf_config.lower()) + + # Check if service ACLs are configured + acl_config = commands.show_acl + has_service_acl = 'service-acl' in acl_config + + # Device is vulnerable if APIs are enabled and using service ACLs + is_vulnerable = apis_enabled and has_service_acl + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28507. " + "The device is running a vulnerable version AND has OpenConfig/RESTCONF APIs enabled with service ACLs, " + "which could allow denied requests to bypass ACLs and reach the agent. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.3M or later for 4.26.x train\n" + " * 4.25.6M or later for 4.25.x train\n" + " * 4.24.8M or later for 4.24.x train\n" + " * 4.23.10M or later for 4.23.x train\n" + "2. Until upgrade is complete, implement these workarounds:\n" + " * Disable OpenConfig gNMI/gNOI and OpenConfig RESTCONF\n" + " * Or apply the appropriate hotfix with proxy service:\n" + " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" + " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + ) diff --git a/CVEasy/Arista/2021/cve202128508.py b/CVEasy/Arista/2021/cve202128508.py new file mode 100644 index 00000000..1badbc3e --- /dev/null +++ b/CVEasy/Arista/2021/cve202128508.py @@ -0,0 +1,72 @@ +from comfy import high + + +@high( + name='rule_cve202128508', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_terminattr='show running-config | include terminattr', + show_ipsec='show running-config | section crypto ipsec' + ), +) +def rule_cve202128508(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28508 vulnerability in Arista EOS devices. + The vulnerability allows TerminAttr to leak IPsec sensitive data in clear text to CVP, + which could allow authorized users to decrypt or modify IPsec traffic. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.23.x versions before 4.23.11 + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', '4.23.5', + '4.23.6', '4.23.7', '4.23.8', '4.23.9', '4.23.10', + # 4.24.x versions before 4.24.10 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5', + '4.24.6', '4.24.7', '4.24.8', '4.24.9', + # 4.25.x versions before 4.25.8 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + '4.25.6', '4.25.7', + # 4.26.x versions before 4.26.6 + '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4', '4.26.5', + # 4.27.x versions before 4.27.2 + '4.27.0', '4.27.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if TerminAttr is enabled + terminattr_config = commands.show_terminattr + terminattr_enabled = bool(terminattr_config) + + # Check if IPsec is configured + ipsec_config = commands.show_ipsec + ipsec_configured = bool(ipsec_config) + + # Device is vulnerable if both TerminAttr and IPsec are enabled + is_vulnerable = terminattr_enabled and ipsec_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28508. " + "The device is running a vulnerable version AND has both TerminAttr and IPsec enabled, " + "which could allow IPsec sensitive data to leak in clear text to CVP. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.27.2 or later for 4.27.x train\n" + " * 4.26.6 or later for 4.26.x train\n" + " * 4.25.8 or later for 4.25.x train\n" + " * 4.24.10 or later for 4.24.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Disable TerminAttr agent\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" + ) diff --git a/CVEasy/Arista/2021/cve202128509.py b/CVEasy/Arista/2021/cve202128509.py new file mode 100644 index 00000000..ec3f020f --- /dev/null +++ b/CVEasy/Arista/2021/cve202128509.py @@ -0,0 +1,72 @@ +from comfy import high + + +@high( + name='rule_cve202128509', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_terminattr='show running-config | include terminattr', + show_macsec='show running-config | section macsec' + ), +) +def rule_cve202128509(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28509 vulnerability in Arista EOS devices. + The vulnerability allows TerminAttr to leak MACsec sensitive data in clear text to CVP, + which could allow authorized users to decrypt or modify MACsec traffic. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.23.x versions before 4.23.12 + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', '4.23.5', + '4.23.6', '4.23.7', '4.23.8', '4.23.9', '4.23.10', '4.23.11', + # 4.24.x versions before 4.24.10 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5', + '4.24.6', '4.24.7', '4.24.8', '4.24.9', + # 4.25.x versions before 4.25.8 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + '4.25.6', '4.25.7', + # 4.26.x versions before 4.26.6 + '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4', '4.26.5', + # 4.27.x versions before 4.27.4 + '4.27.0', '4.27.1', '4.27.2', '4.27.3' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if TerminAttr is enabled + terminattr_config = commands.show_terminattr + terminattr_enabled = 'terminattr' in terminattr_config.lower() + + # Check if MACsec is configured + macsec_config = commands.show_macsec + macsec_configured = 'macsec' in macsec_config.lower() + + # Device is vulnerable if both TerminAttr and MACsec are enabled + is_vulnerable = terminattr_enabled and macsec_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28509. " + "The device is running a vulnerable version AND has both TerminAttr and MACsec enabled, " + "which could allow MACsec sensitive data to leak in clear text to CVP. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.27.4 or later for 4.27.x train\n" + " * 4.26.6 or later for 4.26.x train\n" + " * 4.25.8 or later for 4.25.x train\n" + " * 4.24.10 or later for 4.24.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Disable TerminAttr agent\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" + ) diff --git a/CVEasy/Arista/2021/cve202128510.py b/CVEasy/Arista/2021/cve202128510.py new file mode 100644 index 00000000..844c01c5 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128510.py @@ -0,0 +1,72 @@ +from comfy import high + + +@high( + name='rule_cve202128510', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_ptp='show running-config | section ptp' + ), +) +def rule_cve202128510(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28510 vulnerability in Arista EOS devices. + The vulnerability allows an unauthenticated attacker to cause a DoS condition by sending + malformed PTP packets with invalid TLV values, causing the PTP agent to restart repeatedly. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.23.x versions before 4.23.11 + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', '4.23.5', + '4.23.6', '4.23.7', '4.23.8', '4.23.9', '4.23.10', + # 4.24.x versions before 4.24.9 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5', + '4.24.6', '4.24.7', '4.24.8', + # 4.25.x versions before 4.25.7 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + '4.25.6', + # 4.26.x versions before 4.26.5 + '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4', + # 4.27.x versions before 4.27.2 + '4.27.0', '4.27.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if PTP is configured + ptp_config = commands.show_ptp + ptp_enabled = 'ptp' in ptp_config.lower() + + # Device is vulnerable if running affected version and PTP is enabled + is_vulnerable = version_vulnerable and ptp_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28510. " + "The device is running a vulnerable version AND has PTP enabled, " + "which could allow an attacker to cause a denial of service by sending malformed PTP packets. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.27.2 or later for 4.27.x train\n" + " * 4.26.5 or later for 4.26.x train\n" + " * 4.25.7 or later for 4.25.x train\n" + " * 4.24.9 or later for 4.24.x train\n" + " * 4.23.11 or later for 4.23.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Install ACL rules to drop PTP packets from untrusted sources\n" + " * Block access to untrusted (non-management) networks\n" + "3. A hotfix is available:\n" + " * SecurityAdvisory76_CVE-2021-28510_Hotfix.swix\n" + " * Note: Installing/uninstalling will cause PTP agent to restart\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15439-security-advisory-0076" + ) diff --git a/CVEasy/Arista/2021/cve202128511.py b/CVEasy/Arista/2021/cve202128511.py new file mode 100644 index 00000000..9c1252f8 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128511.py @@ -0,0 +1,71 @@ +from comfy import high + + +@high( + name='rule_cve202128511', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_nat='show running-config | section ip nat', + show_acl='show running-config | section ip access-list' + ), +) +def rule_cve202128511(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28511 vulnerability in Arista EOS devices. + The vulnerability allows security ACL bypass if a NAT ACL rule filter with permit action + matches a packet flow that should be denied by a security ACL. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.24.x versions before 4.24.10 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5', + '4.24.6', '4.24.7', '4.24.8', '4.24.9', + # 4.25.x versions before 4.25.9 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + '4.25.6', '4.25.7', '4.25.8', + # 4.26.x versions before 4.26.6 + '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4', '4.26.5', + # 4.27.x versions before 4.27.4 + '4.27.0', '4.27.1', '4.27.2', '4.27.3' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if NAT is configured + nat_config = commands.show_nat + nat_enabled = 'ip nat' in nat_config.lower() + + # Check if security ACLs are configured + acl_config = commands.show_acl + security_acl_enabled = 'ip access-list' in acl_config.lower() + + # Device is vulnerable if both NAT and security ACLs are enabled + is_vulnerable = nat_enabled and security_acl_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28511. " + "The device is running a vulnerable version AND has both NAT and security ACLs configured, " + "which could allow security ACL bypass through NAT permit rules. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.28.0 or later for 4.28.x train\n" + " * 4.27.4 or later for 4.27.x train\n" + " * 4.26.6 or later for 4.26.x train\n" + " * 4.25.9 or later for 4.25.x train\n" + " * 4.24.10 or later for 4.24.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Configure a NAT 'drop' ACL rule for each security ACL 'drop' rule\n" + " * Apply these rules to interfaces with NAT configured\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15862-security-advisory-0078" + ) diff --git a/CVEasy/Arista/2022/__init__.py b/CVEasy/Arista/2022/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Arista/2022/cve202229071.py b/CVEasy/Arista/2022/cve202229071.py new file mode 100644 index 00000000..f0b916f7 --- /dev/null +++ b/CVEasy/Arista/2022/cve202229071.py @@ -0,0 +1,57 @@ +from comfy import high + + +@high( + name='rule_cve202229071', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_cvp_info='show cvp info' + ), +) +def rule_cve202229071(configuration, commands, device, devices): + """ + This rule checks for CVE-2022-29071 vulnerability in Arista CloudVision Portal (CVP). + The vulnerability allows user passwords to be leaked in the Audit and System logs, + which could expose sensitive information to other authenticated users. + """ + # Extract the CVP version information from the command output + version_output = commands.show_cvp_info + + # List of vulnerable software versions + vulnerable_versions = [ + # CVP versions + '2020.2', '2020.3', + '2021.1', '2021.2', '2021.3' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if this is an on-premises deployment + cvp_info = commands.show_cvp_info + is_onprem = 'Deployment: On-Premises' in cvp_info + + # Device is vulnerable if it's an on-premises deployment + is_vulnerable = is_onprem + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-29071. " + "The device is running a vulnerable version of CVP in an on-premises deployment, " + "which could allow user passwords to be leaked in Audit and System logs. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * CVP 2022.1.1 or later\n" + " * CVP 2022.2.0 or later\n" + "2. Until upgrade is complete, implement these workarounds:\n" + " * Change CVP user passwords and ensure they match switch enable passwords\n" + " * Restrict access to CVP application and host OS to trusted users only\n" + " * Regularly rotate user passwords\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15865-security-advisory-0079" + ) diff --git a/CVEasy/Arista/2023/__init__.py b/CVEasy/Arista/2023/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Arista/2023/cve202324509.py b/CVEasy/Arista/2023/cve202324509.py new file mode 100644 index 00000000..df7c364a --- /dev/null +++ b/CVEasy/Arista/2023/cve202324509.py @@ -0,0 +1,76 @@ +from comfy import high + + +@high( + name='rule_cve202324509', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_module='show module', + show_redundancy='show redundancy status' + ), +) +def rule_cve202324509(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-24509 vulnerability in Arista EOS devices. + The vulnerability allows privilege escalation when an unprivileged user logs into + the standby supervisor as root on devices with redundant supervisor modules and + RPR/SSO redundancy protocol configured. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.23.x versions + '4.23.0', '4.23.13M', + # 4.24.x versions + '4.24.0', '4.24.10M', + # 4.25.x versions + '4.25.0', '4.25.9M', + # 4.26.x versions + '4.26.0', '4.26.8M', + # 4.27.x versions + '4.27.0', '4.27.6M', + # 4.28.x versions + '4.28.0', '4.28.3M' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check for redundant supervisor modules + module_output = commands.show_module + has_standby_supervisor = 'Standby supervisor' in module_output + + # Check redundancy protocol configuration + redundancy_output = commands.show_redundancy + redundancy_configured = any(protocol in redundancy_output for protocol in [ + 'Route Processor Redundancy', + 'Stateful Switchover' + ]) + + # Device is vulnerable if it has both conditions + is_vulnerable = has_standby_supervisor and redundancy_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2023-24509. " + "The device is running a vulnerable version AND has redundant supervisor modules with RPR/SSO configured, " + "which could allow privilege escalation via root access to standby supervisor. " + "Recommended fixes:\n" + "- Upgrade to one of the following fixed versions:\n" + " * 4.28.4M or later for 4.28.x train\n" + " * 4.27.7M or later for 4.27.x train\n" + " * 4.26.9M or later for 4.26.x train\n" + " * 4.25.10M or later for 4.25.x train\n" + " * 4.24.11M or later for 4.24.x train\n" + "- Or apply the hotfix for supported versions\n" + "Workaround: Disable SSH CLI command in unprivileged mode using RBAC\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/16985-security-advisory-0082" + ) diff --git a/CVEasy/Arista/2023/cve202324510.py b/CVEasy/Arista/2023/cve202324510.py new file mode 100644 index 00000000..03bbe4f2 --- /dev/null +++ b/CVEasy/Arista/2023/cve202324510.py @@ -0,0 +1,95 @@ +from comfy import high + + +@high( + name='rule_cve202324510', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_ip_helper='show running-config | include ip helper-address' + ), +) +def rule_cve202324510(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-24510 vulnerability in Arista EOS devices. + The vulnerability allows a malformed DHCP packet to cause the DHCP relay agent to restart + when specific ip helper-address configurations are present on the same interface. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.25.x versions + '4.25.0F', '4.25.10M', + # 4.26.x versions + '4.26.0F', '4.26.9M', + # 4.27.x versions + '4.27.0F', '4.27.9M', + # 4.28.x versions + '4.28.0F', '4.28.6.1M', + # 4.29.x versions + '4.29.0F', '4.29.1F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check for vulnerable ip helper-address configurations + helper_config = commands.show_ip_helper + config_lines = helper_config.splitlines() + + # Track interfaces with multiple helper addresses + interface_helpers = {} + current_interface = None + + # Parse configuration to find interfaces with multiple helper addresses + for line in config_lines: + if 'interface' in line: + current_interface = line + interface_helpers[current_interface] = { + 'source_interface': False, + 'vrf': False, + 'basic': False + } + elif current_interface and 'ip helper-address' in line: + if 'source-interface' in line: + interface_helpers[current_interface]['source_interface'] = True + elif 'vrf' in line: + interface_helpers[current_interface]['vrf'] = True + else: + interface_helpers[current_interface]['basic'] = True + + # Check for vulnerable configurations + vulnerable_config = False + for interface, config in interface_helpers.items(): + # Scenario One: One command uses source-interface, second command is basic + if config['source_interface'] and config['basic']: + vulnerable_config = True + break + # Scenario Two: One command in VRF, second command is basic + if config['vrf'] and config['basic']: + vulnerable_config = True + break + + # Assert that the device is not vulnerable + assert not vulnerable_config, ( + f"Device {device.name} is vulnerable to CVE-2023-24510. " + "The device is running a vulnerable version AND has multiple ip helper-address commands " + "configured on the same interface in a vulnerable combination:\n" + "- One command using source-interface with a basic command, or\n" + "- One command in a VRF with a basic command\n" + "Recommended fixes:\n" + "- Upgrade to one of the following fixed versions:\n" + " * 4.29.2F or later for 4.29.x train\n" + " * 4.28.7M or later for 4.28.x train\n" + " * 4.27.10M or later for 4.27.x train\n" + " * 4.26.10M or later for 4.26.x train\n" + "- Or apply the hotfix for supported versions\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/17445-security-advisory-0087" + ) diff --git a/CVEasy/Arista/2023/cve202324511.py b/CVEasy/Arista/2023/cve202324511.py new file mode 100644 index 00000000..b6074a11 --- /dev/null +++ b/CVEasy/Arista/2023/cve202324511.py @@ -0,0 +1,64 @@ +from comfy import high + + +@high( + name='rule_cve202324511', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_snmp='show running-config | include snmp-server' + ), +) +def rule_cve202324511(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-24511 vulnerability in Arista EOS devices. + The vulnerability allows a specially crafted SNMP packet to cause a memory leak in the snmpd process, + which can lead to process termination and memory resource exhaustion. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.24.x versions + '4.24.0', '4.24.11M', + # 4.25.x versions + '4.25.0', '4.25.10M', + # 4.26.x versions + '4.26.0', '4.26.9M', + # 4.27.x versions + '4.27.0', '4.27.8.1M', + # 4.28.x versions + '4.28.0', '4.28.5.1M', + # 4.29.x versions + '4.29.0', '4.29.1F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if SNMP is configured + snmp_config = commands.show_snmp + snmp_enabled = 'snmp-server' in snmp_config + + # Assert that the device is not vulnerable + assert not snmp_enabled, ( + f"Device {device.name} is vulnerable to CVE-2023-24511. " + "The device is running a vulnerable version AND has SNMP configured, " + "which could allow memory leaks in the snmpd process leading to service disruption. " + "Recommended fixes:\n" + "- Upgrade to one of the following fixed versions:\n" + " * 4.29.2F or later for 4.29.x train\n" + " * 4.28.6M or later for 4.28.x train\n" + " * 4.27.9M or later for 4.27.x train\n" + " * 4.26.10M or later for 4.26.x train\n" + "Workaround: Configure SNMP ACLs to restrict access:\n" + " snmp-server ipv4 access-list allowHosts4\n" + " snmp-server ipv6 access-list allowHosts6\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/17239-security-advisory-0084" + ) diff --git a/CVEasy/Arista/2023/cve202324512.py b/CVEasy/Arista/2023/cve202324512.py new file mode 100644 index 00000000..0bb76000 --- /dev/null +++ b/CVEasy/Arista/2023/cve202324512.py @@ -0,0 +1,70 @@ +from comfy import high + + +@high( + name='rule_cve202324512', + platform=['arista_eos'], + commands=dict( + show_version='show version detail | grep TerminAttr-core', + show_daemon='show daemon TerminAttr', + show_daemon_config='show running-config | section daemon TerminAttr' + ), +) +def rule_cve202324512(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-24512 vulnerability in Arista EOS devices. + The vulnerability allows an authorized attacker with gNMI permissions to craft requests + that could update arbitrary configurations in the switch when the Streaming Telemetry + Agent (TerminAttr) is enabled with gNMI access. + """ + # Extract the TerminAttr version from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # Specific version + 'v1.23.0', + # Version ranges + 'v1.19.', 'v1.20.', 'v1.21.', 'v1.22.0', 'v1.22.1', + 'v1.24.0', 'v1.24.1', 'v1.24.2', 'v1.24.3' + ] + + # Check if the current version matches any vulnerable version patterns + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if TerminAttr daemon is running + daemon_output = commands.show_daemon + daemon_running = 'running with PID' in daemon_output + + # Check if gNMI access is configured + daemon_config = commands.show_daemon_config + gnmi_enabled = '-grpcaddr=' in daemon_config and '-grpcreadonly' not in daemon_config + + # Device is vulnerable if daemon is running and gNMI is enabled without read-only mode + is_vulnerable = daemon_running and gnmi_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2023-24512. " + "The device is running a vulnerable version of TerminAttr AND has the daemon running " + "with gNMI access enabled without read-only mode. " + "Recommended fixes:\n" + "1. Upgrade TerminAttr:\n" + " * Version 1.25.0 or later\n" + " * Version 1.22.2 or later for 1.22.x train\n" + " * Version 1.19.6 or later for 1.19.x train\n" + "2. Or upgrade EOS to a version with fixed TerminAttr:\n" + " * 4.29.2F or later (includes TerminAttr 1.25.0+)\n" + " * 4.28.6M or later (includes TerminAttr 1.22.2+)\n" + " * 4.27.9M or later (includes TerminAttr 1.19.6+)\n" + " * 4.26.10M or later (includes TerminAttr 1.19.6+)\n" + "Workaround: Configure gRPC read-only mode:\n" + " daemon TerminAttr\n" + " exec /usr/bin/TerminAttr -grpcreadonly -grpcaddr=... \n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/17250-security-advisory-0086" + ) diff --git a/CVEasy/Arista/2023/cve202324513.py b/CVEasy/Arista/2023/cve202324513.py new file mode 100644 index 00000000..df890217 --- /dev/null +++ b/CVEasy/Arista/2023/cve202324513.py @@ -0,0 +1,70 @@ +from comfy import high + + +@high( + name='rule_cve202324513', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_sfe='show sfe status', + show_platform='show platform cloudeos' + ), +) +def rule_cve202324513(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-24513 vulnerability in Arista CloudEOS devices. + The vulnerability in the Software Forwarding Engine (Sfe) can lead to a potential + denial of service attack by sending malformed packets to the switch, causing packet + buffer leaks that may eventually stop traffic forwarding. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.26.x versions + '4.26.0F', '4.26.9M', + # 4.27.x versions + '4.27.0F', '4.27.8M', + # 4.28.x versions + '4.28.0F', '4.28.5M', + # 4.29.x versions + '4.29.0F', '4.29.1F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if this is a CloudEOS platform + platform_output = commands.show_platform + is_cloudeos = 'CloudEOS' in platform_output + + # Check if SFE is enabled (default on CloudEOS) + sfe_output = commands.show_sfe + sfe_enabled = 'SFE enabled' in sfe_output + + # Device is vulnerable if it's CloudEOS with SFE enabled + is_vulnerable = is_cloudeos and sfe_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2023-24513. " + "The device is running a vulnerable version on CloudEOS platform with " + "Software Forwarding Engine (SFE) enabled, " + "which could allow malformed packets to cause buffer leaks and stop traffic forwarding. " + "Recommended fixes:\n" + "- Upgrade to one of the following fixed versions:\n" + " * 4.29.2F or later for 4.29.x train\n" + " * 4.28.6M or later for 4.28.x train\n" + " * 4.27.9M or later for 4.27.x train\n" + " * 4.26.10M or later for 4.26.x train\n" + "- Or apply the appropriate hotfix for your version\n" + "Note: Installing/uninstalling the hotfix will cause SFE agent to restart " + "and stop forwarding traffic for up to 10 seconds.\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/17240-security-advisory-0085" + ) diff --git a/CVEasy/Arista/2023/cve202324545.py b/CVEasy/Arista/2023/cve202324545.py new file mode 100644 index 00000000..55e17960 --- /dev/null +++ b/CVEasy/Arista/2023/cve202324545.py @@ -0,0 +1,70 @@ +from comfy import high + + +@high( + name='rule_cve202324545', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_sfe='show sfe status', + show_platform='show platform cloudeos' + ), +) +def rule_cve202324545(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-24545 vulnerability in Arista CloudEOS devices. + The vulnerability in the Software Forwarding Engine (Sfe) can lead to a potential + denial of service attack by sending malformed packets to the switch, causing packet + buffer leaks that may eventually stop traffic forwarding. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.26.x versions + '4.26.0F', '4.26.8M', + # 4.27.x versions + '4.27.0F', '4.27.7M', + # 4.28.x versions + '4.28.0F', '4.28.4M', + # 4.29.x versions + '4.29.0F', '4.29.1F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if this is a CloudEOS platform + platform_output = commands.show_platform + is_cloudeos = 'CloudEOS' in platform_output + + # Check if SFE is enabled (default on CloudEOS) + sfe_output = commands.show_sfe + sfe_enabled = 'SFE enabled' in sfe_output + + # Device is vulnerable if it's CloudEOS with SFE enabled + is_vulnerable = is_cloudeos and sfe_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2023-24545. " + "The device is running a vulnerable version on CloudEOS platform with " + "Software Forwarding Engine (SFE) enabled, " + "which could allow malformed packets to cause buffer leaks and stop traffic forwarding. " + "Recommended fixes:\n" + "- Upgrade to one of the following fixed versions:\n" + " * 4.29.2F or later for 4.29.x train\n" + " * 4.28.5M or later for 4.28.x train\n" + " * 4.27.8M or later for 4.27.x train\n" + " * 4.26.9M or later for 4.26.x train\n" + "- Or apply the appropriate hotfix for your version\n" + "Note: Installing/uninstalling the hotfix will cause SFE agent to restart " + "and stop forwarding traffic for up to 10 seconds.\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/17240-security-advisory-0085" + ) diff --git a/CVEasy/Arista/2023/cve202324547.py b/CVEasy/Arista/2023/cve202324547.py new file mode 100644 index 00000000..7103073a --- /dev/null +++ b/CVEasy/Arista/2023/cve202324547.py @@ -0,0 +1,63 @@ +from comfy import high + + +@high( + name='rule_cve202324547', + platform=['arista_mos'], + commands=dict( + show_version='show version', + show_bgp_config='show running-config | section router bgp' + ), +) +def rule_cve202324547(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-24547 vulnerability in Arista MOS devices. + The vulnerability exposes BGP passwords in clear text in logs and running configuration, + which could allow authenticated users to view sensitive password information. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # MOS versions from 0.13.0 through 0.39.4 + '0.13.0', '0.34.0', + '0.35.3', + '0.36.0', '0.36.9', + '0.37.0', '0.37.1', + '0.38.0', '0.38.1', + '0.39.0', '0.39.1', '0.39.2', '0.39.3', '0.39.4' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check BGP configuration for plaintext passwords + bgp_config = commands.show_bgp_config + + # Look for BGP neighbor password configurations without type 7 encryption + has_plaintext_password = False + for line in bgp_config.splitlines(): + if 'neighbor' in line and 'password' in line and 'key 7' not in line: + has_plaintext_password = True + break + + # Assert that the device is not vulnerable + assert not has_plaintext_password, ( + f"Device {device.name} is vulnerable to CVE-2023-24547. " + "The device is running a vulnerable version of MOS AND has BGP neighbors configured " + "with plaintext passwords, which could expose sensitive information in logs and running config. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * MOS-0.39.4 or later for 0.39.x train\n" + " * MOS-0.36.10 or later for 0.36.x train\n" + "2. After upgrading, passwords will be automatically obfuscated with type-7 encryption\n" + "3. It is recommended to rotate BGP passwords after upgrading since they may have been exposed\n" + "Note: Only MOS-0.39.x and MOS-0.36.x trains are currently under maintenance support.\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/18644-security-advisory-0090" + ) diff --git a/CVEasy/Arista/2023/cve202324548.py b/CVEasy/Arista/2023/cve202324548.py new file mode 100644 index 00000000..c85853bc --- /dev/null +++ b/CVEasy/Arista/2023/cve202324548.py @@ -0,0 +1,90 @@ +from comfy import high + + +@high( + name='rule_cve202324548', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_ip_routing='show running-config | include ip routing', + show_vxlan_config='show running-config | section vxlan', + show_vxlan_vni='show vxlan vni', + show_vlan='show vlan', + show_ip_interface='show ip interface brief' + ), +) +def rule_cve202324548(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-24548 vulnerability in Arista EOS devices. + The vulnerability allows malformed or truncated packets received over a VXLAN tunnel + to cause egress ports to be unable to forward packets when certain conditions are met. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.22.x versions + '4.22.1F', '4.22.13M', + # 4.23.x versions + '4.23.0', '4.23.14M', + # 4.24.x versions + '4.24.0', '4.24.11M', + # 4.25.x versions + '4.25.0F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if IP routing is enabled + ip_routing = commands.show_ip_routing + routing_enabled = 'ip routing' in ip_routing + + # Check if VXLAN is configured + vxlan_config = commands.show_vxlan_config + vxlan_enabled = 'interface Vxlan1' in vxlan_config + + # Check if VXLAN VNIs are routable + vxlan_vni = commands.show_vxlan_vni + ip_interfaces = commands.show_ip_interface + + # Look for routable VNIs (either VLAN interfaces or VRF-mapped) + has_routable_vni = False + if vxlan_enabled: + # Check for VLANs with IP addresses that are also mapped to VNIs + for line in vxlan_vni.splitlines(): + if 'VNI' in line and 'VLAN' in line: + vlan_id = line.split()[1].strip() + # Check if this VLAN has an IP interface that's up + if f"Vlan{vlan_id}" in ip_interfaces and 'up' in ip_interfaces: + has_routable_vni = True + break + + # Device is vulnerable if all conditions are met + is_vulnerable = routing_enabled and vxlan_enabled and has_routable_vni + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2023-24548. " + "The device is running a vulnerable version AND has all vulnerability conditions met:\n" + "1. IP routing is enabled\n" + "2. VXLAN is configured\n" + "3. Has routable VXLAN VNIs\n" + "This could allow malformed VXLAN packets to cause egress ports to stop forwarding.\n" + "Recommended fixes:\n" + "- Upgrade to one of the following fixed versions:\n" + " * 4.30.0F or later for 4.30.x train\n" + " * 4.29.0F or later for 4.29.x train\n" + " * 4.28.0F or later for 4.28.x train\n" + " * 4.27.0F or later for 4.27.x train\n" + " * 4.26.0F or later for 4.26.x train\n" + " * 4.25.1F or later for 4.25.x train\n" + "Note: No remediation is planned for EOS versions beyond their support lifecycle (4.22, 4.23).\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/18043-security-advisory-0089" + ) diff --git a/CVEasy/Arista/2023/cve20233646.py b/CVEasy/Arista/2023/cve20233646.py new file mode 100644 index 00000000..43ed1591 --- /dev/null +++ b/CVEasy/Arista/2023/cve20233646.py @@ -0,0 +1,57 @@ +from comfy import high + + +@high( + name='rule_cve20233646', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_monitor='show monitor session', + ), +) +def rule_cve20233646(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-3646 vulnerability in Arista EOS devices. + The vulnerability can trigger a kernel panic and cause system reload when mirroring + to multiple destinations is configured. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.28.x versions + '4.28.2F', '4.28.3F', '4.28.4F', '4.28.5F', '4.28.5.1M', + # 4.29.x versions + '4.29.0F', '4.29.1F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check for multiple destination ports in monitor sessions + monitor_output = commands.show_monitor + + # Check if any monitor session has multiple destinations configured + multiple_destinations = False + if 'Session' in monitor_output: + # Count destination ports in active sessions + dest_ports = len([line for line in monitor_output.splitlines() if ': active' in line]) + multiple_destinations = dest_ports > 1 + + # Assert that the device is not vulnerable + assert not multiple_destinations, ( + f"Device {device.name} is vulnerable to CVE-2023-3646. " + "The device is running a vulnerable version AND has mirroring to multiple destinations configured, " + "which could trigger a kernel panic and cause system reload. " + "Recommended fixes:\n" + "- Upgrade to 4.28.6M or later for 4.28.x train\n" + "- Upgrade to 4.29.2F or later for 4.29.x train\n" + "- Workaround: Remove mirroring configuration to multiple destinations\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/18042-security-advisory-0088" + ) diff --git a/CVEasy/Arista/2023/cve20236068.py b/CVEasy/Arista/2023/cve20236068.py new file mode 100644 index 00000000..01686680 --- /dev/null +++ b/CVEasy/Arista/2023/cve20236068.py @@ -0,0 +1,51 @@ +from comfy import high + + +@high( + name='rule_cve20236068', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_multiaccess='show running-config | section multiaccess' + ), +) +def rule_cve20236068(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-6068 vulnerability in Arista MOS devices with MultiAccess FPGA. + The vulnerability can cause incorrect operation of configured ACLs on ports, resulting in some + packets that should be denied being permitted. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # MultiAccess FPGA versions + 'multiaccess-1.7.1', + 'multiaccess-1.6' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if MultiAccess FPGA is configured with ACLs + config_output = commands.show_multiaccess + acl_configured = 'access-list' in config_output + + # Assert that the device is not vulnerable + assert not acl_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-6068. " + "The device is running a vulnerable version of MultiAccess FPGA software " + "and has ACLs configured, which may result in incorrect ACL operation. " + "Recommended fixes:\n" + "- Upgrade to MultiAccess FPGA 1.8.0 or later\n" + "Workaround:\n" + "- Only apply one access-list to any particular port after the MultiAccess image is loaded\n" + "- If a new access-list needs to be applied, reload the FPGA image after applying it\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/19023-security-advisory-0091" + ) diff --git a/CVEasy/Arista/2024/cve20244578.py b/CVEasy/Arista/2024/cve20244578.py new file mode 100644 index 00000000..72adbe8d --- /dev/null +++ b/CVEasy/Arista/2024/cve20244578.py @@ -0,0 +1,48 @@ +from comfy import high + + +@high( + name='rule_cve20244578', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_config='show running-config' + ), +) +def rule_cve20244578(configuration, commands, device, devices): + """ + This rule checks for CVE-2024-4578 vulnerability in Arista Wireless Access Points. + The vulnerability allows privilege escalation via spawning a bash shell when authenticated + as the "config" user via SSH. The spawned shell can obtain root privileges. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 13.0.2.x versions + '13.0.2-28-vv1002', + # 15.x versions are all vulnerable + '15.0', '15.1', '15.2', '15.3', '15.4', '15.5', '15.6', '15.7', '15.8', '15.9', + # 16.x versions up to the vulnerable version + '16.1.051-vv6' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Assert that the device is not vulnerable + assert not version_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2024-4578. " + "The device is running a vulnerable version that allows privilege escalation " + "via spawning a bash shell when authenticated as the 'config' user. " + "Upgrade to one of the following fixed versions:\n" + "- 13.0.2-28-vv1101 or later for 13.0.2.x\n" + "- 16.1.0-51-vv703 or later for 16.x\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/19844-security-advisory-0098" + ) diff --git a/CVEasy/Cisco/2022/__init__.py b/CVEasy/Cisco/2022/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_ios/__init__.py b/CVEasy/Cisco/2022/cisco_ios/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220677.py b/CVEasy/Cisco/2022/cisco_ios/cve202220677.py new file mode 100644 index 00000000..1031e83b --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220677.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220677', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220677(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20677 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + An attacker could exploit this vulnerability to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20677. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220697.py b/CVEasy/Cisco/2022/cisco_ios/cve202220697.py new file mode 100644 index 00000000..1804c43a --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220697.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202220697', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_http='show running-config | include ip http' + ), +) +def rule_cve202220697(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20697 vulnerability in Cisco IOS Software. + The vulnerability is due to improper resource management in the HTTP server code. + An attacker could exploit this vulnerability by sending a large number of HTTP requests + to an affected device, causing it to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check HTTP configuration + http_output = commands.check_http + + # Check if HTTP server is enabled + http_enabled = any(service in http_output for service in ['ip http server', 'ip http secure-server']) + + # Assert that the device is not vulnerable + assert not http_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20697. " + "The device has HTTP/HTTPS server enabled, " + "which could allow an attacker to cause a denial of service through crafted HTTP requests. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-dos-svOdkdBS" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220718.py b/CVEasy/Cisco/2022/cisco_ios/cve202220718.py new file mode 100644 index 00000000..3abeec7e --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220718.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220718', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220718(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20718 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20718. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220719.py b/CVEasy/Cisco/2022/cisco_ios/cve202220719.py new file mode 100644 index 00000000..e3665251 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220719.py @@ -0,0 +1,35 @@ +from comfy import high + + +@high( + name='rule_cve202220719', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220719(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20719 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application + hosting environment. Multiple vulnerabilities could allow an attacker to inject + arbitrary commands into the underlying host operating system, execute arbitrary + code, install applications without authentication, or conduct cross-site + scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20719. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220720.py b/CVEasy/Cisco/2022/cisco_ios/cve202220720.py new file mode 100644 index 00000000..ecea6ab3 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220720.py @@ -0,0 +1,35 @@ +from comfy import high + + +@high( + name='rule_cve202220720', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220720(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20720 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application + hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands + into the underlying host operating system, execute arbitrary code, install + applications without authentication, or conduct cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20720. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220721.py b/CVEasy/Cisco/2022/cisco_ios/cve202220721.py new file mode 100644 index 00000000..fa410727 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220721.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220721', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220721(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20721 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20721. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220722.py b/CVEasy/Cisco/2022/cisco_ios/cve202220722.py new file mode 100644 index 00000000..e5d99e25 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220722.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220722', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220722(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20722 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20722. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220723.py b/CVEasy/Cisco/2022/cisco_ios/cve202220723.py new file mode 100644 index 00000000..fe189087 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220723.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220723', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220723(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20723 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20723. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220724.py b/CVEasy/Cisco/2022/cisco_ios/cve202220724.py new file mode 100644 index 00000000..293118d4 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220724.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220724', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220724(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20724 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20724. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220725.py b/CVEasy/Cisco/2022/cisco_ios/cve202220725.py new file mode 100644 index 00000000..c7994a30 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220725.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220725', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220725(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20725 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20725. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220726.py b/CVEasy/Cisco/2022/cisco_ios/cve202220726.py new file mode 100644 index 00000000..c5b607ff --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220726.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220726', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220726(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20726 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20726. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220727.py b/CVEasy/Cisco/2022/cisco_ios/cve202220727.py new file mode 100644 index 00000000..e87b64e3 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220727.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220727', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220727(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20727 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20727. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220761.py b/CVEasy/Cisco/2022/cisco_ios/cve202220761.py new file mode 100644 index 00000000..2811f670 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220761.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202220761', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ap='show running-config | include autonomous-ap' + ), +) +def rule_cve202220761(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20761 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient input validation in the integrated wireless access point (AP) + packet processing of the Cisco 1000 Series Connected Grid Router (CGR1K). An attacker could exploit + this vulnerability by sending crafted traffic to an affected device, causing the integrated AP to stop + processing traffic and resulting in a denial of service condition. + """ + # Extract the output of the command to check AP configuration + ap_output = commands.check_ap + + # Check if integrated AP is configured + ap_configured = 'autonomous-ap' in ap_output + + # Assert that the device is not vulnerable + assert not ap_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20761. " + "The device has integrated wireless access point configured, " + "which could allow an adjacent attacker to cause a denial of service through crafted traffic. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cgr1k-ap-dos-mSZR4QVh" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220919.py b/CVEasy/Cisco/2022/cisco_ios/cve202220919.py new file mode 100644 index 00000000..8e2b3148 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220919.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220919', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_cip='show running-config | include cip enable' + ), +) +def rule_cve202220919(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20919 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient input validation during processing of + Common Industrial Protocol (CIP) packets. + An unauthenticated, remote attacker could exploit this vulnerability by sending + malformed CIP packets to an affected device, + causing it to unexpectedly reload and resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check CIP configuration + cip_output = commands.check_cip + + # Check if CIP is enabled + cip_enabled = 'cip enable' in cip_output + + # Assert that the device is not vulnerable + assert not cip_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20919. " + "The device has Common Industrial Protocol (CIP) enabled, " + "which could allow an unauthenticated attacker to cause a denial of service through malformed CIP packets. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-cip-dos-9rTbKLt9" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220920.py b/CVEasy/Cisco/2022/cisco_ios/cve202220920.py new file mode 100644 index 00000000..51f76da3 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220920.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220920', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ssh='show running-config | include ip ssh' + ), +) +def rule_cve202220920(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20920 vulnerability in Cisco IOS Software. + The vulnerability is due to improper handling of resources during an exceptional + situation in the SSH implementation. + An authenticated, remote attacker could exploit this vulnerability by continuously connecting to an affected device + and sending specific SSH requests, causing the device to reload and resulting in a + denial of service (DoS) condition. + """ + # Extract the output of the command to check SSH configuration + ssh_output = commands.check_ssh + + # Check if SSH is enabled + ssh_enabled = 'ip ssh' in ssh_output + + # Assert that the device is not vulnerable + assert not ssh_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20920. " + "The device has SSH enabled, " + "which could allow an authenticated attacker to cause a denial of service through crafted SSH requests. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssh-excpt-dos-FzOBQTnk" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/__init__.py b/CVEasy/Cisco/2022/cisco_nxos/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220623.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220623.py new file mode 100644 index 00000000..68d2b466 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220623.py @@ -0,0 +1,44 @@ +from comfy import high + + +@high( + name='rule_cve202220623', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_bfd='show running-config | include feature bfd' + ), +) +def rule_cve202220623(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20623 vulnerability in Cisco NX-OS Software. + The vulnerability is due to a logic error in the BFD rate limiter functionality of Nexus 9000 Series Switches. + An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted stream of traffic + through the device, causing BFD traffic to be dropped and resulting in BFD session flaps, route instability, + and a denial of service condition. + """ + # Extract the platform information + platform_output = commands.show_version + + # Check if the device is a Nexus 9000 Series + is_n9k = 'Nexus 9000' in platform_output + + # If not a Nexus 9000 device, it's not vulnerable + if not is_n9k: + return + + # Extract the output of the command to check BFD configuration + bfd_output = commands.check_bfd + + # Check if BFD is enabled + bfd_enabled = 'feature bfd' in bfd_output + + # Assert that the device is not vulnerable + assert not bfd_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20623. " + "The device is a Nexus 9000 Series switch with BFD enabled, " + "which could allow an unauthenticated attacker to cause BFD session flaps and a denial of service " + "through crafted traffic. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-bfd-dos-wGQXrzxn" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220624.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220624.py new file mode 100644 index 00000000..32f2796b --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220624.py @@ -0,0 +1,38 @@ +from comfy import high + + +@high( + name='rule_cve202220624', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_cfs='show running-config | include cfs ipv4 distribute' + ), +) +def rule_cve202220624(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20624 vulnerability in Cisco NX-OS Software. + The vulnerability is due to insufficient validation of incoming CFSoIP packets. + An unauthenticated, remote attacker could exploit this vulnerability by sending crafted + CFSoIP packets to an affected device, causing it to reload and resulting in a denial of + service condition. + """ + # Extract the output of the command to check CFS configuration + cfs_output = commands.check_cfs + + # Check if CFSoIP is enabled + cfs_enabled = 'cfs ipv4 distribute' in cfs_output + + # If CFSoIP is not enabled, device is not vulnerable + if not cfs_enabled: + return + + # Assert that the device is not vulnerable + assert not cfs_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20624. " + "The device has Cisco Fabric Services over IP (CFSoIP) enabled, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted " + "CFSoIP packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cfsoip-dos-tpykyDr" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220625.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220625.py new file mode 100644 index 00000000..24ec9eb1 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220625.py @@ -0,0 +1,38 @@ +from comfy import high + + +@high( + name='rule_cve202220625', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_cdp='show running-config | include no cdp enable|cdp enable' + ), +) +def rule_cve202220625(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20625 vulnerability in Cisco NX-OS Software. + The vulnerability is due to improper handling of Cisco Discovery Protocol messages. + An unauthenticated, adjacent attacker could exploit this vulnerability by sending + malicious CDP packets to an affected device, causing the CDP service to fail and + restart, and in rare conditions, causing the entire device to restart. + """ + # Extract the output of the command to check CDP configuration + cdp_output = commands.check_cdp + + # Check if CDP is enabled + cdp_enabled = 'cdp enable' in cdp_output + + # If CDP is not enabled, device is not vulnerable + if not cdp_enabled: + return + + # Assert that the device is not vulnerable + assert not cdp_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20625. " + "The device has Cisco Discovery Protocol enabled, " + "which could allow an adjacent attacker to cause a denial of service through " + "malicious CDP packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cdp-dos-G8DPLWYG" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220650.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220650.py new file mode 100644 index 00000000..94e66d00 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220650.py @@ -0,0 +1,37 @@ +from comfy import high + + +@high( + name='rule_cve202220650', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_nxapi='show running-config | include feature nxapi' + ), +) +def rule_cve202220650(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20650 vulnerability in Cisco NX-OS Software. + The vulnerability is due to insufficient input validation of user supplied data that is sent to the NX-API. + An authenticated, remote attacker could exploit this vulnerability by sending a crafted HTTP POST request + to the NX-API of an affected device, allowing them to execute arbitrary commands with root privileges. + Note: The NX-API feature is disabled by default. + """ + # Extract the output of the command to check NX-API configuration + nxapi_output = commands.check_nxapi + + # Check if NX-API is enabled + nxapi_enabled = 'feature nxapi' in nxapi_output + + # If NX-API is not enabled, device is not vulnerable + if not nxapi_enabled: + return + + # Assert that the device is not vulnerable + assert not nxapi_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20650. " + "The device has NX-API enabled, which could allow an authenticated attacker " + "to execute arbitrary commands with root privileges through crafted HTTP POST requests. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-nxapi-cmdinject-ULukNMZ2" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220823.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220823.py new file mode 100644 index 00000000..b8a815ac --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220823.py @@ -0,0 +1,41 @@ +from comfy import high + + +@high( + name='rule_cve202220823', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_ospfv3='show running-config | include router ospfv3|ipv6 router ospf' + ), +) +def rule_cve202220823(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20823 vulnerability in Cisco NX-OS Software. + The vulnerability is due to incomplete input validation of specific OSPFv3 packets. + An unauthenticated, remote attacker could exploit this vulnerability by sending a malicious + OSPFv3 link-state advertisement (LSA) to an affected device, causing the OSPFv3 process to + crash and restart multiple times, leading to a denial of service condition. + Note: The OSPFv3 feature is disabled by default. + """ + # Extract the output of the command to check OSPFv3 configuration + ospfv3_output = commands.check_ospfv3 + + # Check if OSPFv3 is enabled (either via 'router ospfv3' or 'ipv6 router ospf') + ospfv3_enabled = any(feature in ospfv3_output for feature in [ + 'router ospfv3', + 'ipv6 router ospf' + ]) + + # If OSPFv3 is not enabled, device is not vulnerable + if not ospfv3_enabled: + return + + # Assert that the device is not vulnerable + assert not ospfv3_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20823. " + "The device has OSPFv3 enabled, which could allow an unauthenticated attacker " + "to cause a denial of service through malicious OSPFv3 LSA packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ospfv3-dos-48qutcu" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py new file mode 100644 index 00000000..0f036b7e --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py @@ -0,0 +1,38 @@ +from comfy import high + + +@high( + name='rule_cve202220824', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_cdp='show running-config | include no cdp enable|cdp enable' + ), +) +def rule_cve202220824(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20824 vulnerability in Cisco NX-OS Software. + The vulnerability is due to improper input validation of specific values within Cisco Discovery Protocol messages. + An unauthenticated, adjacent attacker could exploit this vulnerability by sending malicious CDP packets to an + affected device, allowing them to execute arbitrary code with root privileges or cause a denial of " + "service condition. + Note: CDP is enabled by default, and the attacker must be in the same broadcast domain (Layer 2 adjacent). + """ + # Extract the output of the command to check CDP configuration + cdp_output = commands.check_cdp + + # Check if CDP is enabled + cdp_enabled = 'cdp enable' in cdp_output + + # If CDP is not enabled, device is not vulnerable + if not cdp_enabled: + return + + # Assert that the device is not vulnerable + assert not cdp_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20824. " + "The device has Cisco Discovery Protocol enabled, " + "which could allow an adjacent attacker to execute arbitrary code with root privileges or cause a " + "denial of service. For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-cdp-dos-ce-wWvPucC9" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/__init__.py b/CVEasy/Cisco/2022/cisco_xe/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220676.py b/CVEasy/Cisco/2022/cisco_xe/cve202220676.py new file mode 100644 index 00000000..e4c9db0d --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220676.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202220676', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_tcl='show running-config | include tclsh' + ), +) +def rule_cve202220676(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20676 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation of data that is passed into the Tcl interpreter. + An authenticated, local attacker with privilege level 15 could exploit this vulnerability by loading + malicious Tcl code on an affected device, allowing them to escalate to root-level privileges. + """ + # Extract the output of the command to check Tcl configuration + tcl_output = commands.check_tcl + + # Check if Tcl shell access is enabled + tcl_enabled = 'tclsh' in tcl_output + + # Assert that the device is not vulnerable + assert not tcl_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20676. " + "The device has Tcl shell access enabled, " + "which could allow an authenticated attacker with privilege level 15 to escalate to root privileges. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-grbtubU" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220678.py b/CVEasy/Cisco/2022/cisco_xe/cve202220678.py new file mode 100644 index 00000000..dd812915 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220678.py @@ -0,0 +1,35 @@ +from comfy import high + + +@high( + name='rule_cve202220678', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_appnav='show running-config | include appnav-controller|service-insertion' + ), +) +def rule_cve202220678(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20678 vulnerability in Cisco IOS XE Software. + The vulnerability is due to incorrect handling of certain TCP segments in the AppNav-XE feature. + An unauthenticated, remote attacker could exploit this vulnerability by sending a stream of crafted + TCP traffic at a high rate through an interface with AppNav interception enabled, causing the device + to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check AppNav configuration + appnav_output = commands.check_appnav + + # Check if AppNav-XE is configured + appnav_configured = any(feature in appnav_output for feature in [ + 'appnav-controller', 'service-insertion' + ]) + + # Assert that the device is not vulnerable + assert not appnav_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20678. " + "The device has AppNav-XE configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted TCP traffic. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-appnav-xe-dos-j5MXTR4" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220679.py b/CVEasy/Cisco/2022/cisco_xe/cve202220679.py new file mode 100644 index 00000000..d876fa19 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220679.py @@ -0,0 +1,47 @@ +import re # Add regex module +from comfy import high + + +@high( + name='rule_cve202220679', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_ipsec='show running-config | include crypto ipsec', + check_mtu='show interfaces | include MTU' + ), +) +def rule_cve202220679(configuration, commands, device, devices): + # Convert command outputs to strings to handle None values + ipsec_output = str(commands.check_ipsec or "") + mtu_output = str(commands.check_mtu or "") + + # Check if IPsec is configured + ipsec_configured = 'crypto ipsec' in ipsec_output + + # Check if any interface has MTU >= 1800 using regex + high_mtu = False + for line in mtu_output.splitlines(): + if 'MTU' in line: + # Use regex to find the first sequence of digits after "MTU" + match = re.search(r'MTU.*?(\d+)', line) + if match: + try: + mtu = int(match.group(1)) + if mtu >= 1800: + high_mtu = True + break + except ValueError: + continue + + # Device is vulnerable if both conditions are met + is_vulnerable = ipsec_configured and high_mtu + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20679. " + "The device has IPsec configured and interfaces with MTU >= 1800 bytes, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qfp-ipsec-GQmqvtqV" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220681.py b/CVEasy/Cisco/2022/cisco_xe/cve202220681.py new file mode 100644 index 00000000..a75b1d96 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220681.py @@ -0,0 +1,42 @@ +from comfy import high + + +@high( + name='rule_cve202220681', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis' + ), +) +def rule_cve202220681(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20681 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient validation of user privileges after executing certain CLI commands + on Cisco Catalyst 9000 Family Switches and Wireless Controllers. An authenticated, local attacker with low + privileges could exploit this vulnerability by executing certain CLI commands to elevate their privileges + to level 15. + """ + # Extract the version information from the command output + version_output = commands.show_version + + _ = version_output # intentionally unused + + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Assert that the device is not vulnerable + assert not is_cat9k, ( + f"Device {device.name} is vulnerable to CVE-2022-20681. " + "The device is a Catalyst 9000 Series switch/wireless controller, " + "which could allow an authenticated attacker to elevate privileges to level 15 through certain CLI commands. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-priv-esc-ybvHKO5" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220682.py b/CVEasy/Cisco/2022/cisco_xe/cve202220682.py new file mode 100644 index 00000000..aa049d38 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220682.py @@ -0,0 +1,47 @@ +from comfy import high + + +@high( + name='rule_cve202220682', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include wireless|capwap' + ), +) +def rule_cve202220682(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20682 vulnerability in Cisco IOS XE Software. + The vulnerability is due to inadequate input validation of incoming CAPWAP packets encapsulating + multicast DNS (mDNS) queries in the Catalyst 9000 Family Wireless Controllers. An attacker could + exploit this vulnerability by connecting to a wireless network and sending a crafted mDNS query, + which would flow through and be processed by the wireless controller. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check wireless/CAPWAP configuration + wireless_output = commands.check_wireless + + # Check if wireless controller and CAPWAP are configured + wireless_configured = any(feature in wireless_output for feature in ['wireless', 'capwap']) + + # Device is vulnerable if it's a Cat9K and has wireless/CAPWAP configured + is_vulnerable = is_cat9k and wireless_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20682. " + "The device is a Catalyst 9000 Series wireless controller with CAPWAP configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted mDNS queries. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-capwap-mdns-6PSn7gKU" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220683.py b/CVEasy/Cisco/2022/cisco_xe/cve202220683.py new file mode 100644 index 00000000..f75dfa00 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220683.py @@ -0,0 +1,47 @@ +from comfy import high + + +@high( + name='rule_cve202220683', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_fnf='show running-config | include flow|performance monitor' + ), +) +def rule_cve202220683(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20683 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient packet verification for traffic inspected by the AVC feature + in Cisco Catalyst 9800 Series Wireless Controllers. An unauthenticated, remote attacker could exploit + this vulnerability by sending crafted packets from the wired network to a wireless client, causing + the wireless controller to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9800 Series + is_cat9800 = 'C9800' in platform_output + + # If not a Catalyst 9800 device, it's not vulnerable + if not is_cat9800: + return + + # Extract the output of the command to check AVC/FNF configuration + fnf_output = commands.check_fnf + + # Check if AVC/FNF is configured + fnf_configured = any(feature in fnf_output for feature in ['flow', 'performance monitor']) + + # Device is vulnerable if it's a Cat9800 and has AVC/FNF configured + is_vulnerable = is_cat9800 and fnf_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20683. " + "The device is a Catalyst 9800 Series wireless controller with AVC/FNF configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-fnf-dos-bOL5vLge" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220684.py b/CVEasy/Cisco/2022/cisco_xe/cve202220684.py new file mode 100644 index 00000000..7652082a --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220684.py @@ -0,0 +1,48 @@ +from comfy import high + + +@high( + name='rule_cve202220684', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include wireless|snmp-server' + ), +) +def rule_cve202220684(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20684 vulnerability in Cisco IOS XE Software. + The vulnerability is due to a lack of input validation of the information used to generate an SNMP trap + related to a wireless client connection event in Catalyst 9000 Family Wireless Controllers. An attacker + could exploit this vulnerability by sending an 802.1x packet with crafted parameters during the wireless + authentication setup phase of a connection. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check wireless and SNMP configuration + wireless_output = commands.check_wireless + + # Check if wireless controller and SNMP traps are configured + wireless_configured = 'wireless' in wireless_output + snmp_configured = 'snmp-server' in wireless_output + + # Device is vulnerable if it's a Cat9K and has both wireless and SNMP configured + is_vulnerable = is_cat9k and wireless_configured and snmp_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20684. " + "The device is a Catalyst 9000 Series wireless controller with SNMP traps configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted 802.1x packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-snmp-trap-dos-mjent3Ey" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220692.py b/CVEasy/Cisco/2022/cisco_xe/cve202220692.py new file mode 100644 index 00000000..fde47890 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220692.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202220692', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_netconf='show running-config | include netconf-yang|ssh' + ), +) +def rule_cve202220692(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20692 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient resource management in the NETCONF over SSH feature. + A low-privileged, authenticated, remote attacker could exploit this vulnerability by initiating + a large number of NETCONF over SSH connections, causing the device to reload and resulting in + a denial of service (DoS) condition. + """ + # Extract the output of the command to check NETCONF configuration + netconf_output = commands.check_netconf + + # Check if NETCONF over SSH is enabled + netconf_enabled = 'netconf-yang' in netconf_output and 'ssh' in netconf_output + + # Assert that the device is not vulnerable + assert not netconf_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20692. " + "The device has NETCONF over SSH enabled, " + "which could allow an authenticated attacker to cause a denial of service through multiple connections. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncossh-dos-ZAkfOdq8" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220693.py b/CVEasy/Cisco/2022/cisco_xe/cve202220693.py new file mode 100644 index 00000000..5ff4d0d2 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220693.py @@ -0,0 +1,38 @@ +from comfy import high + + +@high( + name='rule_cve202220693', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|restconf' + ), +) +def rule_cve202220693(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20693 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation in the web UI feature. + An authenticated, remote attacker could exploit this vulnerability by sending crafted input + to the web UI API, allowing them to inject commands to the underlying operating system with + root privileges. + """ + # Extract the output of the command to check web UI configuration + webui_output = commands.check_webui + + # Check if web UI or RESTCONF is enabled + webui_enabled = any(feature in webui_output for feature in [ + 'ip http server', + 'ip http secure-server', + 'restconf' + ]) + + # Assert that the device is not vulnerable + assert not webui_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20693. " + "The device has web UI or RESTCONF enabled, " + "which could allow an authenticated attacker to inject commands with root privileges through " + "crafted API input. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webuiapi-inj-Nyrq92Od" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220694.py b/CVEasy/Cisco/2022/cisco_xe/cve202220694.py new file mode 100644 index 00000000..0b3d0cf0 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220694.py @@ -0,0 +1,37 @@ +from comfy import high + + +@high( + name='rule_cve202220694', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_rpki='show running-config | include router bgp|rpki' + ), +) +def rule_cve202220694(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20694 vulnerability in Cisco IOS XE Software. + The vulnerability is due to incorrect handling of RPKI to Router (RTR) Protocol packet headers + in the Resource Public Key Infrastructure (RPKI) feature. An unauthenticated, remote attacker + could exploit this vulnerability by sending crafted RTR packets to cause the BGP process to crash, + resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check BGP and RPKI configuration + rpki_output = commands.check_rpki + + # Check if BGP is configured with RPKI + bgp_configured = 'router bgp' in rpki_output + rpki_configured = 'rpki' in rpki_output + + # Device is vulnerable if both BGP and RPKI are configured + is_vulnerable = bgp_configured and rpki_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20694. " + "The device has BGP configured with RPKI, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted RTR packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-rpki-dos-2EgCNeKE" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220810.py b/CVEasy/Cisco/2022/cisco_xe/cve202220810.py new file mode 100644 index 00000000..800e1562 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220810.py @@ -0,0 +1,48 @@ +from comfy import high + + +@high( + name='rule_cve202220810', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_snmp='show running-config | include snmp-server|wireless' + ), +) +def rule_cve202220810(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20810 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient restrictions in the SNMP feature of Catalyst 9000 Family + Wireless Controllers that could allow sensitive configuration details to be disclosed. An authenticated, + remote attacker could exploit this vulnerability by retrieving data through SNMP read-only community access, + allowing them to view SSID preshared keys (PSKs) configured on the device. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check SNMP and wireless configuration + snmp_output = commands.check_snmp + + # Check if SNMP and wireless are configured + snmp_configured = 'snmp-server' in snmp_output + wireless_configured = 'wireless' in snmp_output + + # Device is vulnerable if it's a Cat9K and has both SNMP and wireless configured + is_vulnerable = is_cat9k and snmp_configured and wireless_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20810. " + "The device is a Catalyst 9000 Series wireless controller with SNMP configured, " + "which could allow an authenticated attacker to view SSID preshared keys through SNMP read-only access. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cwlc-snmpidv-rnyyQzUZ" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220837.py b/CVEasy/Cisco/2022/cisco_xe/cve202220837.py new file mode 100644 index 00000000..4ad69d65 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220837.py @@ -0,0 +1,38 @@ +from comfy import high + + +@high( + name='rule_cve202220837', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_nat='show running-config | include ip nat|alg' + ), +) +def rule_cve202220837(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20837 vulnerability in Cisco IOS XE Software. + The vulnerability is due to a logic error in the DNS application layer gateway (ALG) functionality + used by Network Address Translation (NAT). An unauthenticated, remote attacker could exploit this + vulnerability by sending crafted IPv4 TCP DNS packets through an affected device that is performing + NAT for DNS packets, causing the device to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check NAT and ALG configuration + nat_output = commands.check_nat + + # Check if NAT is configured with DNS ALG + nat_configured = 'ip nat' in nat_output + alg_enabled = not ('no ip nat service alg dns tcp' in nat_output) # ALG is enabled by default + + # Device is vulnerable if NAT is configured and DNS ALG is not explicitly disabled + is_vulnerable = nat_configured and alg_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20837. " + "The device has NAT configured with DNS ALG enabled, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted " + "IPv4 TCP DNS packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-alg-dos-KU9Z8kFX" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220847.py b/CVEasy/Cisco/2022/cisco_xe/cve202220847.py new file mode 100644 index 00000000..c6208b1e --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220847.py @@ -0,0 +1,48 @@ +from comfy import high + + +@high( + name='rule_cve202220847', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_dhcp='show running-config | include ip dhcp|wireless' + ), +) +def rule_cve202220847(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20847 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper processing of DHCP messages in Catalyst 9000 Family + Wireless Controllers. An unauthenticated, remote attacker could exploit this vulnerability + by sending malicious DHCP messages to an affected device, causing it to reload and resulting + in a denial of service (DoS) condition. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check DHCP and wireless configuration + dhcp_output = commands.check_dhcp + + # Check if DHCP and wireless are configured + dhcp_configured = 'ip dhcp' in dhcp_output + wireless_configured = 'wireless' in dhcp_output + + # Device is vulnerable if it's a Cat9K and has both DHCP and wireless configured + is_vulnerable = is_cat9k and dhcp_configured and wireless_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20847. " + "The device is a Catalyst 9000 Series wireless controller with DHCP configured, " + "which could allow an unauthenticated attacker to cause a denial of service through malicious DHCP messages. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-dhcp-dos-76pCjPxK" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220848.py b/CVEasy/Cisco/2022/cisco_xe/cve202220848.py new file mode 100644 index 00000000..cc4ef75a --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220848.py @@ -0,0 +1,51 @@ +from comfy import high + + +@high( + name='rule_cve202220848', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include ap|wireless' + ), +) +def rule_cve202220848(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20848 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper processing of UDP datagrams in Embedded Wireless Controllers + on Catalyst 9100 Series Access Points. An unauthenticated, remote attacker could exploit this + vulnerability by sending malicious UDP datagrams to an affected device, causing it to reload + and resulting in a denial of service (DoS) condition. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9100 Series AP + is_cat9100 = 'C91' in platform_output + + # If not a Catalyst 9100 device, it's not vulnerable + if not is_cat9100: + return + + # Extract the output of the command to check wireless configuration + wireless_output = commands.check_wireless + + # Check if device is configured as an embedded wireless controller + wireless_controller_enabled = any(feature in wireless_output for feature in [ + 'ap sso', + 'wireless management interface', + 'wireless controller' + ]) + + # Device is vulnerable if it's a Cat9100 and configured as wireless controller + is_vulnerable = is_cat9100 and wireless_controller_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20848. " + "The device is a Catalyst 9100 Series AP configured as an embedded wireless controller, " + "which could allow an unauthenticated attacker to cause a denial of service through malicious UDP datagrams. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-udp-dos-XDyEwhNz" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220851.py b/CVEasy/Cisco/2022/cisco_xe/cve202220851.py new file mode 100644 index 00000000..23b129aa --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220851.py @@ -0,0 +1,38 @@ +from comfy import high + + +@high( + name='rule_cve202220851', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|restconf' + ), +) +def rule_cve202220851(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20851 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation in the web UI feature. + An authenticated, remote attacker with Administrator privileges could exploit this + vulnerability by sending crafted input to the web UI API, allowing them to execute + arbitrary commands on the underlying operating system with root privileges. + """ + # Extract the output of the command to check web UI configuration + webui_output = commands.check_webui + + # Check if web UI or RESTCONF is enabled + webui_enabled = any(feature in webui_output for feature in [ + 'ip http server', + 'ip http secure-server', + 'restconf' + ]) + + # Assert that the device is not vulnerable + assert not webui_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20851. " + "The device has web UI or RESTCONF enabled, " + "which could allow an authenticated attacker with Administrator privileges to execute arbitrary " + "commands with root privileges. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-cmdinj-Gje47EMn" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220855.py b/CVEasy/Cisco/2022/cisco_xe/cve202220855.py new file mode 100644 index 00000000..2100bb57 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220855.py @@ -0,0 +1,51 @@ +from comfy import high + + +@high( + name='rule_cve202220855', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include ap|wireless' + ), +) +def rule_cve202220855(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20855 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper checks throughout the restart of certain system processes + in Embedded Wireless Controllers on Catalyst Access Points. An authenticated, local attacker with + privilege level 15 could exploit this vulnerability by executing certain CLI commands to escape + the restricted controller shell and execute arbitrary commands on the underlying OS as root. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9100 Series AP + is_cat9100 = 'C91' in platform_output + + # If not a Catalyst 9100 device, it's not vulnerable + if not is_cat9100: + return + + # Extract the output of the command to check wireless configuration + wireless_output = commands.check_wireless + + # Check if device is configured as an embedded wireless controller + wireless_controller_enabled = any(feature in wireless_output for feature in [ + 'ap sso', + 'wireless management interface', + 'wireless controller' + ]) + + # Device is vulnerable if it's a Cat9100 and configured as wireless controller + is_vulnerable = is_cat9100 and wireless_controller_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20855. " + "The device is a Catalyst 9100 Series AP configured as an embedded wireless controller, " + "which could allow a privileged attacker to execute arbitrary commands as root. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewc-priv-esc-nderYLtK" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220856.py b/CVEasy/Cisco/2022/cisco_xe/cve202220856.py new file mode 100644 index 00000000..01b3ebcd --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220856.py @@ -0,0 +1,49 @@ +from comfy import high + + +@high( + name='rule_cve202220856', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include wireless|mobility' + ), +) +def rule_cve202220856(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20856 vulnerability in Cisco IOS XE Software. + The vulnerability is due to a logic error and improper management of resources related to + the handling of CAPWAP Mobility messages in Catalyst 9000 Family Wireless Controllers. + An unauthenticated, remote attacker could exploit this vulnerability by sending crafted + CAPWAP Mobility packets to exhaust resources on the affected device, causing it to reload. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check wireless and mobility configuration + wireless_output = commands.check_wireless + + # Check if wireless controller and mobility are configured + wireless_configured = 'wireless' in wireless_output + mobility_configured = 'mobility' in wireless_output + + # Device is vulnerable if it's a Cat9K and has both wireless and mobility configured + is_vulnerable = is_cat9k and wireless_configured and mobility_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20856. " + "The device is a Catalyst 9000 Series wireless controller with mobility configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted " + "CAPWAP Mobility packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-mob-dos-342YAc6J" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220864.py b/CVEasy/Cisco/2022/cisco_xe/cve202220864.py new file mode 100644 index 00000000..c0d1e7a5 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220864.py @@ -0,0 +1,45 @@ +from comfy import high + + +@high( + name='rule_cve202220864', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_password_recovery='show running-config | include no service password-recovery' + ), +) +def rule_cve202220864(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20864 vulnerability in Cisco IOS XE Software. + The vulnerability is due to a problem with the file and boot variable permissions in ROMMON + when password recovery is disabled. An unauthenticated, local attacker could exploit this + vulnerability by rebooting the switch into ROMMON and entering specific commands through + the console to read any file or reset the enable password. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst switch + is_catalyst = 'C9' in platform_output + + # If not a Catalyst switch, it's not vulnerable + if not is_catalyst: + return + + # Extract the output of the command to check password recovery configuration + password_recovery_output = commands.check_password_recovery + + # Check if password recovery is disabled + password_recovery_disabled = 'no service password-recovery' in password_recovery_output + + # Assert that the device is not vulnerable + assert not password_recovery_disabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20864. " + "The device is a Catalyst switch with password recovery disabled, " + "which could allow an unauthenticated attacker with physical access to recover configuration " + "or reset passwords. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-info-disc-nrORXjO" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220870.py b/CVEasy/Cisco/2022/cisco_xe/cve202220870.py new file mode 100644 index 00000000..39da8e08 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220870.py @@ -0,0 +1,47 @@ +from comfy import high + + +@high( + name='rule_cve202220870', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_mpls='show running-config | include mpls' + ), +) +def rule_cve202220870(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20870 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation of IPv4 traffic in the egress MPLS + packet processing function of Catalyst 3650, 3850, and 9000 Family Switches. An unauthenticated, + remote attacker could exploit this vulnerability by sending a malformed packet out of an affected + MPLS-enabled interface, causing the device to reload. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a vulnerable Catalyst model (3650, 3850, or 9000 series) + is_vulnerable_platform = any(model in platform_output for model in ['C3650', 'C3850', 'C9']) + + # If not a vulnerable Catalyst model, it's not vulnerable + if not is_vulnerable_platform: + return + + # Extract the output of the command to check MPLS configuration + mpls_output = commands.check_mpls + + # Check if MPLS is enabled + mpls_enabled = 'mpls' in mpls_output + + # Device is vulnerable if it's a vulnerable platform and has MPLS enabled + is_vulnerable = is_vulnerable_platform and mpls_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20870. " + "The device is a Catalyst 3650/3850/9000 switch with MPLS enabled, " + "which could allow an unauthenticated attacker to cause a denial of service through malformed packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-mpls-dos-Ab4OUL3" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220915.py b/CVEasy/Cisco/2022/cisco_xe/cve202220915.py new file mode 100644 index 00000000..734d4009 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220915.py @@ -0,0 +1,47 @@ +from comfy import high + + +@high( + name='rule_cve202220915', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_6vpe='show running-config | include vrf|ipv6|zone', + check_zbfw='show running-config | include zone-pair|class-map|policy-map' + ), +) +def rule_cve202220915(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20915 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper error handling of an IPv6 packet that is forwarded from + an MPLS and ZBFW-enabled interface in a 6VPE deployment. An unauthenticated, adjacent attacker + could exploit this vulnerability by sending a crafted IPv6 packet sourced from a device on the + IPv6-enabled VRF interface through the affected device. + """ + # Extract the output of the commands + vpe_output = commands.check_6vpe + zbfw_output = commands.check_zbfw + + # Check if 6VPE is configured (requires VRF and IPv6) + vrf_configured = 'vrf' in vpe_output + ipv6_configured = 'ipv6' in vpe_output + vpe_configured = vrf_configured and ipv6_configured + + # Check if Zone-Based Firewall is configured + zbfw_configured = any(feature in zbfw_output for feature in [ + 'zone-pair', + 'class-map', + 'policy-map' + ]) + + # Device is vulnerable if both 6VPE and ZBFW are configured + is_vulnerable = vpe_configured and zbfw_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20915. " + "The device has IPv6 VPN over MPLS (6VPE) and Zone-Based Firewall configured, " + "which could allow an adjacent attacker to cause a denial of service through crafted IPv6 packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-6vpe-dos-tJBtf5Zv" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220944.py b/CVEasy/Cisco/2022/cisco_xe/cve202220944.py new file mode 100644 index 00000000..42a825a2 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220944.py @@ -0,0 +1,48 @@ +from comfy import high + + +@high( + name='rule_cve202220944', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_secure_boot='show platform software authenticity' + ), +) +def rule_cve202220944(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20944 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper verification of digital signatures during the boot process + in Catalyst 9200 Series Switches. An unauthenticated, physical attacker could exploit this + vulnerability by loading unsigned code at system boot time, allowing them to bypass image + verification and execute arbitrary code. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9200 Series + is_cat9200 = 'C92' in platform_output + + # If not a Catalyst 9200 device, it's not vulnerable + if not is_cat9200: + return + + # Extract the output of the command to check secure boot status + secure_boot_output = commands.check_secure_boot + + # Check if secure boot is disabled or not properly configured + secure_boot_disabled = ( + 'Image verification is disabled' in secure_boot_output or + 'Secure Boot: disabled' in secure_boot_output or + not secure_boot_output # If no output, assume it's not properly configured + ) + + # Assert that the device is not vulnerable + assert not secure_boot_disabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20944. " + "The device is a Catalyst 9200 Series switch with image verification disabled or not properly configured, " + "which could allow an attacker with physical access to execute unsigned code at boot time. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-cat-verify-D4NEQA6q" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/__init__.py b/CVEasy/Cisco/2022/cisco_xr/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220655.py b/CVEasy/Cisco/2022/cisco_xr/cve202220655.py new file mode 100644 index 00000000..d3229321 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220655.py @@ -0,0 +1,54 @@ +from comfy import high + + +@high( + name='rule_cve202220655', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_confd='show processes confd' + ), +) +def rule_cve202220655(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20655 vulnerability in Cisco IOS XR Software. + The vulnerability is due to insufficient validation of a process argument in the ConfD CLI. + An authenticated, local attacker could exploit this vulnerability by injecting commands during + the execution of this process, allowing them to execute arbitrary commands on the underlying + operating system with root privileges. + """ + # List of vulnerable versions + vulnerable_versions = [ + '7.0.1', '7.0.2', '7.0.3', '7.1.0', # IOS XR versions + '2.6.5', # Virtual Topology System versions + '4.3.9.1', '4.4.5.6', '4.5.7', '4.6.1.7', '4.7.1', '5.1.0.1', # Network Services Orchestrator versions + '3.12.1', # Enterprise NFV Infrastructure Software versions + '18.4.4', '19.2.1', # Catalyst SD-WAN Manager versions + '16.10.2', '16.12.1b', '17.2.1r', # IOS XE Catalyst SD-WAN versions + '18.4.4', '19.2.1' # SD-WAN vEdge Router versions + ] + + # Extract the version information + version_output = commands.show_version + + # Check if version is vulnerable + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check ConfD process + confd_output = commands.check_confd + + # Check if ConfD is running + confd_running = 'confd' in confd_output + + # Assert that the device is not vulnerable + assert not confd_running, ( + f"Device {device.name} is vulnerable to CVE-2022-20655. " + "The device is running a vulnerable version with ConfD enabled, " + "which could allow an authenticated attacker to execute arbitrary commands with root privileges. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cli-cmdinj-4MttWZPB" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220714.py b/CVEasy/Cisco/2022/cisco_xr/cve202220714.py new file mode 100644 index 00000000..c434098d --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220714.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202220714', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_linecard='show inventory | include Lightspeed-Plus' + ), +) +def rule_cve202220714(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20714 vulnerability in Cisco IOS XR Software. + The vulnerability is due to incorrect handling of malformed packets in the data plane microcode + of Lightspeed-Plus line cards for ASR 9000 Series routers. An unauthenticated, remote attacker + could exploit this vulnerability by sending crafted IPv4 or IPv6 packets through an affected device, + causing the line card to reset and resulting in a denial of service condition. + """ + # Extract the output of the command to check for Lightspeed-Plus line cards + linecard_output = commands.check_linecard + + # Check if Lightspeed-Plus line cards are present + lightspeed_plus_present = 'Lightspeed-Plus' in linecard_output + + # Assert that the device is not vulnerable + assert not lightspeed_plus_present, ( + f"Device {device.name} is vulnerable to CVE-2022-20714. " + "The device has Lightspeed-Plus line cards installed, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted IPv4/IPv6 packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lsplus-Z6AQEOjk" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220758.py b/CVEasy/Cisco/2022/cisco_xr/cve202220758.py new file mode 100644 index 00000000..0b8c565f --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220758.py @@ -0,0 +1,38 @@ +from comfy import high + + +@high( + name='rule_cve202220758', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_bgp='show running-config | include router bgp|address-family l2vpn evpn' + ), +) +def rule_cve202220758(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20758 vulnerability in Cisco IOS XR Software. + The vulnerability is due to incorrect processing of BGP update messages containing specific EVPN attributes. + An unauthenticated, remote attacker could exploit this vulnerability by sending crafted BGP update messages + through an established trusted peer connection, causing the BGP process to restart and resulting in a + denial of service (DoS) condition. + """ + # Extract the output of the command to check BGP EVPN configuration + bgp_output = commands.check_bgp + + # Check if BGP is configured with L2VPN EVPN address family + bgp_configured = 'router bgp' in bgp_output + evpn_configured = 'address-family l2vpn evpn' in bgp_output + + # Device is vulnerable if both BGP and L2VPN EVPN are configured + is_vulnerable = bgp_configured and evpn_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20758. " + "The device has BGP configured with L2VPN EVPN address-family, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted " + "BGP update messages. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgpevpn-zWTRtPBb" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220821.py b/CVEasy/Cisco/2022/cisco_xr/cve202220821.py new file mode 100644 index 00000000..befbecc7 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220821.py @@ -0,0 +1,39 @@ +from comfy import high + + +@high( + name='rule_cve202220821', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_redis='show processes | include redis', + check_port='show processes | include 6379' + ), +) +def rule_cve202220821(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20821 vulnerability in Cisco IOS XR Software. + The vulnerability is due to the health check RPM opening TCP port 6379 by default upon activation. + An unauthenticated, remote attacker could exploit this vulnerability by connecting to the Redis + instance on the open port, allowing them to write to the Redis in-memory database, write arbitrary + files to the container filesystem, and retrieve information about the Redis database. + """ + # Extract the output of the commands + redis_output = commands.check_redis + port_output = commands.check_port + + # Check if Redis is running and port 6379 is open + redis_running = 'redis' in redis_output + port_open = '6379' in port_output + + # Device is vulnerable if Redis is running and port 6379 is open + is_vulnerable = redis_running and port_open + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20821. " + "The device has Redis running with port 6379 open, " + "which could allow an unauthenticated attacker to access and modify the Redis database. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220845.py b/CVEasy/Cisco/2022/cisco_xr/cve202220845.py new file mode 100644 index 00000000..6687124a --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220845.py @@ -0,0 +1,59 @@ +from comfy import high + + +@high( + name='rule_cve202220845', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_tl1='show processes | include tl1' + ), +) +def rule_cve202220845(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20845 vulnerability in Cisco IOS XR Software. + The vulnerability is due to TL1 not freeing memory under some conditions in NCS 4000 Series devices. + An authenticated, local attacker could exploit this vulnerability by connecting to the device and + issuing TL1 commands, causing the TL1 process to consume large amounts of memory and potentially + leading to a denial of service condition. + """ + # List of vulnerable versions + vulnerable_versions = [ + '6.5.25', '6.5.26', '6.5.28', '6.5.29', '6.5.31', '6.5.32' + ] + + # Extract the version information + version_output = commands.show_version + + # Check if version is vulnerable + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is an NCS 4000 Series + is_ncs4k = 'NCS-4' in platform_output + + # If not an NCS 4000 device, it's not vulnerable + if not is_ncs4k: + return + + # Extract the output of the command to check TL1 process + tl1_output = commands.check_tl1 + + # Check if TL1 process is running + tl1_running = 'tl1' in tl1_output + + # Assert that the device is not vulnerable + assert not tl1_running, ( + f"Device {device.name} is vulnerable to CVE-2022-20845. " + "The device is an NCS 4000 Series running a vulnerable version with TL1 process enabled, " + "which could allow an authenticated attacker to cause a denial of service through memory exhaustion. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncs4k-tl1-GNnLwC6" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220846.py b/CVEasy/Cisco/2022/cisco_xr/cve202220846.py new file mode 100644 index 00000000..80868215 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220846.py @@ -0,0 +1,58 @@ +from comfy import high + + +@high( + name='rule_cve202220846', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_cdp='show running-config | include cdp' + ), +) +def rule_cve202220846(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20846 vulnerability in Cisco IOS XR Software. + The vulnerability is due to a heap buffer overflow in certain Cisco Discovery Protocol messages. + An unauthenticated, adjacent attacker could exploit this vulnerability by sending malicious + Cisco Discovery Protocol packets to an affected device, causing the CDP process to reload. + """ + # List of vulnerable versions + vulnerable_versions = [ + '6.5.1', '6.5.2', '6.5.3', '6.5.15', '6.5.25', '6.5.26', '6.5.28', '6.5.29', + '6.5.31', '6.5.32', '6.5.90', '6.5.92', '6.5.93', + '6.6.1', '6.6.2', '6.6.3', '6.6.4', '6.6.11', '6.6.12', '6.6.25', + '6.7.1', '6.7.2', '6.7.3', '6.7.4', '6.7.35', + '6.8.1', '6.8.2', '6.9.1', + '7.0.0', '7.0.1', '7.0.2', '7.0.11', '7.0.12', '7.0.14', '7.0.90', + '7.1.1', '7.1.2', '7.1.3', '7.1.15', '7.1.25', + '7.2.0', '7.2.1', '7.2.2', '7.2.12', + '7.3.1', '7.3.2', '7.3.3', '7.3.4', '7.3.15', '7.3.16', '7.3.27', + '7.4.1', '7.4.2', '7.4.15', '7.4.16', + '7.5.1', '7.5.2', '7.5.12', + '7.6.1', '7.6.15' + ] + + # Extract the version information + version_output = commands.show_version + + # Check if version is vulnerable + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check CDP configuration + cdp_output = commands.check_cdp + + # Check if CDP is enabled (CDP is enabled by default unless explicitly disabled) + cdp_disabled = 'no cdp' in cdp_output + + # Assert that the device is not vulnerable + assert cdp_disabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20846. " + "The device is running a vulnerable version with CDP enabled, " + "which could allow an adjacent attacker to cause a denial of service through malicious CDP packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xr-cdp-wnALzvT2" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220849.py b/CVEasy/Cisco/2022/cisco_xr/cve202220849.py new file mode 100644 index 00000000..acc5b32b --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220849.py @@ -0,0 +1,55 @@ +from comfy import high + + +@high( + name='rule_cve202220849', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_pppoe='show running-config | include bba-group pppoe|pppoe enable' + ), +) +def rule_cve202220849(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20849 vulnerability in Cisco IOS XR Software. + The vulnerability is due to improper handling of error conditions within specific PPPoE packet + sequences in the Broadband Network Gateway feature. An unauthenticated, adjacent attacker could + exploit this vulnerability by sending a sequence of specific PPPoE packets from controlled CPE, + causing the PPPoE process to continually restart and resulting in a denial of service condition. + """ + # List of vulnerable versions + vulnerable_versions = [ + '6.5.1', '6.5.2', '6.5.3', '6.5.15', '6.6.1', '6.6.2', '6.6.3', '6.6.4', '6.6.25', + '6.7.1', '6.7.2', '6.7.3', '6.7.35', '6.8.1', '6.8.2', '6.9.1', + '7.0.1', '7.0.2', '7.0.90', '7.1.1', '7.1.2', '7.1.3', '7.1.15', '7.1.25', + '7.2.1', '7.2.2', '7.3.1', '7.3.2', '7.3.3', '7.3.4', '7.4.1', '7.4.2', + '7.5.1' + ] + + # Extract the version information + version_output = commands.show_version + + # Check if version is vulnerable + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check PPPoE configuration + pppoe_output = commands.check_pppoe + + # Check if PPPoE is configured + pppoe_configured = any(feature in pppoe_output for feature in [ + 'bba-group pppoe', + 'pppoe enable' + ]) + + # Assert that the device is not vulnerable + assert not pppoe_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20849. " + "The device is running a vulnerable version with PPPoE enabled, " + "which could allow an adjacent attacker to cause a denial of service through crafted PPPoE packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-bng-Gmg5Gxt" + ) diff --git a/CVEasy/Cisco/2023/cisco_ios/__init__.py b/CVEasy/Cisco/2023/cisco_ios/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2023/cisco_ios/cve202320076.py b/CVEasy/Cisco/2023/cisco_ios/cve202320076.py new file mode 100644 index 00000000..ce3db4b3 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_ios/cve202320076.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202320076', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_iox='show running-config | include iox' + ), +) +def rule_cve202320076(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20076 vulnerability in Cisco IOS Software. + The vulnerability is due to incomplete sanitization of parameters that are passed in for + activation of an application in the Cisco IOx application hosting environment. An attacker + could exploit this vulnerability by deploying and activating an application with a crafted + activation payload file. + """ + # Extract the output of the command to check IOx configuration + iox_output = commands.check_iox + + # Check if IOx is configured + iox_configured = 'iox' in iox_output + + # Assert that the device is not vulnerable + assert not iox_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20076. " + "The device has IOx application hosting configured, " + "which could allow an authenticated attacker to execute arbitrary commands as root. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-8whGn5dL" + ) diff --git a/CVEasy/Cisco/2023/cisco_ios/cve202320080.py b/CVEasy/Cisco/2023/cisco_ios/cve202320080.py new file mode 100644 index 00000000..c43652dc --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_ios/cve202320080.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320080', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_dhcpv6='show running-config | include ipv6 dhcp' + ), +) +def rule_cve202320080(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20080 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient validation of data boundaries in the IPv6 DHCP (DHCPv6) + relay and server features. An attacker could exploit this vulnerability by sending crafted DHCPv6 + messages to an affected device, causing it to reload unexpectedly. + """ + # Extract the output of the command to check DHCPv6 configuration + dhcpv6_output = commands.check_dhcpv6 + + # Check if DHCPv6 relay or server is configured + dhcpv6_configured = any(feature in dhcpv6_output for feature in ['ipv6 dhcp relay', 'ipv6 dhcp server']) + + # Assert that the device is not vulnerable + assert not dhcpv6_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20080. " + "The device has IPv6 DHCP relay or server configured, " + "which could allow an attacker to cause a denial of service through crafted DHCPv6 messages. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-dhcpv6-dos-44cMvdDK" + ) diff --git a/CVEasy/Cisco/2023/cisco_ios/cve202320081.py b/CVEasy/Cisco/2023/cisco_ios/cve202320081.py new file mode 100644 index 00000000..cdeae6c4 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_ios/cve202320081.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202320081', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_dhcpv6_client='show running-config | include ipv6 dhcp client' + ), +) +def rule_cve202320081(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20081 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient validation of DHCPv6 messages in the DHCPv6 client module. + An attacker could exploit this vulnerability by sending crafted DHCPv6 messages to an affected device, + causing it to reload and resulting in a denial of service (DoS) condition. + Note: To successfully exploit this vulnerability, the attacker would need to either control the DHCPv6 + server or be in a man-in-the-middle position. + """ + # Extract the output of the command to check DHCPv6 client configuration + dhcpv6_output = commands.check_dhcpv6_client + + # Check if DHCPv6 client is configured + dhcpv6_client_configured = 'ipv6 dhcp client' in dhcpv6_output + + # Assert that the device is not vulnerable + assert not dhcpv6_client_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20081. " + "The device has DHCPv6 client configured, " + "which could allow an attacker to cause a denial of service through crafted DHCPv6 messages. " + "For more information,see https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-asaftdios-dhcpv6-cli-Zf3zTv" + ) diff --git a/CVEasy/Cisco/2023/cisco_ios/cve202320109.py b/CVEasy/Cisco/2023/cisco_ios/cve202320109.py new file mode 100644 index 00000000..2aac407a --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_ios/cve202320109.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202320109', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_getvpn='show running-config | include crypto gdoi' + ), +) +def rule_cve202320109(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20109 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient validation of attributes in the Group Domain of + Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature. An attacker could + exploit this vulnerability by either compromising an installed key server or modifying + the configuration of a group member to point to a key server that is controlled by the attacker. + """ + # Extract the output of the command to check GET VPN configuration + getvpn_output = commands.check_getvpn + + # Check if GET VPN (GDOI) is configured + getvpn_configured = 'crypto gdoi' in getvpn_output + + # Assert that the device is not vulnerable + assert not getvpn_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20109. " + "The device has GET VPN (GDOI) configured, " + "which could allow an authenticated attacker to execute arbitrary code or cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-getvpn-rce-g8qR68sx" + ) diff --git a/CVEasy/Cisco/2023/cisco_ios/cve202320186.py b/CVEasy/Cisco/2023/cisco_ios/cve202320186.py new file mode 100644 index 00000000..d065567d --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_ios/cve202320186.py @@ -0,0 +1,55 @@ +from comfy import high + + +@high( + name='rule_cve202320186', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_aaa='show running-config | include aaa|ip scp' + ), +) +def rule_cve202320186(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20186 vulnerability in Cisco IOS Software. + The vulnerability is due to incorrect processing of SCP commands in AAA command authorization checks. + An attacker with valid credentials and level 15 privileges could exploit this vulnerability by using + SCP to connect to an affected device from an external machine, potentially allowing them to obtain + or change the configuration of the affected device. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + '15.0(1)M', '15.1(4)M', '15.2(4)M', '15.3(3)M', '15.4(3)M', '15.5(3)M', + '15.6(3)M', '15.7(3)M', '15.8(3)M', '15.9(3)M', '15.1(2)SG', '15.1(2)SY', + '15.2(1)E', '15.2(2)E', '15.2(3)E', '15.2(4)E', '15.2(5)E', '15.2(6)E', + '15.2(7)E', '15.2(8)E', '15.5(1)SY' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check AAA and SCP configuration + aaa_output = commands.check_aaa + + # Check if AAA authorization and SCP are configured + aaa_configured = 'aaa authorization' in aaa_output + scp_configured = 'ip scp server enable' in aaa_output + + # Device is vulnerable if both AAA authorization and SCP are enabled + is_vulnerable = aaa_configured and scp_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2023-20186. " + "The device is running a vulnerable version AND has both AAA authorization and SCP enabled, " + "which could allow an authenticated attacker to bypass command authorization. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aaascp-Tyj4fEJm" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/__init__.py b/CVEasy/Cisco/2023/cisco_nxos/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320050.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320050.py new file mode 100644 index 00000000..4a33b01a --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320050.py @@ -0,0 +1,30 @@ +from comfy import high + + +@high( + name='rule_cve202320050', + platform=['cisco_nxos'], + commands=dict( + check_cli='show running-config | include cli' + ), +) +def rule_cve202320050(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20050 vulnerability in Cisco NX-OS Software. + The vulnerability is due to insufficient validation of arguments that are passed to specific CLI commands. + An attacker could exploit this vulnerability by including crafted input as the argument of an affected command. + """ + # Extract the output of the command to check CLI configuration + cli_output = commands.check_cli + + # Check if CLI command is configured + cli_configured = 'cli' in cli_output + + # Assert that the device is not vulnerable + assert not cli_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20050. " + "The device has CLI command enabled, which could allow an attacker to execute arbitrary commands. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-nxos-cli-cmdinject-euQVK9u" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320089.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320089.py new file mode 100644 index 00000000..83e8aca0 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320089.py @@ -0,0 +1,31 @@ +from comfy import high + + +@high( + name='rule_cve202320089', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_lldp='show running-config | include lldp' + ), +) +def rule_cve202320089(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20089 vulnerability in Cisco Nexus 9000 Series Fabric Switches in ACI Mode. + The vulnerability is due to incorrect error checking when parsing ingress LLDP packets, which could allow + an unauthenticated, adjacent attacker to cause a memory leak, resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check LLDP configuration + lldp_output = commands.check_lldp + + # Check if LLDP is enabled + lldp_enabled = 'lldp' in lldp_output + + # Assert that the device is not vulnerable + assert not lldp_enabled, ( + f"Device {device.name} is vulnerable to CVE-2023-20089. " + "The device is running in ACI Mode AND has LLDP enabled, " + "which could allow an attacker to cause a memory leak and DoS condition. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-lldp-dos-ySCNZOpX" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320115.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320115.py new file mode 100644 index 00000000..0e7b51df --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320115.py @@ -0,0 +1,51 @@ +from comfy import high + + +@high( + name='rule_cve202320115', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_sftp='show running-config | include sftp' + ), +) +def rule_cve202320115(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20115 vulnerability in Cisco NX-OS Software. + The vulnerability is due to a logic error when verifying the user role when an SFTP connection is opened, + which could allow an authenticated, remote attacker to download or overwrite files from the underlying + operating system of an affected device. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + '9.2(1)', '9.2(2)', '9.2(2t)', '9.2(3)', '9.2(4)', '9.2(2v)', + '9.3(1)', '9.3(2)', '9.3(3)', '9.3(4)', '9.3(5)', '9.3(6)', '9.3(7)', '9.3(7a)', + '9.3(8)', '9.3(9)', '9.3(10)', '9.3(11)', '10.1(1)', '10.1(2)', '10.1(2t)', + '10.2(1)', '10.2(1q)', '10.2(2)', '10.2(3)', '10.2(3t)', '10.2(4)', '10.2(5)', + '10.3(1)', '10.3(2)' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check SFTP configuration + sftp_output = commands.check_sftp + + # Check if SFTP is configured + sftp_configured = 'sftp' in sftp_output + + # Assert that the device is not vulnerable + assert not sftp_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20115. " + "The device is running a vulnerable version AND has SFTP configured, " + "which could allow an attacker to download or overwrite files. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-sftp-xVAp5Hfd" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320168.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320168.py new file mode 100644 index 00000000..3ac31e23 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320168.py @@ -0,0 +1,127 @@ +from comfy import high + + +@high( + name='rule_cve202320168', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_tacacs_radius='show running-config | include tacacs|radius' + ), +) +def rule_cve202320168(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20168 vulnerability in Cisco NX-OS Software. + The vulnerability is due to incorrect input validation when processing an authentication attempt + if the directed request option is enabled for TACACS+ or RADIUS, which could allow an unauthenticated, + local attacker to cause the device to unexpectedly reload, resulting in a denial of service (DoS) condition. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.2 versions + '4.2(1)SV1(4)', '4.2(1)SV1(4a)', '4.2(1)SV1(4b)', '4.2(1)SV1(5.1)', '4.2(1)SV1(5.1a)', + '4.2(1)SV1(5.2)', '4.2(1)SV1(5.2b)', '4.2(1)SV2(1.1)', '4.2(1)SV2(1.1a)', '4.2(1)SV2(2.1)', + '4.2(1)SV2(2.1a)', '4.2(1)SV2(2.2)', '4.2(1)SV2(2.3)', + # 5.2 versions + '5.2(1)SM1(5.1)', '5.2(1)SM1(5.2)', '5.2(1)SM1(5.2a)', '5.2(1)SM1(5.2b)', '5.2(1)SM1(5.2c)', + '5.2(1)SM3(1.1)', '5.2(1)SM3(1.1a)', '5.2(1)SM3(1.1b)', '5.2(1)SM3(1.1c)', '5.2(1)SM3(2.1)', + '5.2(1)SV3(1.4)', '5.2(1)SV3(1.1)', '5.2(1)SV3(1.3)', '5.2(1)SV3(1.5a)', '5.2(1)SV3(1.5b)', + '5.2(1)SV3(1.6)', '5.2(1)SV3(1.10)', '5.2(1)SV3(1.15)', '5.2(1)SV3(2.1)', '5.2(1)SV3(2.5)', + '5.2(1)SV3(2.8)', '5.2(1)SV3(3.1)', '5.2(1)SV3(1.2)', '5.2(1)SV3(1.4b)', '5.2(1)SV3(3.15)', + '5.2(1)SV3(4.1)', '5.2(1)SV3(4.1a)', '5.2(1)SV3(4.1b)', '5.2(1)SV3(4.1c)', + # 6.0 versions + '6.0(2)A3(1)', '6.0(2)A3(2)', '6.0(2)A3(4)', '6.0(2)A4(1)', '6.0(2)A4(2)', '6.0(2)A4(3)', + '6.0(2)A4(4)', '6.0(2)A4(5)', '6.0(2)A4(6)', '6.0(2)A6(1)', '6.0(2)A6(1a)', '6.0(2)A6(2)', + '6.0(2)A6(2a)', '6.0(2)A6(3)', '6.0(2)A6(3a)', '6.0(2)A6(4)', '6.0(2)A6(4a)', '6.0(2)A6(5)', + '6.0(2)A6(5a)', '6.0(2)A6(5b)', '6.0(2)A6(6)', '6.0(2)A6(7)', '6.0(2)A6(8)', '6.0(2)A7(1)', + '6.0(2)A7(1a)', '6.0(2)A7(2)', '6.0(2)A7(2a)', '6.0(2)A8(1)', '6.0(2)A8(2)', '6.0(2)A8(3)', + '6.0(2)A8(4)', '6.0(2)A8(4a)', '6.0(2)A8(5)', '6.0(2)A8(6)', '6.0(2)A8(7)', '6.0(2)A8(7a)', + '6.0(2)A8(7b)', '6.0(2)A8(8)', '6.0(2)A8(9)', '6.0(2)A8(10a)', '6.0(2)A8(10)', '6.0(2)A8(11)', + '6.0(2)A8(11a)', '6.0(2)A8(11b)', '6.0(2)U2(1)', '6.0(2)U2(2)', '6.0(2)U2(3)', '6.0(2)U2(4)', + '6.0(2)U2(5)', '6.0(2)U2(6)', '6.0(2)U3(1)', '6.0(2)U3(2)', '6.0(2)U3(3)', '6.0(2)U3(4)', + '6.0(2)U3(5)', '6.0(2)U3(6)', '6.0(2)U3(7)', '6.0(2)U3(8)', '6.0(2)U3(9)', '6.0(2)U4(1)', + '6.0(2)U4(2)', '6.0(2)U4(3)', '6.0(2)U4(4)', '6.0(2)U5(1)', '6.0(2)U5(2)', '6.0(2)U5(3)', + '6.0(2)U5(4)', '6.0(2)U6(1)', '6.0(2)U6(2)', '6.0(2)U6(3)', '6.0(2)U6(4)', '6.0(2)U6(5)', + '6.0(2)U6(6)', '6.0(2)U6(7)', '6.0(2)U6(8)', '6.0(2)U6(1a)', '6.0(2)U6(2a)', '6.0(2)U6(3a)', + '6.0(2)U6(4a)', '6.0(2)U6(5a)', '6.0(2)U6(5b)', '6.0(2)U6(5c)', '6.0(2)U6(9)', '6.0(2)U6(10)', + # 6.2 versions + '6.2(2)', '6.2(2a)', '6.2(6)', '6.2(6b)', '6.2(8)', '6.2(8a)', '6.2(8b)', '6.2(10)', + '6.2(12)', '6.2(18)', '6.2(16)', '6.2(14)', '6.2(6a)', '6.2(20)', '6.2(1)', '6.2(3)', + '6.2(5)', '6.2(5a)', '6.2(5b)', '6.2(7)', '6.2(9)', '6.2(9a)', '6.2(9b)', '6.2(9c)', + '6.2(11)', '6.2(11b)', '6.2(11c)', '6.2(11d)', '6.2(11e)', '6.2(13)', '6.2(13a)', '6.2(13b)', + '6.2(15)', '6.2(17)', '6.2(19)', '6.2(21)', '6.2(23)', '6.2(20a)', '6.2(25)', '6.2(22)', + '6.2(27)', '6.2(29)', '6.2(24)', '6.2(31)', '6.2(24a)', '6.2(33)', + # 7.0 versions + '7.0(3)F1(1)', '7.0(3)F2(1)', '7.0(3)F2(2)', '7.0(3)F3(1)', '7.0(3)F3(2)', '7.0(3)F3(3)', + '7.0(3)F3(3a)', '7.0(3)F3(4)', '7.0(3)F3(3c)', '7.0(3)F3(5)', '7.0(3)I2(2a)', '7.0(3)I2(2b)', + '7.0(3)I2(2c)', '7.0(3)I2(2d)', '7.0(3)I2(2e)', '7.0(3)I2(3)', '7.0(3)I2(4)', '7.0(3)I2(5)', + '7.0(3)I2(1)', '7.0(3)I2(1a)', '7.0(3)I2(2)', '7.0(3)I3(1)', '7.0(3)I4(1)', '7.0(3)I4(2)', + '7.0(3)I4(3)', '7.0(3)I4(4)', '7.0(3)I4(5)', '7.0(3)I4(6)', '7.0(3)I4(7)', '7.0(3)I4(8)', + '7.0(3)I4(8a)', '7.0(3)I4(8b)', '7.0(3)I4(8z)', '7.0(3)I4(9)', '7.0(3)I5(1)', '7.0(3)I5(2)', + '7.0(3)I6(1)', '7.0(3)I6(2)', '7.0(3)I7(1)', '7.0(3)I7(2)', '7.0(3)I7(3)', '7.0(3)I7(4)', + '7.0(3)I7(5)', '7.0(3)I7(5a)', '7.0(3)I7(6)', '7.0(3)I7(7)', '7.0(3)I7(8)', '7.0(3)I7(9)', + '7.0(3)I7(10)', + # 7.1 versions + '7.1(0)N1(1a)', '7.1(0)N1(1b)', '7.1(0)N1(1)', '7.1(1)N1(1)', '7.1(2)N1(1)', '7.1(3)N1(1)', + '7.1(3)N1(2)', '7.1(4)N1(1)', '7.1(5)N1(1)', '7.1(5)N1(1b)', + # 7.2 versions + '7.2(0)D1(1)', '7.2(1)D1(1)', '7.2(2)D1(2)', '7.2(2)D1(1)', + # 7.3 versions + '7.3(0)D1(1)', '7.3(0)DX(1)', '7.3(0)DY(1)', '7.3(0)N1(1)', '7.3(1)D1(1)', '7.3(1)DY(1)', + '7.3(1)N1(1)', '7.3(2)D1(1)', '7.3(2)D1(2)', '7.3(2)D1(3)', '7.3(2)D1(3a)', '7.3(2)N1(1)', + '7.3(3)N1(1)', '7.3(4)N1(1)', '7.3(3)D1(1)', '7.3(4)D1(1)', '7.3(5)N1(1)', '7.3(6)N1(1)', + '7.3(5)D1(1)', '7.3(7)N1(1)', '7.3(7)N1(1a)', '7.3(7)N1(1b)', '7.3(6)D1(1)', '7.3(8)N1(1)', + '7.3(7)D1(1)', '7.3(9)N1(1)', '7.3(10)N1(1)', '7.3(8)D1(1)', '7.3(9)D1(1)', '7.3(11)N1(1)', + '7.3(12)N1(1)', '7.3(13)N1(1)', + # 8.0 versions + '8.0(1)', + # 8.1 versions + '8.1(1)', '8.1(2)', '8.1(2a)', '8.1(1a)', '8.1(1b)', + # 8.2 versions + '8.2(1)', '8.2(2)', '8.2(3)', '8.2(4)', '8.2(5)', '8.2(6)', '8.2(7)', '8.2(7a)', '8.2(8)', + '8.2(9)', + # 8.3 versions + '8.3(1)', '8.3(2)', + # 8.4 versions + '8.4(1)', '8.4(1a)', '8.4(2)', '8.4(2a)', '8.4(3)', '8.4(2b)', '8.4(4)', '8.4(2c)', + '8.4(4a)', '8.4(5)', '8.4(2d)', '8.4(6)', '8.4(2e)', '8.4(6a)', '8.4(7)', '8.4(2f)', + # 8.5 versions + '8.5(1)', + # 9.2 versions + '9.2(1)', '9.2(2)', '9.2(2t)', '9.2(3)', '9.2(4)', '9.2(2v)', '9.2(1a)', + # 9.3 versions + '9.3(1)', '9.3(2)', '9.3(3)', '9.3(4)', '9.3(5)', '9.3(6)', '9.3(7)', '9.3(7a)', '9.3(8)', + '9.3(9)', '9.3(10)', '9.3(11)', + # 10.1 versions + '10.1(1)', '10.1(2)', '10.1(2t)', + # 10.2 versions + '10.2(1)', '10.2(1q)', '10.2(2)', '10.2(3)', '10.2(3t)', '10.2(4)', '10.2(5)', + # 10.3 versions + '10.3(1)', '10.3(2)', + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check TACACS+ and RADIUS configuration + tacacs_radius_output = commands.check_tacacs_radius + + # Check if TACACS+ or RADIUS is configured + tacacs_radius_configured = 'tacacs' in tacacs_radius_output or 'radius' in tacacs_radius_output + + # Assert that the device is not vulnerable + assert not tacacs_radius_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20168. " + "The device is running a vulnerable version AND has TACACS+ or RADIUS configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-nxos-remoteauth-dos-XB6pv74m" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320169.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320169.py new file mode 100644 index 00000000..b852e19f --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320169.py @@ -0,0 +1,49 @@ +from comfy import high + + +@high( + name='rule_cve202320169', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_isis='show running-config | include router isis' + ), +) +def rule_cve202320169(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20169 vulnerability in Cisco NX-OS Software. + The vulnerability is due to insufficient input validation when parsing an ingress IS-IS packet, + which could allow an unauthenticated, adjacent attacker to cause the IS-IS process to unexpectedly restart, + resulting in a denial of service (DoS) condition. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 10.3 versions + '10.3(2)', + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check IS-IS configuration + isis_output = commands.check_isis + + # Check if IS-IS is configured + isis_configured = 'router isis' in isis_output + + # Assert that the device is not vulnerable + assert not isis_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20169. " + "The device is running a vulnerable version AND has IS-IS configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-nxos-n3_9k-isis-dos-FTCXB4Vb" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320185.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320185.py new file mode 100644 index 00000000..b1f976ab --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320185.py @@ -0,0 +1,78 @@ +from comfy import high + + +@high( + name='rule_cve202320185', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_cloudsec='show running-config | include cloudsec' + ), +) +def rule_cve202320185(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20185 vulnerability in Cisco NX-OS System Software in ACI Mode. + The vulnerability is due to an issue with the implementation of the ciphers used by the + CloudSec encryption feature, which could allow an unauthenticated, remote attacker to read or modify + intersite encrypted traffic. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 14.0 versions + '14.0(1h)', '14.0(2c)', '14.0(3d)', '14.0(3c)', + # 14.1 versions + '14.1(1i)', '14.1(1j)', '14.1(1k)', '14.1(1l)', + '14.1(2g)', '14.1(2m)', '14.1(2o)', '14.1(2s)', + '14.1(2u)', '14.1(2w)', '14.1(2x)', + # 14.2 versions + '14.2(1i)', '14.2(1j)', '14.2(1l)', '14.2(2e)', + '14.2(2f)', '14.2(2g)', '14.2(3j)', '14.2(3l)', + '14.2(3n)', '14.2(3q)', '14.2(4i)', '14.2(4k)', + '14.2(4o)', '14.2(4p)', '14.2(5k)', '14.2(5l)', + '14.2(5n)', '14.2(6d)', '14.2(6g)', '14.2(6h)', + '14.2(6l)', '14.2(7f)', '14.2(7l)', '14.2(6o)', + '14.2(7q)', '14.2(7r)', '14.2(7s)', '14.2(7t)', + '14.2(7u)', '14.2(7v)', '14.2(7w)', + # 15.0 versions + '15.0(1k)', '15.0(1l)', '15.0(2e)', '15.0(2h)', + # 15.1 versions + '15.1(1h)', '15.1(2e)', '15.1(3e)', '15.1(4c)', + # 15.2 versions + '15.2(1g)', '15.2(2e)', '15.2(2f)', '15.2(2g)', + '15.2(2h)', '15.2(3e)', '15.2(3f)', '15.2(3g)', + '15.2(4d)', '15.2(4e)', '15.2(5c)', '15.2(5d)', + '15.2(5e)', '15.2(4f)', '15.2(6e)', '15.2(6g)', + '15.2(7f)', '15.2(7g)', '15.2(8d)', '15.2(8e)', + '15.2(8f)', '15.2(8g)', '15.2(8h)', + # 16.0 versions + '16.0(1g)', '16.0(1j)', '16.0(2h)', '16.0(2j)', + '16.0(3d)', '16.0(3e)', + # 15.3 versions + '15.3(1d)', + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check CloudSec configuration + cloudsec_output = commands.check_cloudsec + + # Check if CloudSec is configured + cloudsec_configured = 'cloudsec' in cloudsec_output + + # Assert that the device is not vulnerable + assert not cloudsec_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20185. " + "The device is running a vulnerable version AND has CloudSec configured, " + "which could allow an attacker to read or modify intersite encrypted traffic. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-aci-cloudsec-enc-Vs5Wn2sX" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320262.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320262.py new file mode 100644 index 00000000..7a226ec9 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320262.py @@ -0,0 +1,80 @@ +from comfy import high + + +@high( + name='rule_cve202320262', + platform=['cisco_sdwan'], + commands=dict( + show_version='show version', + check_ssh='show running-config | include ssh' + ), +) +def rule_cve202320262(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20262 vulnerability in Cisco Catalyst SD-WAN Manager. + The vulnerability is due to insufficient resource management when an affected system is in an error condition, + which could allow an unauthenticated, remote attacker to cause a process crash, resulting in a DoS condition + for SSH access. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 17.2 versions + '17.2.4', '17.2.5', '17.2.6', '17.2.7', '17.2.8', '17.2.9', '17.2.10', + # 18.2 versions + '18.2.0', + # 18.3 versions + '18.3.0', '18.3.1', '18.3.3', '18.3.3.1', '18.3.4', '18.3.5', '18.3.6', '18.3.7', '18.3.8', + # 18.4 versions + '18.4.0', '18.4.0.1', '18.4.1', '18.4.3', '18.4.302', '18.4.303', '18.4.4', '18.4.5', '18.4.6', + # 19.1 versions + '19.1.0', + # 19.2 versions + '19.2.0', '19.2.097', '19.2.099', '19.2.1', '19.2.2', '19.2.3', '19.2.31', '19.2.929', '19.2.4', + # 19.3 versions + '19.3.0', + # 20.1 versions + '20.1.1', '20.1.1.1', '20.1.11', '20.1.12', '20.1.2', '20.1.3', '20.1.3.1', + # 20.3 versions + '20.3.1', '20.3.2', '20.3.2.1', '20.3.3', '20.3.3.1', '20.3.4', '20.3.4.1', '20.3.4.2', '20.3.4.3', + '20.3.5', '20.3.5.1', '20.3.6', + # 20.4 versions + '20.4.1', '20.4.1.1', '20.4.1.2', '20.4.2', '20.4.2.1', '20.4.2.2', '20.4.2.3', + # 20.5 versions + '20.5.1', '20.5.1.1', '20.5.1.2', + # 20.6 versions + '20.6.1', '20.6.1.1', '20.6.1.2', '20.6.2', '20.6.2.1', '20.6.2.2', '20.6.3', '20.6.3.1', '20.6.3.2', + '20.6.3.3', '20.6.3.4', '20.6.4', '20.6.4.1', '20.6.4.2', '20.6.5', '20.6.5.2', '20.6.5.4', '20.6.5.5', + # 20.7 versions + '20.7.1', '20.7.1.1', + # 20.8 versions + '20.8.1', + # 20.9 versions + '20.9.1', '20.9.2.3', + # 20.10 versions + '20.10.1.2' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check SSH configuration + ssh_output = commands.check_ssh + + # Check if SSH is configured + ssh_configured = 'ssh' in ssh_output + + # Assert that the device is not vulnerable + assert not ssh_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20262. " + "The device is running a vulnerable version AND has SSH configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vman-sc-LRLfu2z" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/__init__.py b/CVEasy/Cisco/2023/cisco_xe/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320027.py b/CVEasy/Cisco/2023/cisco_xe/cve202320027.py new file mode 100644 index 00000000..ab5702a2 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320027.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320027', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_vfr='show running-config | include ip virtual-reassembly' + ), +) +def rule_cve202320027(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20027 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper reassembly of large packets when Virtual Fragmentation + Reassembly (VFR) is enabled on either a tunnel interface or on a physical interface that is + configured with an MTU greater than 4,615 bytes. + """ + # Extract the output of the command to check VFR configuration + vfr_output = commands.check_vfr + + # Check if VFR is configured + vfr_configured = 'ip virtual-reassembly' in vfr_output + + # Assert that the device is not vulnerable + assert not vfr_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20027. " + "The device has Virtual Fragmentation Reassembly (VFR) enabled, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv4-vfr-dos-CXxtFacb" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320029.py b/CVEasy/Cisco/2023/cisco_xe/cve202320029.py new file mode 100644 index 00000000..130310ce --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320029.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320029', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_meraki='show running-config | include meraki' + ), +) +def rule_cve202320029(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20029 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient memory protection in the Meraki onboarding feature. + An attacker could exploit this vulnerability by modifying the Meraki registration parameters, + which could allow them to elevate privileges to root. + """ + # Extract the output of the command to check Meraki configuration + meraki_output = commands.check_meraki + + # Check if Meraki onboarding is configured + meraki_configured = 'meraki' in meraki_output + + # Assert that the device is not vulnerable + assert not meraki_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20029. " + "The device has Meraki onboarding feature enabled, " + "which could allow an attacker to elevate privileges to root. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-sABD8hcU" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320033.py b/CVEasy/Cisco/2023/cisco_xe/cve202320033.py new file mode 100644 index 00000000..879e054d --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320033.py @@ -0,0 +1,59 @@ +from comfy import high + + +@high( + name='rule_cve202320033', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_mgmt='show running-config | include interface GigabitEthernet0' + ), +) +def rule_cve202320033(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20033 vulnerability in Cisco IOS XE Software for + Catalyst 3650/3850 Series Switches. The vulnerability is due to improper resource + management when processing traffic received on the management interface. + An attacker could exploit this vulnerability by sending a high rate of traffic to + the management interface. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 16.3 versions + '16.3.1', '16.3.2', '16.3.3', '16.3.1a', '16.3.4', '16.3.5', '16.3.5b', + '16.3.6', '16.3.7', '16.3.8', '16.3.9', '16.3.10', '16.3.11', + # 16.4-16.9 versions + '16.4.1', '16.5.1', '16.5.1a', '16.6.1', '16.6.2', '16.6.3', '16.6.4', + '16.6.5', '16.6.4a', '16.6.6', '16.6.7', '16.6.8', '16.6.9', '16.6.10', + '16.7.1', '16.8.1', '16.8.1a', '16.8.1s', '16.9.1', '16.9.2', '16.9.1s', + '16.9.3', '16.9.4', '16.9.3a', '16.9.5', '16.9.6', '16.9.7', '16.9.8', + # 16.11-16.12 versions + '16.11.1', '16.11.2', '16.11.1s', '16.12.1', '16.12.1s', '16.12.2', + '16.12.3', '16.12.8', '16.12.4', '16.12.3s', '16.12.3a', '16.12.5', + '16.12.6', '16.12.5b', '16.12.6a', '16.12.7', '16.12.9' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check management interface configuration + mgmt_output = commands.check_mgmt + + # Check if management interface is configured + mgmt_configured = 'interface GigabitEthernet0' in mgmt_output + + # Assert that the device is not vulnerable + assert not mgmt_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20033. " + "The device is running a vulnerable version AND has management interface configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cat3k-dos-ZZA4Gb3r" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320035.py b/CVEasy/Cisco/2023/cisco_xe/cve202320035.py new file mode 100644 index 00000000..64f73331 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320035.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320035', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_sdwan='show running-config | include sdwan' + ), +) +def rule_cve202320035(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20035 vulnerability in Cisco IOS XE SD-WAN Software. + The vulnerability is due to insufficient input validation by the system CLI. + An attacker with privileges to run commands could exploit this vulnerability by submitting + crafted input to the system CLI, allowing them to execute commands with root-level privileges. + """ + # Extract the output of the command to check SD-WAN configuration + sdwan_output = commands.check_sdwan + + # Check if SD-WAN is configured + sdwan_configured = 'sdwan' in sdwan_output + + # Assert that the device is not vulnerable + assert not sdwan_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20035. " + "The device has SD-WAN configured with CLI access, " + "which could allow an attacker to execute arbitrary commands with root privileges. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-sdwan-VQAhEjYw" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320065.py b/CVEasy/Cisco/2023/cisco_xe/cve202320065.py new file mode 100644 index 00000000..7868db88 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320065.py @@ -0,0 +1,61 @@ +from comfy import high + + +@high( + name='rule_cve202320065', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_iox='show running-config | include iox' + ), +) +def rule_cve202320065(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20065 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient restrictions on the hosted application in the + Cisco IOx application hosting subsystem. An attacker could exploit this vulnerability + by logging in to and then escaping the Cisco IOx application container. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 16.4 versions + '16.4.1', '16.4.2', '16.4.3', + # 17.3 versions + '17.3.1', '17.3.2', '17.3.3', '17.3.1a', '17.3.1w', '17.3.2a', '17.3.1x', + '17.3.1z', '17.3.4', '17.3.5', '17.3.4a', '17.3.6', '17.3.4b', '17.3.4c', + '17.3.5a', '17.3.5b', + # 17.4-17.9 versions + '17.4.1', '17.4.2', '17.4.1a', '17.4.1b', '17.4.2a', + '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', + '17.6.1', '17.6.2', '17.6.1w', '17.6.1a', '17.6.1x', '17.6.3', '17.6.1y', + '17.6.1z', '17.6.3a', '17.6.4', '17.6.1z1', + '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', + '17.8.1', '17.8.1a', + '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.2a' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check IOx configuration + iox_output = commands.check_iox + + # Check if IOx is configured + iox_configured = 'iox' in iox_output + + # Assert that the device is not vulnerable + assert not iox_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20065. " + "The device is running a vulnerable version AND has IOx application hosting configured, " + "which could allow an attacker to elevate privileges to root. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-iox-priv-escalate-Xg8zkyPk" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320066.py b/CVEasy/Cisco/2023/cisco_xe/cve202320066.py new file mode 100644 index 00000000..fe5595f2 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320066.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320066', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|webui' + ), +) +def rule_cve202320066(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20066 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient security configuration in the web UI. + An attacker could exploit this vulnerability by sending a crafted request to the web UI, + allowing them to gain read access to files outside the filesystem mountpoint. + """ + # Extract the output of the command to check web UI configuration + webui_output = commands.check_webui + + # Check if web UI is enabled + webui_enabled = any(service in webui_output for service in ['ip http', 'webui']) + + # Assert that the device is not vulnerable + assert not webui_enabled, ( + f"Device {device.name} is vulnerable to CVE-2023-20066. " + "The device has web UI enabled, which could allow an attacker to access files " + "outside the filesystem mountpoint through path traversal. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-pthtrv-es7GSb9V" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320067.py b/CVEasy/Cisco/2023/cisco_xe/cve202320067.py new file mode 100644 index 00000000..99a14000 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320067.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202320067', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_wlc='show running-config | include wireless|http client' + ), +) +def rule_cve202320067(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20067 vulnerability in Cisco IOS XE Software for Wireless LAN Controllers. + The vulnerability is due to insufficient input validation of received traffic in the " + "HTTP-based client profiling feature. + An attacker could exploit this vulnerability by sending crafted traffic through a wireless access point, + causing high CPU utilization and a denial of service condition. + """ + # Extract the output of the command to check WLC and HTTP client profiling configuration + wlc_output = commands.check_wlc + + # Check if WLC and HTTP client profiling are configured + wlc_configured = 'wireless' in wlc_output and 'http client' in wlc_output + + # Assert that the device is not vulnerable + assert not wlc_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20067. " + "The device has wireless LAN controller and HTTP client profiling enabled, " + "which could allow an attacker to cause a denial of service condition. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-dos-wFujBHKw" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320072.py b/CVEasy/Cisco/2023/cisco_xe/cve202320072.py new file mode 100644 index 00000000..fdc3b154 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320072.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320072', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_tunnel='show running-config | include tunnel|gre' + ), +) +def rule_cve202320072(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20072 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper handling of large fragmented tunnel protocol packets. + An attacker could exploit this vulnerability by sending crafted fragmented packets to an affected system, + causing it to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check tunnel configuration + tunnel_output = commands.check_tunnel + + # Check if any tunnel protocols (like GRE) are configured + tunnel_configured = any(protocol in tunnel_output for protocol in ['tunnel', 'gre']) + + # Assert that the device is not vulnerable + assert not tunnel_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20072. " + "The device has tunnel protocols configured (e.g., GRE), " + "which could allow an attacker to cause a denial of service through crafted fragmented packets. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-gre-crash-p6nE5Sq5" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320082.py b/CVEasy/Cisco/2023/cisco_xe/cve202320082.py new file mode 100644 index 00000000..01596507 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320082.py @@ -0,0 +1,40 @@ +from comfy import high + + +@high( + name='rule_cve202320082', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis' + ), +) +def rule_cve202320082(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20082 vulnerability in Cisco IOS XE Software + for Catalyst 9300 Series Switches. The vulnerability is due to errors that occur + when retrieving the public release key used for image signature verification. + An attacker could exploit this vulnerability by modifying specific variables in the + SPI flash memory, allowing them to execute persistent code at boot time and break + the chain of trust. + """ + # Extract the output of the command to check platform type + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9300 Series Switch + is_cat9300 = 'C9300' in platform_output + + # Extract the version information from the command output + version_output = commands.show_version + + # Check if version is before 16.11.1 (more vulnerable) + version_pre_16_11_1 = not any(ver in version_output for ver in ['16.11.1', '16.12', '17.']) + + # Assert that the device is not vulnerable + assert not (is_cat9300 and version_pre_16_11_1), ( + f"Device {device.name} is vulnerable to CVE-2023-20082. " + "The device is a Catalyst 9300 Series Switch running a version before 16.11.1, " + "which could allow an attacker to execute persistent code at boot time. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9300-spi-ace-yejYgnNQ" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320100.py b/CVEasy/Cisco/2023/cisco_xe/cve202320100.py new file mode 100644 index 00000000..058d47b6 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320100.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202320100', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_capwap='show running-config | include wireless|capwap' + ), +) +def rule_cve202320100(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20100 vulnerability in Cisco IOS XE Software for Wireless LAN Controllers. + The vulnerability is due to a logic error in the access point (AP) joining process of the Control and + Provisioning of Wireless Access Points (CAPWAP) protocol. An attacker could exploit this vulnerability + by adding a malicious AP to the network and causing specific conditions during the AP joining process. + """ + # Extract the output of the command to check CAPWAP/wireless configuration + capwap_output = commands.check_capwap + + # Check if wireless/CAPWAP is configured + wireless_configured = 'wireless' in capwap_output and 'capwap' in capwap_output + + # Assert that the device is not vulnerable + assert not wireless_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20100. " + "The device has wireless LAN controller and CAPWAP configured, " + "which could allow an attacker to cause a denial of service through the AP joining process. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-c9800-apjoin-dos-nXRHkt5" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320187.py b/CVEasy/Cisco/2023/cisco_xe/cve202320187.py new file mode 100644 index 00000000..3ae0e266 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320187.py @@ -0,0 +1,63 @@ +from comfy import high + + +@high( + name='rule_cve202320187', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include ASR1', + check_ipv6='show running-config | include ipv6 multicast' + ), +) +def rule_cve202320187(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20187 vulnerability in Cisco IOS XE Software for ASR 1000 Series routers. + The vulnerability is due to incorrect handling of certain IPv6 multicast packets when they are fanned out + more than seven times on an affected device. An attacker could exploit this vulnerability by sending + specific IPv6 multicast or IPv6 multicast VPN (MVPNv6) packets through the affected device. + """ + # Extract the output of the command to check platform type + platform_output = commands.check_platform + + # Check if the device is an ASR 1000 Series router + is_asr1000 = 'ASR1' in platform_output + + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + '3.7.1S', '3.7.2S', '3.7.3S', '3.7.4S', '3.7.5S', '3.7.6S', '3.7.7S', '3.7.2tS', + '3.8.0S', '3.8.1S', '3.8.2S', '3.9.0S', '3.9.1S', '3.9.2S', + '3.10.0S', '3.10.1S', '3.10.2S', '3.10.3S', '3.10.4S', '3.10.5S', '3.10.6S', + '3.10.7S', '3.10.8S', '3.10.9S', '3.10.10S', '3.10.1xbS', '3.10.8aS', + '3.11.0S', '3.11.1S', '3.11.2S', '3.11.3S', '3.11.4S', + '3.12.0S', '3.12.1S', '3.12.2S', '3.12.3S', '3.12.4S', + '3.13.0S', '3.13.1S', '3.13.2S', '3.13.3S', '3.13.4S', '3.13.5S', '3.13.2aS', + '3.13.5aS', '3.13.6S', '3.13.7S', '3.13.6aS', '3.13.8S', '3.13.9S', '3.13.10S', + '3.14.0S', '3.14.1S', '3.14.2S', '3.14.3S', '3.14.4S', + '3.15.0S', '3.15.1S', '3.15.2S', '3.15.3S', '3.15.4S', + '3.16.0S', '3.16.1aS', '3.16.2S', '3.16.3S', '3.16.2bS', '3.16.4aS', '3.16.4bS', + '3.16.5S', '3.16.6S', '3.16.7S', '3.16.6bS', '3.16.7aS', '3.16.7bS', '3.16.8S', + '3.16.9S', '3.16.10S', + '3.17.0S', '3.17.1S', '3.17.2S', '3.17.1aS', '3.17.3S', '3.17.4S' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # Extract the output of the command to check IPv6 multicast configuration + ipv6_output = commands.check_ipv6 + + # Check if IPv6 multicast is configured + ipv6_multicast_configured = 'ipv6 multicast' in ipv6_output + + # Assert that the device is not vulnerable + assert not (is_asr1000 and version_vulnerable and ipv6_multicast_configured), ( + f"Device {device.name} is vulnerable to CVE-2023-20187. " + "The device is an ASR 1000 Series router running a vulnerable version with IPv6 multicast configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-mlre-H93FswRz" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320198.py b/CVEasy/Cisco/2023/cisco_xe/cve202320198.py new file mode 100644 index 00000000..e97ecf90 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320198.py @@ -0,0 +1,77 @@ +from comfy import high + + +@high( + name='rule_cve202320198', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|webui' + ), +) +def rule_cve202320198(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20198 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient protection of the web UI feature, which could allow + an unauthenticated, remote attacker to gain privileged access. This vulnerability has been + actively exploited in the wild and has a CVSS score of 10.0 (Critical). + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 16.1-16.3 versions + '16.1.1', '16.1.2', '16.1.3', '16.2.1', '16.2.2', + '16.3.1', '16.3.2', '16.3.3', '16.3.1a', '16.3.4', '16.3.5', '16.3.5b', + '16.3.6', '16.3.7', '16.3.8', '16.3.9', '16.3.10', '16.3.11', + # 16.4-16.9 versions + '16.4.1', '16.4.2', '16.4.3', '16.5.1', '16.5.1a', '16.5.1b', '16.5.2', '16.5.3', + '16.6.1', '16.6.2', '16.6.3', '16.6.4', '16.6.5', '16.6.4a', '16.6.5a', '16.6.6', + '16.6.7', '16.6.8', '16.6.9', '16.6.10', '16.7.1', '16.7.1a', '16.7.1b', '16.7.2', + '16.7.3', '16.7.4', '16.8.1', '16.8.1a', '16.8.1b', '16.8.1s', '16.8.1c', '16.8.1d', + '16.8.2', '16.8.1e', '16.8.3', '16.9.1', '16.9.2', '16.9.1a', '16.9.1b', '16.9.1s', + '16.9.3', '16.9.4', '16.9.3a', '16.9.5', '16.9.5f', '16.9.6', '16.9.7', '16.9.8', + # 16.10-16.12 versions + '16.10.1', '16.10.1a', '16.10.1b', '16.10.1s', '16.10.1c', '16.10.1e', '16.10.1d', + '16.10.2', '16.10.1f', '16.10.1g', '16.10.3', '16.11.1', '16.11.1a', '16.11.1b', + '16.11.2', '16.11.1s', '16.12.1', '16.12.1s', '16.12.1a', '16.12.1c', '16.12.1w', + '16.12.2', '16.12.1y', '16.12.2a', '16.12.3', '16.12.8', '16.12.2s', '16.12.1x', + '16.12.1t', '16.12.4', '16.12.3s', '16.12.3a', '16.12.4a', '16.12.5', '16.12.6', + '16.12.1z1', '16.12.5a', '16.12.5b', '16.12.1z2', '16.12.6a', '16.12.7', '16.12.9', + '16.12.10', + # 17.1-17.12 versions + '17.1.1', '17.1.1a', '17.1.1s', '17.1.1t', '17.1.3', '17.2.1', '17.2.1r', '17.2.1a', + '17.2.1v', '17.2.2', '17.2.3', '17.3.1', '17.3.2', '17.3.3', '17.3.1a', '17.3.1w', + '17.3.2a', '17.3.1x', '17.3.1z', '17.3.4', '17.3.5', '17.3.4a', '17.3.6', '17.3.4b', + '17.3.4c', '17.3.5a', '17.3.5b', '17.3.7', '17.3.8', '17.4.1', '17.4.2', '17.4.1a', + '17.4.1b', '17.4.2a', '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', '17.6.1', '17.6.2', + '17.6.1w', '17.6.1a', '17.6.1x', '17.6.3', '17.6.1y', '17.6.1z', '17.6.3a', '17.6.4', + '17.6.1z1', '17.6.5', '17.6.6', '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', '17.8.1', + '17.8.1a', '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.1x', '17.9.1y', '17.9.3', + '17.9.2a', '17.9.1x1', '17.9.3a', '17.9.4', '17.9.1y1', '17.10.1', '17.10.1a', + '17.10.1b', '17.11.1', '17.11.1a', '17.12.1', '17.12.1a', '17.11.99SW' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check web UI configuration + webui_output = commands.check_webui + + # Check if web UI is enabled + webui_enabled = any(service in webui_output for service in ['ip http', 'webui']) + + # Assert that the device is not vulnerable + assert not webui_enabled, ( + f"Device {device.name} is vulnerable to CVE-2023-20198. " + "The device is running a vulnerable version AND has web UI enabled, " + "which could allow an attacker to gain privileged access. This vulnerability is being actively exploited. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-iosxe-webui-privesc-j22SaA4z" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320202.py b/CVEasy/Cisco/2023/cisco_xe/cve202320202.py new file mode 100644 index 00000000..05ff7fca --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320202.py @@ -0,0 +1,51 @@ +from comfy import high + + +@high( + name='rule_cve202320202', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_wncd='show running-config | include wireless|wncd' + ), +) +def rule_cve202320202(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20202 vulnerability in Cisco IOS XE Software for Wireless LAN Controllers. + The vulnerability is due to improper memory management in the Wireless Network Control daemon (wncd). + An attacker could exploit this vulnerability by sending a series of network requests to an affected device, + causing the wncd process to consume available memory and eventually cause the device to reload. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 17.9 versions + '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.1x', '17.9.1y', + '17.9.2a', '17.9.1x1', + # 17.10 versions + '17.10.1', '17.10.1a', '17.10.1b' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check WNCD configuration + wncd_output = commands.check_wncd + + # Check if wireless/WNCD is configured + wireless_configured = 'wireless' in wncd_output and 'wncd' in wncd_output + + # Assert that the device is not vulnerable + assert not wireless_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20202. " + "The device is running a vulnerable version AND has wireless LAN controller with WNCD configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-wncd-HFGMsfSD" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320226.py b/CVEasy/Cisco/2023/cisco_xe/cve202320226.py new file mode 100644 index 00000000..1c88984b --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320226.py @@ -0,0 +1,54 @@ +from comfy import high + + +@high( + name='rule_cve202320226', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_appqoe_utd='show running-config | include appqoe|utd' + ), +) +def rule_cve202320226(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20226 vulnerability in Cisco IOS XE Software. + The vulnerability is due to the mishandling of a crafted packet stream through the AppQoE or UTD application. + An attacker could exploit this vulnerability by sending a crafted packet stream through an affected device, + causing it to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 17.7 versions + '17.7.1', '17.7.1a', '17.7.2', + # 17.8 versions + '17.8.1', '17.8.1a', + # 17.9 versions + '17.9.1', '17.9.2', '17.9.1a', '17.9.2a', + # 17.10 versions + '17.10.1', '17.10.1a' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check AppQoE and UTD configuration + appqoe_utd_output = commands.check_appqoe_utd + + # Check if AppQoE or UTD is configured + features_configured = any(feature in appqoe_utd_output for feature in ['appqoe', 'utd']) + + # Assert that the device is not vulnerable + assert not features_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20226. " + "The device is running a vulnerable version AND has AppQoE or UTD configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-appqoe-utd-dos-p8O57p5y" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320227.py b/CVEasy/Cisco/2023/cisco_xe/cve202320227.py new file mode 100644 index 00000000..5e7a3547 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320227.py @@ -0,0 +1,67 @@ +from comfy import high + + +@high( + name='rule_cve202320227', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_l2tp='show running-config | include vpdn|l2tp' + ), +) +def rule_cve202320227(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20227 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper handling of certain L2TP packets. An attacker could + exploit this vulnerability by sending crafted L2TP packets to an affected device, causing + it to reload unexpectedly and resulting in a denial of service (DoS) condition. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 16.8-16.9 versions + '16.8.1', '16.8.1a', '16.8.1b', '16.8.1s', '16.8.1c', '16.8.1d', + '16.8.2', '16.8.1e', '16.8.3', '16.9.1', '16.9.2', '16.9.1a', + '16.9.1b', '16.9.1s', '16.9.3', '16.9.4', '16.9.5', '16.9.5f', + '16.9.6', '16.9.7', '16.9.8', + # 16.10-16.12 versions + '16.10.1', '16.10.1a', '16.10.1b', '16.10.1s', '16.10.1c', '16.10.1e', + '16.10.1d', '16.10.2', '16.10.1f', '16.10.1g', '16.10.3', '16.11.1', + '16.11.1a', '16.11.1b', '16.11.2', '16.11.1s', '16.12.1', '16.12.1s', + '16.12.1a', '16.12.1c', '16.12.1w', '16.12.2', '16.12.1y', '16.12.2a', + '16.12.3', '16.12.8', '16.12.2s', '16.12.1x', '16.12.1t', '16.12.4', + '16.12.3s', '16.12.4a', '16.12.5', '16.12.6', '16.12.1z1', '16.12.5a', + '16.12.1z2', '16.12.6a', '16.12.7', '16.12.10a', + # 17.1-17.5 versions + '17.1.1', '17.1.1a', '17.1.1s', '17.1.1t', '17.1.3', '17.2.1', '17.2.1r', + '17.2.1a', '17.2.1v', '17.2.2', '17.2.3', '17.3.1', '17.3.2', '17.3.3', + '17.3.1a', '17.3.1w', '17.3.2a', '17.3.1x', '17.3.1z', '17.3.4', '17.3.5', + '17.3.4a', '17.3.6', '17.3.4c', '17.3.5a', '17.3.5b', '17.3.7', '17.4.1', + '17.4.2', '17.4.1a', '17.4.1b', '17.4.2a', '17.5.1', '17.5.1a', '17.5.1b', + '17.5.1c' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check L2TP configuration + l2tp_output = commands.check_l2tp + + # Check if L2TP is configured + l2tp_configured = any(feature in l2tp_output for feature in ['vpdn', 'l2tp']) + + # Assert that the device is not vulnerable + assert not l2tp_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20227. " + "The device is running a vulnerable version AND has L2TP configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-ios-xe-l2tp-dos-eB5tuFmV" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320231.py b/CVEasy/Cisco/2023/cisco_xe/cve202320231.py new file mode 100644 index 00000000..68ad720a --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320231.py @@ -0,0 +1,65 @@ +from comfy import high + + +@high( + name='rule_cve202320231', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|webui|lobby' + ), +) +def rule_cve202320231(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20231 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation in the web UI. An attacker could + exploit this vulnerability by sending crafted input to the web UI using Lobby Ambassador credentials, + allowing them to execute arbitrary Cisco IOS XE Software CLI commands with level 15 privileges. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 16.12 versions + '16.12.4', '16.12.4a', '16.12.5', '16.12.5a', '16.12.5b', '16.12.6', + '16.12.6a', '16.12.7', '16.12.8', '16.12.9', + # 17.2-17.3 versions + '17.2.2', '17.2.3', '17.3.1', '17.3.1a', '17.3.1w', '17.3.1x', '17.3.1z', + '17.3.2', '17.3.2a', '17.3.3', '17.3.4', '17.3.4a', '17.3.4b', '17.3.4c', + '17.3.5', '17.3.5a', '17.3.5b', '17.3.6', + # 17.4-17.6 versions + '17.4.1', '17.4.1a', '17.4.1b', '17.4.2', '17.4.2a', + '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', + '17.6.1', '17.6.1a', '17.6.1w', '17.6.1x', '17.6.1y', '17.6.1z', '17.6.1z1', + '17.6.2', '17.6.3', '17.6.3a', '17.6.4', '17.6.5', '17.6.5a', + # 17.7-17.10 versions + '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', + '17.8.1', '17.8.1a', + '17.9.1', '17.9.1a', '17.9.1w', '17.9.1x', '17.9.1x1', '17.9.1y', '17.9.2', + '17.9.2a', + '17.10.1', '17.10.1a', '17.10.1b' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check web UI and Lobby Ambassador configuration + webui_output = commands.check_webui + + # Check if web UI and Lobby Ambassador are configured + webui_enabled = any(service in webui_output for service in ['ip http', 'webui']) + lobby_configured = 'lobby' in webui_output + + # Assert that the device is not vulnerable + assert not (webui_enabled and lobby_configured), ( + f"Device {device.name} is vulnerable to CVE-2023-20231. " + "The device is running a vulnerable version AND has web UI with Lobby Ambassador configured, " + "which could allow an attacker to execute arbitrary commands with elevated privileges. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-cmdij-FzZAeXAy" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320235.py b/CVEasy/Cisco/2023/cisco_xe/cve202320235.py new file mode 100644 index 00000000..2b7eafc6 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320235.py @@ -0,0 +1,63 @@ +from comfy import high + + +@high( + name='rule_cve202320235', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_iox='show running-config | include iox|app-hosting' + ), +) +def rule_cve202320235(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20235 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient protection of the on-device application development + workflow feature in the Cisco IOx application hosting infrastructure. An attacker could + exploit this vulnerability by using Docker CLI to access the underlying operating system + as the root user. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 17.3 versions + '17.3.1', '17.3.2', '17.3.3', '17.3.1a', '17.3.1w', '17.3.2a', '17.3.1x', + '17.3.1z', '17.3.4', '17.3.5', '17.3.4a', '17.3.6', '17.3.4b', '17.3.4c', + '17.3.5a', '17.3.5b', '17.3.7', + # 17.4-17.6 versions + '17.4.1', '17.4.2', '17.4.1a', '17.4.1b', '17.4.2a', + '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', + '17.6.1', '17.6.2', '17.6.1w', '17.6.1a', '17.6.1x', '17.6.3', '17.6.1y', + '17.6.1z', '17.6.3a', '17.6.4', '17.6.1z1', '17.6.5', '17.6.5a', + # 17.7-17.12 versions + '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', + '17.8.1', '17.8.1a', + '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.1x', '17.9.1y', '17.9.3', + '17.9.2a', '17.9.1x1', '17.9.3a', '17.9.4', '17.9.1y1', '17.9.4a', + '17.10.1', '17.10.1a', '17.10.1b', + '17.11.1', '17.11.1a', '17.12.1', '17.12.1a', '17.11.99SW' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check IOx configuration + iox_output = commands.check_iox + + # Check if IOx or app-hosting is configured + iox_configured = any(feature in iox_output for feature in ['iox', 'app-hosting']) + + # Assert that the device is not vulnerable + assert not iox_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20235. " + "The device is running a vulnerable version AND has IOx/app-hosting configured, " + "which could allow an attacker to gain root access to the underlying operating system. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rdocker-uATbukKn" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320273.py b/CVEasy/Cisco/2023/cisco_xe/cve202320273.py new file mode 100644 index 00000000..9cd3613a --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320273.py @@ -0,0 +1,79 @@ +from comfy import high + + +@high( + name='rule_cve202320273', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|webui' + ), +) +def rule_cve202320273(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20273 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation in the web UI feature. + An authenticated, remote attacker could exploit this vulnerability by sending crafted + input to the web UI, allowing them to inject commands to the underlying operating system + with root privileges. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 16.1-16.3 versions + '16.1.1', '16.1.2', '16.1.3', '16.2.1', '16.2.2', + '16.3.1', '16.3.2', '16.3.3', '16.3.1a', '16.3.4', '16.3.5', '16.3.5b', + '16.3.6', '16.3.7', '16.3.8', '16.3.9', '16.3.10', '16.3.11', + # 16.4-16.9 versions + '16.4.1', '16.4.2', '16.4.3', '16.5.1', '16.5.1a', '16.5.1b', '16.5.2', '16.5.3', + '16.6.1', '16.6.2', '16.6.3', '16.6.4', '16.6.5', '16.6.4a', '16.6.5a', '16.6.6', + '16.6.7', '16.6.8', '16.6.9', '16.6.10', '16.7.1', '16.7.1a', '16.7.1b', '16.7.2', + '16.7.3', '16.7.4', '16.8.1', '16.8.1a', '16.8.1b', '16.8.1s', '16.8.1c', '16.8.1d', + '16.8.2', '16.8.1e', '16.8.3', '16.9.1', '16.9.2', '16.9.1a', '16.9.1b', '16.9.1s', + '16.9.3', '16.9.4', '16.9.3a', '16.9.5', '16.9.5f', '16.9.6', '16.9.7', '16.9.8', + # 16.10-16.12 versions + '16.10.1', '16.10.1a', '16.10.1b', '16.10.1s', '16.10.1c', '16.10.1e', '16.10.1d', + '16.10.2', '16.10.1f', '16.10.1g', '16.10.3', '16.11.1', '16.11.1a', '16.11.1b', + '16.11.2', '16.11.1s', '16.12.1', '16.12.1s', '16.12.1a', '16.12.1c', '16.12.1w', + '16.12.2', '16.12.1y', '16.12.2a', '16.12.3', '16.12.8', '16.12.2s', '16.12.1x', + '16.12.1t', '16.12.4', '16.12.3s', '16.12.3a', '16.12.4a', '16.12.5', '16.12.6', + '16.12.1z1', '16.12.5a', '16.12.5b', '16.12.1z2', '16.12.6a', '16.12.7', '16.12.9', + '16.12.10', + # 17.1-17.12 versions + '17.1.1', '17.1.1a', '17.1.1s', '17.1.1t', '17.1.3', '17.2.1', '17.2.1r', '17.2.1a', + '17.2.1v', '17.2.2', '17.2.3', '17.3.1', '17.3.2', '17.3.3', '17.3.1a', '17.3.1w', + '17.3.2a', '17.3.1x', '17.3.1z', '17.3.4', '17.3.5', '17.3.4a', '17.3.6', '17.3.4b', + '17.3.4c', '17.3.5a', '17.3.5b', '17.3.7', '17.3.8', '17.4.1', '17.4.2', '17.4.1a', + '17.4.1b', '17.4.2a', '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', '17.6.1', '17.6.2', + '17.6.1w', '17.6.1a', '17.6.1x', '17.6.3', '17.6.1y', '17.6.1z', '17.6.3a', '17.6.4', + '17.6.1z1', '17.6.5', '17.6.6', '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', '17.8.1', + '17.8.1a', '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.1x', '17.9.1y', '17.9.3', + '17.9.2a', '17.9.1x1', '17.9.3a', '17.9.4', '17.9.1y1', '17.10.1', '17.10.1a', + '17.10.1b', '17.11.1', '17.11.1a', '17.12.1', '17.12.1a', '17.11.99SW' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check web UI configuration + webui_output = commands.check_webui + + # Check if web UI is enabled + webui_enabled = any(service in webui_output for service in ['ip http', 'webui']) + + # Assert that the device is not vulnerable + assert not webui_enabled, ( + f"Device {device.name} is vulnerable to CVE-2023-20273. " + "The device is running a vulnerable version AND has web UI enabled, " + "which could allow an authenticated attacker to execute arbitrary commands with root privileges. " + "This vulnerability is being actively exploited. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-iosxe-webui-privesc-j22SaA4z" + ) diff --git a/CVEasy/Cisco/2023/cisco_xr/__init__.py b/CVEasy/Cisco/2023/cisco_xr/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2023/cisco_xr/cve202320049.py b/CVEasy/Cisco/2023/cisco_xr/cve202320049.py new file mode 100644 index 00000000..22870325 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xr/cve202320049.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320049', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_bfd='show running-config | include bfd' + ), +) +def rule_cve202320049(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20049 vulnerability in Cisco IOS XR Software for ASR 9000 Series Routers. + The vulnerability is due to incorrect handling of malformed BFD packets that are received on line cards + where the BFD hardware offload feature is enabled. An attacker could exploit this vulnerability by sending + a crafted IPv4 BFD packet to an affected device, causing a line card to reset and resulting in a DoS condition. + """ + # Extract the output of the command to check BFD configuration + bfd_output = commands.check_bfd + + # Check if BFD hardware offload is configured + bfd_hardware_offload_configured = 'bfd' in bfd_output + + # Assert that the device is not vulnerable + assert not bfd_hardware_offload_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20049. " + "The device has BFD hardware offload configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bfd-XmRescbT" + ) diff --git a/CVEasy/Cisco/2023/cisco_xr/cve202320064.py b/CVEasy/Cisco/2023/cisco_xr/cve202320064.py new file mode 100644 index 00000000..6155a526 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xr/cve202320064.py @@ -0,0 +1,31 @@ +from comfy import high + + +@high( + name='rule_cve202320064', + platform=['cisco_xr'], + commands=dict( + check_grub='show running-config | include grub' + ), +) +def rule_cve202320064(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20064 vulnerability in Cisco IOS XR Software. + The vulnerability is due to the inclusion of unnecessary commands within the GRUB environment + that allow sensitive files to be viewed. An attacker could exploit this vulnerability by being + connected to the console port of the Cisco IOS XR device when the device is power-cycled. + """ + # Extract the output of the command to check GRUB configuration + grub_output = commands.check_grub + + # Check if GRUB configuration is present + grub_configured = 'grub' in grub_output + + # Assert that the device is not vulnerable + assert not grub_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20064. " + "The device has GRUB configuration that could allow an attacker to view sensitive files. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-iosxr-load-infodisc-9rdOr5Fq" + ) diff --git a/CVEasy/Cisco/2023/cisco_xr/cve202320135.py b/CVEasy/Cisco/2023/cisco_xr/cve202320135.py new file mode 100644 index 00000000..65590181 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xr/cve202320135.py @@ -0,0 +1,56 @@ +from comfy import high + + +@high( + name='rule_cve202320135', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_install='show install active summary' + ), +) +def rule_cve202320135(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20135 vulnerability in Cisco IOS XR Software. + The vulnerability is due to a time-of-check, time-of-use (TOCTOU) race condition when an install query + regarding an ISO image is performed during an install operation that uses an ISO image. + An attacker could exploit this vulnerability by modifying an ISO image and then carrying out install + requests in parallel. + A successful exploit could allow the attacker to execute arbitrary code on an affected device. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 7.5 versions + '7.5.2', '7.5.3', '7.5.4', + # 7.7 versions + '7.7.1', '7.7.2', '7.7.21', + # 7.8 versions + '7.8.1', '7.8.2', + # 7.9 versions + '7.9.1', '7.9.2' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check install configuration + install_output = commands.check_install + + # Check if any suspicious install operations are present + install_issue_detected = 'install' in install_output + + # Assert that the device is not vulnerable + assert not install_issue_detected, ( + f"Device {device.name} is vulnerable to CVE-2023-20135. " + "The device is running a vulnerable version AND has suspicious install operations, " + "which could allow an attacker to execute arbitrary code. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lnt-L9zOkBz5" + ) diff --git a/CVEasy/Cisco/2023/cisco_xr/cve202320190.py b/CVEasy/Cisco/2023/cisco_xr/cve202320190.py new file mode 100644 index 00000000..53c1642a --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xr/cve202320190.py @@ -0,0 +1,90 @@ +from comfy import high + + +@high( + name='rule_cve202320190', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_acl='show running-config | include ipv4 access-list' + ), +) +def rule_cve202320190(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20190 vulnerability in Cisco IOS XR Software. + The vulnerability is due to incorrect destination address range encoding in the compression module + of an ACL that is applied to an interface of an affected device. An attacker could exploit this + vulnerability by sending traffic through the affected device that should be denied by the configured ACL. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 5.2 versions + '5.2.0', '5.2.1', '5.2.2', '5.2.3', '5.2.4', '5.2.5', '5.2.47', + # 5.3 versions + '5.3.0', '5.3.1', '5.3.2', '5.3.3', '5.3.4', + # 6.0 versions + '6.0.0', '6.0.1', '6.0.2', + # 6.1 versions + '6.1.1', '6.1.2', '6.1.3', '6.1.4', '6.1.12', '6.1.22', '6.1.32', + '6.1.36', '6.1.42', + # 6.2 versions + '6.2.1', '6.2.2', '6.2.3', '6.2.25', '6.2.11', + # 6.3 versions + '6.3.2', '6.3.3', '6.3.15', + # 6.4 versions + '6.4.1', '6.4.2', '6.4.3', + # 6.5 versions + '6.5.1', '6.5.2', '6.5.3', '6.5.25', '6.5.26', '6.5.28', '6.5.29', + '6.5.32', '6.5.33', + # 6.6 versions + '6.6.2', '6.6.3', '6.6.25', '6.6.4', + # 6.7 versions + '6.7.1', '6.7.2', '6.7.3', '6.7.4', + # 6.8 versions + '6.8.1', '6.8.2', + # 6.9 versions + '6.9.1', '6.9.2', + # 7.0 versions + '7.0.1', '7.0.2', '7.0.12', '7.0.14', + # 7.1 versions + '7.1.1', '7.1.15', '7.1.2', '7.1.3', + # 7.2 versions + '7.2.0', '7.2.1', '7.2.2', + # 7.3 versions + '7.3.1', '7.3.15', '7.3.2', '7.3.3', + # 7.4 versions + '7.4.1', '7.4.2', + # 7.5 versions + '7.5.1', '7.5.2', '7.5.3', + # 7.6 versions + '7.6.1', '7.6.2', + # 7.7 versions + '7.7.1', '7.7.2', + # 7.8 versions + '7.8.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check ACL configuration + acl_output = commands.check_acl + + # Check if ACL is configured + acl_configured = 'ipv4 access-list' in acl_output + + # Assert that the device is not vulnerable + assert not acl_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20190. " + "The device is running a vulnerable version AND has ACLs configured, " + "which could allow an attacker to bypass ACL protections. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-comp3acl-vGmp6BQ3" + ) diff --git a/CVEasy/Cisco/2023/cisco_xr/cve202320191.py b/CVEasy/Cisco/2023/cisco_xr/cve202320191.py new file mode 100644 index 00000000..55f1d91b --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xr/cve202320191.py @@ -0,0 +1,72 @@ +from comfy import high + + +@high( + name='rule_cve202320191', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_mpls_acl='show running-config | include mpls|access-list' + ), +) +def rule_cve202320191(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20191 vulnerability in Cisco IOS XR Software. + The vulnerability is due to incomplete support for ACL processing on MPLS interfaces in the ingress direction. + An attacker could exploit this vulnerability by attempting to send traffic through an affected device, + which could allow the attacker to bypass an ACL on the affected device. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 6.4 versions + '6.4.1', + # 6.5 versions + '6.5.1', '6.5.2', '6.5.3', + # 6.6 versions + '6.6.2', '6.6.3', '6.6.25', '6.6.4', + # 7.0 versions + '7.0.1', '7.0.2', + # 7.1 versions + '7.1.1', '7.1.2', + # 7.2 versions + '7.2.1', '7.2.2', + # 7.3 versions + '7.3.1', '7.3.2', '7.3.3', '7.3.5', + # 7.4 versions + '7.4.1', '7.4.2', + # 7.5 versions + '7.5.1', '7.5.2', '7.5.3', '7.5.4', + # 7.6 versions + '7.6.1', '7.6.2', + # 7.7 versions + '7.7.1', '7.7.2', + # 7.8 versions + '7.8.1', '7.8.2', + # 7.9 versions + '7.9.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check MPLS and ACL configuration + mpls_acl_output = commands.check_mpls_acl + + # Check if MPLS and ACL are configured + mpls_acl_configured = 'mpls' in mpls_acl_output and 'access-list' in mpls_acl_output + + # Assert that the device is not vulnerable + assert not mpls_acl_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20191. " + "The device is running a vulnerable version AND has ACLs configured on MPLS interfaces, " + "which could allow an attacker to bypass ACL protections. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnx-acl-PyzDkeYF" + ) diff --git a/CVEasy/Cisco/2023/cisco_xr/cve202320233.py b/CVEasy/Cisco/2023/cisco_xr/cve202320233.py new file mode 100644 index 00000000..3f5975a8 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xr/cve202320233.py @@ -0,0 +1,84 @@ +from comfy import high + + +@high( + name='rule_cve202320233', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_cfm='show running-config | include ethernet cfm' + ), +) +def rule_cve202320233(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20233 vulnerability in Cisco IOS XR Software. + The vulnerability is due to incorrect processing of invalid continuity check messages (CCMs). + An attacker could exploit this vulnerability by sending crafted CCMs to an affected device, + causing the CFM service to crash when a user displays information about maintenance end points (MEPs). + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 5.2 versions + '5.2.0', '5.2.1', '5.2.2', '5.2.3', '5.2.4', '5.2.5', + # 5.3 versions + '5.3.0', '5.3.1', '5.3.2', '5.3.3', '5.3.4', + # 6.1 versions + '6.1.1', '6.1.2', '6.1.3', '6.1.4', + # 6.2 versions + '6.2.1', '6.2.2', '6.2.3', '6.2.25', + # 6.3 versions + '6.3.2', '6.3.3', '6.3.15', + # 6.4 versions + '6.4.1', '6.4.2', '6.4.3', + # 6.5 versions + '6.5.1', '6.5.2', + # 6.6 versions + '6.6.2', '6.6.3', '6.6.25', '6.6.4', + # 6.7 versions + '6.7.1', '6.7.2', '6.7.3', '6.7.4', + # 6.8 versions + '6.8.1', '6.8.2', + # 6.9 versions + '6.9.1', '6.9.2', + # 7.0 versions + '7.0.1', '7.0.2', + # 7.1 versions + '7.1.1', '7.1.15', '7.1.2', '7.1.3', + # 7.2 versions + '7.2.1', '7.2.2', + # 7.3 versions + '7.3.1', '7.3.2', '7.3.3', + # 7.4 versions + '7.4.1', '7.4.2', + # 7.5 versions + '7.5.1', '7.5.2', '7.5.3', + # 7.6 versions + '7.6.1', '7.6.2', + # 7.7 versions + '7.7.1', '7.7.2' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check CFM configuration + cfm_output = commands.check_cfm + + # Check if CFM is configured + cfm_configured = 'ethernet cfm' in cfm_output + + # Assert that the device is not vulnerable + assert not cfm_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20233. " + "The device is running a vulnerable version AND has CFM configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xr-cfm-3pWN8MKt" + ) diff --git a/CVEasy/Cisco/2023/cisco_xr/cve202320236.py b/CVEasy/Cisco/2023/cisco_xr/cve202320236.py new file mode 100644 index 00000000..35751d2f --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xr/cve202320236.py @@ -0,0 +1,93 @@ +from comfy import high + + +@high( + name='rule_cve202320236', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_ipxe='show running-config | include ipxe' + ), +) +def rule_cve202320236(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20236 vulnerability in Cisco IOS XR Software. + The vulnerability is due to insufficient image verification in the iPXE boot function. + An attacker could exploit this vulnerability by manipulating the boot parameters for image + verification during the iPXE boot process, allowing them to install an unverified software image. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 5.2 versions + '5.2.0', '5.2.1', '5.2.2', '5.2.3', '5.2.4', '5.2.5', '5.2.47', + # 5.3 versions + '5.3.0', '5.3.1', '5.3.2', '5.3.3', '5.3.4', + # 6.0 versions + '6.0.0', '6.0.1', '6.0.2', + # 6.1 versions + '6.1.1', '6.1.2', '6.1.3', '6.1.4', '6.1.12', '6.1.22', '6.1.32', + '6.1.36', '6.1.42', + # 6.2 versions + '6.2.1', '6.2.2', '6.2.3', '6.2.25', '6.2.11', + # 6.3 versions + '6.3.2', '6.3.3', '6.3.15', + # 6.4 versions + '6.4.1', '6.4.2', '6.4.3', + # 6.5 versions + '6.5.1', '6.5.2', '6.5.3', '6.5.25', '6.5.26', '6.5.28', '6.5.29', + '6.5.32', '6.5.33', + # 6.6 versions + '6.6.2', '6.6.3', '6.6.25', '6.6.4', + # 6.7 versions + '6.7.1', '6.7.2', '6.7.3', '6.7.4', + # 6.8 versions + '6.8.1', '6.8.2', + # 6.9 versions + '6.9.1', '6.9.2', + # 7.0 versions + '7.0.1', '7.0.2', '7.0.12', '7.0.14', + # 7.1 versions + '7.1.1', '7.1.15', '7.1.2', '7.1.3', + # 7.2 versions + '7.2.0', '7.2.1', '7.2.2', + # 7.3 versions + '7.3.1', '7.3.15', '7.3.2', '7.3.3', '7.3.5', + # 7.4 versions + '7.4.1', '7.4.2', + # 7.5 versions + '7.5.1', '7.5.2', '7.5.3', '7.5.4', + # 7.6 versions + '7.6.1', '7.6.2', + # 7.7 versions + '7.7.1', '7.7.2', '7.7.21', + # 7.8 versions + '7.8.1', '7.8.2', + # 7.9 versions + '7.9.1', '7.9.2' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check iPXE configuration + ipxe_output = commands.check_ipxe + + # Check if iPXE is configured + ipxe_configured = 'ipxe' in ipxe_output + + # Assert that the device is not vulnerable + assert not ipxe_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20236. " + "The device is running a vulnerable version AND has iPXE configured, " + "which could allow an attacker to install unverified software images. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-iosxr-ipxe-sigbypass-pymfyqgB" + )