From 8db69d23fde7dc39644693e40005cef34dd24be7 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Sun, 1 Jun 2025 18:27:29 +0000 Subject: [PATCH 01/22] arista 2021 cves --- CVEasy/Arista/2021/__init__.py | 0 CVEasy/Arista/2021/cve202128496.py | 70 +++++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128500.py | 77 ++++++++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128501.py | 62 ++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128503.py | 71 +++++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128504.py | 63 ++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128505.py | 65 +++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128506.py | 69 ++++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128507.py | 77 ++++++++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128508.py | 71 +++++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128509.py | 71 +++++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128510.py | 71 +++++++++++++++++++++++++++ CVEasy/Arista/2021/cve202128511.py | 70 +++++++++++++++++++++++++++ 13 files changed, 837 insertions(+) create mode 100644 CVEasy/Arista/2021/__init__.py create mode 100644 CVEasy/Arista/2021/cve202128496.py create mode 100644 CVEasy/Arista/2021/cve202128500.py create mode 100644 CVEasy/Arista/2021/cve202128501.py create mode 100644 CVEasy/Arista/2021/cve202128503.py create mode 100644 CVEasy/Arista/2021/cve202128504.py create mode 100644 CVEasy/Arista/2021/cve202128505.py create mode 100644 CVEasy/Arista/2021/cve202128506.py create mode 100644 CVEasy/Arista/2021/cve202128507.py create mode 100644 CVEasy/Arista/2021/cve202128508.py create mode 100644 CVEasy/Arista/2021/cve202128509.py create mode 100644 CVEasy/Arista/2021/cve202128510.py create mode 100644 CVEasy/Arista/2021/cve202128511.py diff --git a/CVEasy/Arista/2021/__init__.py b/CVEasy/Arista/2021/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Arista/2021/cve202128496.py b/CVEasy/Arista/2021/cve202128496.py new file mode 100644 index 00000000..b691d052 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128496.py @@ -0,0 +1,70 @@ +from comfy import high + + +@high( + name='rule_cve202128496', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_bfd='show running-config | section bfd', + show_eapi='show management api http-commands' + ), +) +def rule_cve202128496(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28496 vulnerability in Arista EOS devices. + The vulnerability allows BFD shared secret passwords to be leaked when displaying output + over eAPI or other JSON outputs to authenticated users on the device. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.22.x versions (all releases) + '4.22.0', '4.22.12', + # 4.23.x versions (up to 4.23.9) + '4.23.0', '4.23.9', + # 4.24.x versions (up to 4.24.7) + '4.24.0', '4.24.7', + # 4.25.x versions (up to 4.25.4) + '4.25.0', '4.25.4', + # 4.26.x versions (up to 4.26.1) + '4.26.0', '4.26.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if BFD is configured with shared secret profiles + bfd_config = commands.show_bfd + has_bfd_secrets = 'profile' in bfd_config and 'key-id' in bfd_config + + # Check if eAPI is enabled + eapi_config = commands.show_eapi + eapi_enabled = 'enabled' in eapi_config.lower() + + # Device is vulnerable if using BFD shared secrets and eAPI is enabled + is_vulnerable = has_bfd_secrets and eapi_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28496. " + "The device is running a vulnerable version AND has BFD shared secret profiles configured " + "with eAPI enabled, which could expose sensitive password information. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.23.10 or later for 4.23.x train\n" + " * 4.24.8 or later for 4.24.x train\n" + " * 4.25.5 or later for 4.25.x train\n" + " * 4.26.2 or later for 4.26.x train\n" + "2. Or apply the appropriate hotfix:\n" + " * For 4.22.0 - 4.25.0: SecurityAdvisory0069Hotfix-4.22-4.25.0.swix\n" + " * For 4.25.1 - 4.26.1: SecurityAdvisory0069Hotfix-4.25.1-4.26.1.swix\n" + "3. As a workaround, restrict access to CLI show commands using role-based authorization\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13243-security-advisory-0069" + ) diff --git a/CVEasy/Arista/2021/cve202128500.py b/CVEasy/Arista/2021/cve202128500.py new file mode 100644 index 00000000..63783aa6 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128500.py @@ -0,0 +1,77 @@ +from comfy import high + + +@high( + name='rule_cve202128500', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_users='show running-config | section username', + show_agents='show running-config | include openconfig|terminattr' + ), +) +def rule_cve202128500(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28500 vulnerability in Arista EOS devices. + The vulnerability allows unrestricted access to the device for local users with nopassword + configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.20.x and earlier versions + '4.20.0', '4.20.15', + # 4.21.x versions + '4.21.0', '4.21.14M', + # 4.22.x versions + '4.22.0', '4.22.11M', + # 4.23.x versions + '4.23.0', '4.23.8M', + # 4.24.x versions + '4.24.0', '4.24.6M', + # 4.25.x versions + '4.25.0', '4.25.4M', + # 4.26.x versions + '4.26.0', '4.26.1F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if any users are configured with nopassword + users_config = commands.show_users + has_nopassword_users = 'nopassword' in users_config + + # Check if OpenConfig or TerminAttr agents are enabled + agents_config = commands.show_agents + agents_enabled = 'openconfig' in agents_config or 'terminattr' in agents_config + + # Device is vulnerable if it has nopassword users and agents enabled + is_vulnerable = has_nopassword_users and agents_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28500. " + "The device is running a vulnerable version AND has local users with nopassword configuration " + "while OpenConfig/TerminAttr agents are enabled, which could allow unrestricted access. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.2F or later for 4.26.x train\n" + " * 4.25.5M or later for 4.25.x train\n" + " * 4.24.7M or later for 4.24.x train\n" + " * 4.23.9M or later for 4.23.x train\n" + " * 4.22.12M or later for 4.22.x train\n" + " * 4.21.15M or later for 4.21.x train\n" + "2. Until upgrade is complete, implement these workarounds:\n" + " * Remove nopassword configuration for local users\n" + " * Or apply the appropriate hotfix:\n" + " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" + " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + ) diff --git a/CVEasy/Arista/2021/cve202128501.py b/CVEasy/Arista/2021/cve202128501.py new file mode 100644 index 00000000..17d0f617 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128501.py @@ -0,0 +1,62 @@ +from comfy import high + + +@high( + name='rule_cve202128501', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_terminattr='show running-config | include terminattr', + show_openconfig='show running-config | include openconfig', + show_users='show running-config | section username' + ), +) +def rule_cve202128501(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28501 vulnerability in Arista EOS devices. + The vulnerability allows unrestricted access to the device for local users with nopassword + configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # TerminAttr versions before 1.16.2 + '1.15.0', '1.15.1', '1.15.2', '1.15.3', + '1.16.0', '1.16.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if TerminAttr or OpenConfig agents are enabled + terminattr_config = commands.show_terminattr + openconfig_config = commands.show_openconfig + agents_enabled = bool(terminattr_config or openconfig_config) + + # Check if any users are configured with nopassword + users_config = commands.show_users + has_nopassword_users = 'nopassword' in users_config + + # Device is vulnerable if agents are enabled and has nopassword users + is_vulnerable = agents_enabled and has_nopassword_users + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28501. " + "The device is running a vulnerable version of TerminAttr AND has local users with nopassword configuration " + "while OpenConfig/TerminAttr agents are enabled, which could allow unrestricted access. " + "Recommended fixes:\n" + "1. Upgrade to TerminAttr v1.16.2 or later\n" + "2. Until upgrade is complete, implement these workarounds:\n" + " * Disable OpenConfig gNMI/gNOI and OpenConfig RESTCONF and TerminAttr\n" + " * Or apply the appropriate hotfix with proxy service:\n" + " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" + " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + ) diff --git a/CVEasy/Arista/2021/cve202128503.py b/CVEasy/Arista/2021/cve202128503.py new file mode 100644 index 00000000..37aa45b7 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128503.py @@ -0,0 +1,71 @@ +from comfy import high + + +@high( + name='rule_cve202128503', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_eapi='show management api http-commands', + show_cert_auth='show running-config | include certificate user' + ), +) +def rule_cve202128503(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28503 vulnerability in Arista EOS devices. + The vulnerability allows remote attackers to bypass authentication when certificate-based + authentication is used with eAPI, due to improper credential re-evaluation. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.23.x versions before 4.23.10 + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', + '4.23.5', '4.23.6', '4.23.7', '4.23.8', '4.23.9', + # 4.24.x versions before 4.24.8 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', + '4.24.5', '4.24.6', '4.24.7', + # 4.25.x versions before 4.25.6 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + # 4.26.x versions before 4.26.3 + '4.26.0', '4.26.1', '4.26.2' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if eAPI is enabled + eapi_config = commands.show_eapi + eapi_enabled = 'enabled' in eapi_config.lower() + + # Check if certificate-based authentication is configured + cert_config = commands.show_cert_auth + cert_auth_enabled = 'certificate user' in cert_config + + # Device is vulnerable if both eAPI and certificate auth are enabled + is_vulnerable = eapi_enabled and cert_auth_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28503. " + "The device is running a vulnerable version AND has eAPI enabled with certificate-based authentication, " + "which could allow remote attackers to bypass authentication. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.3 or later for 4.26.x train\n" + " * 4.25.6 or later for 4.25.x train\n" + " * 4.24.8 or later for 4.24.x train\n" + " * 4.23.10 or later for 4.23.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Disable certificate-based authentication for eAPI:\n" + " switch(config)#management security\n" + " switch(config-mgmt-security)#ssl profile profileEAPI\n" + " switch(config-mgmt-sec-ssl-profile-profileEAPI)#no trust certificate user.cert\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13605-security-advisory-0072" + ) diff --git a/CVEasy/Arista/2021/cve202128504.py b/CVEasy/Arista/2021/cve202128504.py new file mode 100644 index 00000000..aa5d6924 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128504.py @@ -0,0 +1,63 @@ +from comfy import high + + +@high( + name='rule_cve202128504', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_tcam='show hardware tcam profile', + show_acl='show running-config | section ip access-list' + ), +) +def rule_cve202128504(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28504 vulnerability in Arista EOS devices. + The vulnerability occurs on Strata family products when TCAM profile is enabled and + port IPv4 access-lists contain rules matching VXLAN protocol, causing subsequent rules + to not match IP protocol fields as expected. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.26.x versions before 4.26.4F + '4.26.0', '4.26.1F', '4.26.2F', '4.26.3F', + # 4.27.x versions before 4.27.1M + '4.27.0F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if TCAM profile feature is enabled + tcam_output = commands.show_tcam + tcam_enabled = 'Profile:' in tcam_output + + # Check if any ACL has VXLAN protocol matching + acl_config = commands.show_acl + has_vxlan_acl = 'protocol vxlan' in acl_config.lower() + + # Device is vulnerable if TCAM profile is enabled and has VXLAN protocol matching in ACLs + is_vulnerable = tcam_enabled and has_vxlan_acl + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28504. " + "The device is running a vulnerable version AND has TCAM profile enabled with ACLs matching VXLAN protocol, " + "which could cause subsequent ACL rules to not match IP protocol fields correctly. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.4F or later for 4.26.x train\n" + " * 4.27.1M or later for 4.27.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Replace 'protocol vxlan' matches in ACLs with:\n" + " - protocol udp\n" + " - destination port 4789 (or configured VXLAN port)\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" + ) diff --git a/CVEasy/Arista/2021/cve202128505.py b/CVEasy/Arista/2021/cve202128505.py new file mode 100644 index 00000000..cd024844 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128505.py @@ -0,0 +1,65 @@ +from comfy import high + + +@high( + name='rule_cve202128505', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_acl='show running-config | section ip access-list', + show_interfaces='show running-config | section interface' + ), +) +def rule_cve202128505(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28505 vulnerability in Arista EOS devices. + The vulnerability occurs when VXLAN match rules in IPv4 access-lists are applied to + ingress L2/L3 ports or SVIs, causing subsequent ACL rules to ignore IP protocol fields. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.26.x versions before 4.26.4M + '4.26.0', '4.26.1F', '4.26.2F', '4.26.3M', + # 4.27.x versions before 4.27.1F + '4.27.0F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if any ACL has VXLAN protocol matching + acl_config = commands.show_acl + has_vxlan_acl = 'protocol vxlan' in acl_config.lower() + + # Check if ACLs are applied to ingress L2/L3 ports or SVIs + interface_config = commands.show_interfaces + has_ingress_acl = any(keyword in interface_config.lower() for keyword in [ + 'ip access-group', + 'ipv4 access-group' + ]) + + # Device is vulnerable if it has VXLAN ACLs applied to ingress interfaces + is_vulnerable = has_vxlan_acl and has_ingress_acl + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28505. " + "The device is running a vulnerable version AND has VXLAN match rules in IPv4 ACLs " + "applied to ingress interfaces, which could cause subsequent rules to ignore IP protocol fields. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.4M or later for 4.26.x train\n" + " * 4.27.1F or later for 4.27.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Replace 'protocol vxlan' matches in ACLs with:\n" + " - protocol udp\n" + " - destination port 4789 (or configured VXLAN port)\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" + ) diff --git a/CVEasy/Arista/2021/cve202128506.py b/CVEasy/Arista/2021/cve202128506.py new file mode 100644 index 00000000..96f10034 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128506.py @@ -0,0 +1,69 @@ +from comfy import high + + +@high( + name='rule_cve202128506', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_gnmi='show management api gnmi', + show_restconf='show management api restconf', + show_gnoi='show management api gnoi' + ), +) +def rule_cve202128506(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28506 vulnerability in Arista EOS devices. + The vulnerability allows unauthenticated attackers to bypass authentication in gNOI APIs, + potentially allowing factory reset of the device. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.24.x versions before 4.24.8M + '4.24.0', '4.24.1F', '4.24.2F', '4.24.3M', '4.24.4M', '4.24.5M', '4.24.6M', '4.24.7M', + # 4.25.x versions before 4.25.6M + '4.25.0', '4.25.1M', '4.25.2M', '4.25.3M', '4.25.4M', '4.25.5M', + # 4.26.x versions before 4.26.3M + '4.26.0', '4.26.1F', '4.26.2F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if any of the vulnerable APIs are enabled + gnmi_config = commands.show_gnmi + restconf_config = commands.show_restconf + gnoi_config = commands.show_gnoi + + apis_enabled = any([ + 'enabled' in gnmi_config.lower(), + 'enabled' in restconf_config.lower(), + 'enabled' in gnoi_config.lower() + ]) + + # Device is vulnerable if running affected version and has APIs enabled + is_vulnerable = version_vulnerable and apis_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28506. " + "The device is running a vulnerable version AND has gNMI/gNOI/RESTCONF APIs enabled, " + "which could allow unauthenticated attackers to bypass authentication and factory reset the device. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.3M or later for 4.26.x train\n" + " * 4.25.6M or later for 4.25.x train\n" + " * 4.24.8M or later for 4.24.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Apply the appropriate hotfix with proxy service:\n" + " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" + " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + ) diff --git a/CVEasy/Arista/2021/cve202128507.py b/CVEasy/Arista/2021/cve202128507.py new file mode 100644 index 00000000..77814911 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128507.py @@ -0,0 +1,77 @@ +from comfy import high + + +@high( + name='rule_cve202128507', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_openconfig='show running-config | include openconfig', + show_restconf='show management api restconf', + show_acl='show running-config | section service-acl' + ), +) +def rule_cve202128507(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28507 vulnerability in Arista EOS devices. + The vulnerability allows service ACL bypass in OpenConfig gNOI and RESTCONF APIs, + which could result in denied requests being forwarded to the agent. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.21.x and earlier versions + '4.21.', '4.20.', '4.19.', '4.18.', + # 4.22.x versions + '4.22.0', '4.22.1', '4.22.2', '4.22.3', + # 4.23.x versions before 4.23.10M + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', + '4.23.5', '4.23.6', '4.23.7', '4.23.8', '4.23.9', + # 4.24.x versions before 4.24.8M + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', + '4.24.5', '4.24.6', '4.24.7', + # 4.25.x versions before 4.25.6M + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + # 4.26.x versions before 4.26.3M + '4.26.0', '4.26.1', '4.26.2' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if OpenConfig or RESTCONF is enabled + openconfig_config = commands.show_openconfig + restconf_config = commands.show_restconf + apis_enabled = bool(openconfig_config or 'enabled' in restconf_config.lower()) + + # Check if service ACLs are configured + acl_config = commands.show_acl + has_service_acl = 'service-acl' in acl_config + + # Device is vulnerable if APIs are enabled and using service ACLs + is_vulnerable = apis_enabled and has_service_acl + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28507. " + "The device is running a vulnerable version AND has OpenConfig/RESTCONF APIs enabled with service ACLs, " + "which could allow denied requests to bypass ACLs and reach the agent. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.26.3M or later for 4.26.x train\n" + " * 4.25.6M or later for 4.25.x train\n" + " * 4.24.8M or later for 4.24.x train\n" + " * 4.23.10M or later for 4.23.x train\n" + "2. Until upgrade is complete, implement these workarounds:\n" + " * Disable OpenConfig gNMI/gNOI and OpenConfig RESTCONF\n" + " * Or apply the appropriate hotfix with proxy service:\n" + " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" + " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + ) diff --git a/CVEasy/Arista/2021/cve202128508.py b/CVEasy/Arista/2021/cve202128508.py new file mode 100644 index 00000000..b7256b90 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128508.py @@ -0,0 +1,71 @@ +from comfy import high + + +@high( + name='rule_cve202128508', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_terminattr='show running-config | include terminattr', + show_ipsec='show running-config | section crypto ipsec' + ), +) +def rule_cve202128508(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28508 vulnerability in Arista EOS devices. + The vulnerability allows TerminAttr to leak IPsec sensitive data in clear text to CVP, + which could allow authorized users to decrypt or modify IPsec traffic. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.23.x versions before 4.23.11 + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', '4.23.5', + '4.23.6', '4.23.7', '4.23.8', '4.23.9', '4.23.10', + # 4.24.x versions before 4.24.10 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5', + '4.24.6', '4.24.7', '4.24.8', '4.24.9', + # 4.25.x versions before 4.25.8 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + '4.25.6', '4.25.7', + # 4.26.x versions before 4.26.6 + '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4', '4.26.5', + # 4.27.x versions before 4.27.2 + '4.27.0', '4.27.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if TerminAttr is enabled + terminattr_config = commands.show_terminattr + terminattr_enabled = bool(terminattr_config) + + # Check if IPsec is configured + ipsec_config = commands.show_ipsec + ipsec_configured = bool(ipsec_config) + + # Device is vulnerable if both TerminAttr and IPsec are enabled + is_vulnerable = terminattr_enabled and ipsec_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28508. " + "The device is running a vulnerable version AND has both TerminAttr and IPsec enabled, " + "which could allow IPsec sensitive data to leak in clear text to CVP. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.27.2 or later for 4.27.x train\n" + " * 4.26.6 or later for 4.26.x train\n" + " * 4.25.8 or later for 4.25.x train\n" + " * 4.24.10 or later for 4.24.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Disable TerminAttr agent\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" + ) diff --git a/CVEasy/Arista/2021/cve202128509.py b/CVEasy/Arista/2021/cve202128509.py new file mode 100644 index 00000000..a577c7c3 --- /dev/null +++ b/CVEasy/Arista/2021/cve202128509.py @@ -0,0 +1,71 @@ +from comfy import high + + +@high( + name='rule_cve202128509', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_terminattr='show running-config | include terminattr', + show_macsec='show running-config | section macsec' + ), +) +def rule_cve202128509(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28509 vulnerability in Arista EOS devices. + The vulnerability allows TerminAttr to leak MACsec sensitive data in clear text to CVP, + which could allow authorized users to decrypt or modify MACsec traffic. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.23.x versions before 4.23.12 + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', '4.23.5', + '4.23.6', '4.23.7', '4.23.8', '4.23.9', '4.23.10', '4.23.11', + # 4.24.x versions before 4.24.10 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5', + '4.24.6', '4.24.7', '4.24.8', '4.24.9', + # 4.25.x versions before 4.25.8 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + '4.25.6', '4.25.7', + # 4.26.x versions before 4.26.6 + '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4', '4.26.5', + # 4.27.x versions before 4.27.4 + '4.27.0', '4.27.1', '4.27.2', '4.27.3' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if TerminAttr is enabled + terminattr_config = commands.show_terminattr + terminattr_enabled = 'terminattr' in terminattr_config.lower() + + # Check if MACsec is configured + macsec_config = commands.show_macsec + macsec_configured = 'macsec' in macsec_config.lower() + + # Device is vulnerable if both TerminAttr and MACsec are enabled + is_vulnerable = terminattr_enabled and macsec_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28509. " + "The device is running a vulnerable version AND has both TerminAttr and MACsec enabled, " + "which could allow MACsec sensitive data to leak in clear text to CVP. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.27.4 or later for 4.27.x train\n" + " * 4.26.6 or later for 4.26.x train\n" + " * 4.25.8 or later for 4.25.x train\n" + " * 4.24.10 or later for 4.24.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Disable TerminAttr agent\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" + ) diff --git a/CVEasy/Arista/2021/cve202128510.py b/CVEasy/Arista/2021/cve202128510.py new file mode 100644 index 00000000..32fbf3aa --- /dev/null +++ b/CVEasy/Arista/2021/cve202128510.py @@ -0,0 +1,71 @@ +from comfy import high + + +@high( + name='rule_cve202128510', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_ptp='show running-config | section ptp' + ), +) +def rule_cve202128510(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28510 vulnerability in Arista EOS devices. + The vulnerability allows an unauthenticated attacker to cause a DoS condition by sending + malformed PTP packets with invalid TLV values, causing the PTP agent to restart repeatedly. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.23.x versions before 4.23.11 + '4.23.0', '4.23.1', '4.23.2', '4.23.3', '4.23.4', '4.23.5', + '4.23.6', '4.23.7', '4.23.8', '4.23.9', '4.23.10', + # 4.24.x versions before 4.24.9 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5', + '4.24.6', '4.24.7', '4.24.8', + # 4.25.x versions before 4.25.7 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + '4.25.6', + # 4.26.x versions before 4.26.5 + '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4', + # 4.27.x versions before 4.27.2 + '4.27.0', '4.27.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if PTP is configured + ptp_config = commands.show_ptp + ptp_enabled = 'ptp' in ptp_config.lower() + + # Device is vulnerable if running affected version and PTP is enabled + is_vulnerable = version_vulnerable and ptp_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28510. " + "The device is running a vulnerable version AND has PTP enabled, " + "which could allow an attacker to cause a denial of service by sending malformed PTP packets. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.27.2 or later for 4.27.x train\n" + " * 4.26.5 or later for 4.26.x train\n" + " * 4.25.7 or later for 4.25.x train\n" + " * 4.24.9 or later for 4.24.x train\n" + " * 4.23.11 or later for 4.23.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Install ACL rules to drop PTP packets from untrusted sources\n" + " * Block access to untrusted (non-management) networks\n" + "3. A hotfix is available:\n" + " * SecurityAdvisory76_CVE-2021-28510_Hotfix.swix\n" + " * Note: Installing/uninstalling will cause PTP agent to restart\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15439-security-advisory-0076" + ) diff --git a/CVEasy/Arista/2021/cve202128511.py b/CVEasy/Arista/2021/cve202128511.py new file mode 100644 index 00000000..e3a4df2f --- /dev/null +++ b/CVEasy/Arista/2021/cve202128511.py @@ -0,0 +1,70 @@ +from comfy import high + + +@high( + name='rule_cve202128511', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_nat='show running-config | section ip nat', + show_acl='show running-config | section ip access-list' + ), +) +def rule_cve202128511(configuration, commands, device, devices): + """ + This rule checks for CVE-2021-28511 vulnerability in Arista EOS devices. + The vulnerability allows security ACL bypass if a NAT ACL rule filter with permit action + matches a packet flow that should be denied by a security ACL. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.24.x versions before 4.24.10 + '4.24.0', '4.24.1', '4.24.2', '4.24.3', '4.24.4', '4.24.5', + '4.24.6', '4.24.7', '4.24.8', '4.24.9', + # 4.25.x versions before 4.25.9 + '4.25.0', '4.25.1', '4.25.2', '4.25.3', '4.25.4', '4.25.5', + '4.25.6', '4.25.7', '4.25.8', + # 4.26.x versions before 4.26.6 + '4.26.0', '4.26.1', '4.26.2', '4.26.3', '4.26.4', '4.26.5', + # 4.27.x versions before 4.27.4 + '4.27.0', '4.27.1', '4.27.2', '4.27.3' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if NAT is configured + nat_config = commands.show_nat + nat_enabled = 'ip nat' in nat_config.lower() + + # Check if security ACLs are configured + acl_config = commands.show_acl + security_acl_enabled = 'ip access-list' in acl_config.lower() + + # Device is vulnerable if both NAT and security ACLs are enabled + is_vulnerable = nat_enabled and security_acl_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2021-28511. " + "The device is running a vulnerable version AND has both NAT and security ACLs configured, " + "which could allow security ACL bypass through NAT permit rules. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * 4.28.0 or later for 4.28.x train\n" + " * 4.27.4 or later for 4.27.x train\n" + " * 4.26.6 or later for 4.26.x train\n" + " * 4.25.9 or later for 4.25.x train\n" + " * 4.24.10 or later for 4.24.x train\n" + "2. Until upgrade is complete, implement this workaround:\n" + " * Configure a NAT 'drop' ACL rule for each security ACL 'drop' rule\n" + " * Apply these rules to interfaces with NAT configured\n" + "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15862-security-advisory-0078" + ) From 9b12ab2891fc2efc2b16e9ad1ab23a6277171f72 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Sun, 1 Jun 2025 19:07:56 +0000 Subject: [PATCH 02/22] Fix flake8 and syntax errors in Arista CVE scripts --- CVEasy/Arista/2021/cve202128496.py | 5 +++-- CVEasy/Arista/2021/cve202128500.py | 5 +++-- CVEasy/Arista/2021/cve202128501.py | 5 +++-- CVEasy/Arista/2021/cve202128503.py | 5 +++-- CVEasy/Arista/2021/cve202128504.py | 7 ++++--- CVEasy/Arista/2021/cve202128505.py | 5 +++-- CVEasy/Arista/2021/cve202128506.py | 3 ++- CVEasy/Arista/2021/cve202128507.py | 3 ++- CVEasy/Arista/2021/cve202128508.py | 3 ++- CVEasy/Arista/2021/cve202128509.py | 3 ++- CVEasy/Arista/2021/cve202128510.py | 3 ++- CVEasy/Arista/2021/cve202128511.py | 3 ++- 12 files changed, 31 insertions(+), 19 deletions(-) diff --git a/CVEasy/Arista/2021/cve202128496.py b/CVEasy/Arista/2021/cve202128496.py index b691d052..0c636c99 100644 --- a/CVEasy/Arista/2021/cve202128496.py +++ b/CVEasy/Arista/2021/cve202128496.py @@ -13,7 +13,7 @@ def rule_cve202128496(configuration, commands, device, devices): """ This rule checks for CVE-2021-28496 vulnerability in Arista EOS devices. - The vulnerability allows BFD shared secret passwords to be leaked when displaying output + The vulnerability allows BFD shared secret passwords to be leaked when displaying output over eAPI or other JSON outputs to authenticated users on the device. """ # Extract the version information from the command output @@ -66,5 +66,6 @@ def rule_cve202128496(configuration, commands, device, devices): " * For 4.22.0 - 4.25.0: SecurityAdvisory0069Hotfix-4.22-4.25.0.swix\n" " * For 4.25.1 - 4.26.1: SecurityAdvisory0069Hotfix-4.25.1-4.26.1.swix\n" "3. As a workaround, restrict access to CLI show commands using role-based authorization\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13243-security-advisory-0069" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13243-security-advisory-0069" ) diff --git a/CVEasy/Arista/2021/cve202128500.py b/CVEasy/Arista/2021/cve202128500.py index 63783aa6..95ebee4b 100644 --- a/CVEasy/Arista/2021/cve202128500.py +++ b/CVEasy/Arista/2021/cve202128500.py @@ -13,7 +13,7 @@ def rule_cve202128500(configuration, commands, device, devices): """ This rule checks for CVE-2021-28500 vulnerability in Arista EOS devices. - The vulnerability allows unrestricted access to the device for local users with nopassword + The vulnerability allows unrestricted access to the device for local users with nopassword configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents. """ # Extract the version information from the command output @@ -73,5 +73,6 @@ def rule_cve202128500(configuration, commands, device, devices): " * Or apply the appropriate hotfix:\n" " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + "For more information, see " + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" ) diff --git a/CVEasy/Arista/2021/cve202128501.py b/CVEasy/Arista/2021/cve202128501.py index 17d0f617..5c1db418 100644 --- a/CVEasy/Arista/2021/cve202128501.py +++ b/CVEasy/Arista/2021/cve202128501.py @@ -14,7 +14,7 @@ def rule_cve202128501(configuration, commands, device, devices): """ This rule checks for CVE-2021-28501 vulnerability in Arista EOS devices. - The vulnerability allows unrestricted access to the device for local users with nopassword + The vulnerability allows unrestricted access to the device for local users with nopassword configuration due to incorrect use of EOS's AAA APIs by OpenConfig and TerminAttr agents. """ # Extract the version information from the command output @@ -58,5 +58,6 @@ def rule_cve202128501(configuration, commands, device, devices): " * Or apply the appropriate hotfix with proxy service:\n" " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" ) diff --git a/CVEasy/Arista/2021/cve202128503.py b/CVEasy/Arista/2021/cve202128503.py index 37aa45b7..40986559 100644 --- a/CVEasy/Arista/2021/cve202128503.py +++ b/CVEasy/Arista/2021/cve202128503.py @@ -13,7 +13,7 @@ def rule_cve202128503(configuration, commands, device, devices): """ This rule checks for CVE-2021-28503 vulnerability in Arista EOS devices. - The vulnerability allows remote attackers to bypass authentication when certificate-based + The vulnerability allows remote attackers to bypass authentication when certificate-based authentication is used with eAPI, due to improper credential re-evaluation. """ # Extract the version information from the command output @@ -67,5 +67,6 @@ def rule_cve202128503(configuration, commands, device, devices): " switch(config)#management security\n" " switch(config-mgmt-security)#ssl profile profileEAPI\n" " switch(config-mgmt-sec-ssl-profile-profileEAPI)#no trust certificate user.cert\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13605-security-advisory-0072" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13605-security-advisory-0072" ) diff --git a/CVEasy/Arista/2021/cve202128504.py b/CVEasy/Arista/2021/cve202128504.py index aa5d6924..6f0aed1e 100644 --- a/CVEasy/Arista/2021/cve202128504.py +++ b/CVEasy/Arista/2021/cve202128504.py @@ -13,8 +13,8 @@ def rule_cve202128504(configuration, commands, device, devices): """ This rule checks for CVE-2021-28504 vulnerability in Arista EOS devices. - The vulnerability occurs on Strata family products when TCAM profile is enabled and - port IPv4 access-lists contain rules matching VXLAN protocol, causing subsequent rules + The vulnerability occurs on Strata family products when TCAM profile is enabled and + port IPv4 access-lists contain rules matching VXLAN protocol, causing subsequent rules to not match IP protocol fields as expected. """ # Extract the version information from the command output @@ -59,5 +59,6 @@ def rule_cve202128504(configuration, commands, device, devices): " * Replace 'protocol vxlan' matches in ACLs with:\n" " - protocol udp\n" " - destination port 4789 (or configured VXLAN port)\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" ) diff --git a/CVEasy/Arista/2021/cve202128505.py b/CVEasy/Arista/2021/cve202128505.py index cd024844..2ff97f87 100644 --- a/CVEasy/Arista/2021/cve202128505.py +++ b/CVEasy/Arista/2021/cve202128505.py @@ -13,7 +13,7 @@ def rule_cve202128505(configuration, commands, device, devices): """ This rule checks for CVE-2021-28505 vulnerability in Arista EOS devices. - The vulnerability occurs when VXLAN match rules in IPv4 access-lists are applied to + The vulnerability occurs when VXLAN match rules in IPv4 access-lists are applied to ingress L2/L3 ports or SVIs, causing subsequent ACL rules to ignore IP protocol fields. """ # Extract the version information from the command output @@ -61,5 +61,6 @@ def rule_cve202128505(configuration, commands, device, devices): " * Replace 'protocol vxlan' matches in ACLs with:\n" " - protocol udp\n" " - destination port 4789 (or configured VXLAN port)\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15267-security-advisory-0073" ) diff --git a/CVEasy/Arista/2021/cve202128506.py b/CVEasy/Arista/2021/cve202128506.py index 96f10034..f60d7bb9 100644 --- a/CVEasy/Arista/2021/cve202128506.py +++ b/CVEasy/Arista/2021/cve202128506.py @@ -65,5 +65,6 @@ def rule_cve202128506(configuration, commands, device, devices): " * Apply the appropriate hotfix with proxy service:\n" " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" ) diff --git a/CVEasy/Arista/2021/cve202128507.py b/CVEasy/Arista/2021/cve202128507.py index 77814911..07a65c07 100644 --- a/CVEasy/Arista/2021/cve202128507.py +++ b/CVEasy/Arista/2021/cve202128507.py @@ -73,5 +73,6 @@ def rule_cve202128507(configuration, commands, device, devices): " * Or apply the appropriate hotfix with proxy service:\n" " - For 32-bit systems: SecurityAdvisory0071Hotfix.i386.swix\n" " - For 64-bit systems: SecurityAdvisory0071Hotfix.x86_64.swix\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/13449-security-advisory-0071" ) diff --git a/CVEasy/Arista/2021/cve202128508.py b/CVEasy/Arista/2021/cve202128508.py index b7256b90..1badbc3e 100644 --- a/CVEasy/Arista/2021/cve202128508.py +++ b/CVEasy/Arista/2021/cve202128508.py @@ -67,5 +67,6 @@ def rule_cve202128508(configuration, commands, device, devices): " * 4.24.10 or later for 4.24.x train\n" "2. Until upgrade is complete, implement this workaround:\n" " * Disable TerminAttr agent\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" ) diff --git a/CVEasy/Arista/2021/cve202128509.py b/CVEasy/Arista/2021/cve202128509.py index a577c7c3..ec3f020f 100644 --- a/CVEasy/Arista/2021/cve202128509.py +++ b/CVEasy/Arista/2021/cve202128509.py @@ -67,5 +67,6 @@ def rule_cve202128509(configuration, commands, device, devices): " * 4.24.10 or later for 4.24.x train\n" "2. Until upgrade is complete, implement this workaround:\n" " * Disable TerminAttr agent\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15484-security-advisory-0077" ) diff --git a/CVEasy/Arista/2021/cve202128510.py b/CVEasy/Arista/2021/cve202128510.py index 32fbf3aa..844c01c5 100644 --- a/CVEasy/Arista/2021/cve202128510.py +++ b/CVEasy/Arista/2021/cve202128510.py @@ -67,5 +67,6 @@ def rule_cve202128510(configuration, commands, device, devices): "3. A hotfix is available:\n" " * SecurityAdvisory76_CVE-2021-28510_Hotfix.swix\n" " * Note: Installing/uninstalling will cause PTP agent to restart\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15439-security-advisory-0076" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15439-security-advisory-0076" ) diff --git a/CVEasy/Arista/2021/cve202128511.py b/CVEasy/Arista/2021/cve202128511.py index e3a4df2f..9c1252f8 100644 --- a/CVEasy/Arista/2021/cve202128511.py +++ b/CVEasy/Arista/2021/cve202128511.py @@ -66,5 +66,6 @@ def rule_cve202128511(configuration, commands, device, devices): "2. Until upgrade is complete, implement this workaround:\n" " * Configure a NAT 'drop' ACL rule for each security ACL 'drop' rule\n" " * Apply these rules to interfaces with NAT configured\n" - "For more information, see https://www.arista.com/en/support/advisories-notices/security-advisory/15862-security-advisory-0078" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15862-security-advisory-0078" ) From eb48f51858732f0bd0d4c7987e125b454dddfa54 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Sun, 1 Jun 2025 19:22:24 +0000 Subject: [PATCH 03/22] cisco_ios 2022 cves --- CVEasy/Cisco/2022/__init__.py | 0 CVEasy/Cisco/2022/cisco_ios/__init__.py | 0 CVEasy/Cisco/2022/cisco_ios/cve202220677.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220697.py | 32 +++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220718.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220719.py | 35 +++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220720.py | 35 +++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220721.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220722.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220723.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220724.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220725.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220726.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220727.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220761.py | 33 +++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220919.py | 34 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_ios/cve202220920.py | 34 ++++++++++++++++++++ 17 files changed, 509 insertions(+) create mode 100644 CVEasy/Cisco/2022/__init__.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/__init__.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220677.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220697.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220718.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220719.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220720.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220721.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220722.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220723.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220724.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220725.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220726.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220727.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220761.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220919.py create mode 100644 CVEasy/Cisco/2022/cisco_ios/cve202220920.py diff --git a/CVEasy/Cisco/2022/__init__.py b/CVEasy/Cisco/2022/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_ios/__init__.py b/CVEasy/Cisco/2022/cisco_ios/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220677.py b/CVEasy/Cisco/2022/cisco_ios/cve202220677.py new file mode 100644 index 00000000..1031e83b --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220677.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220677', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220677(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20677 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + An attacker could exploit this vulnerability to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20677. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220697.py b/CVEasy/Cisco/2022/cisco_ios/cve202220697.py new file mode 100644 index 00000000..1804c43a --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220697.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202220697', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_http='show running-config | include ip http' + ), +) +def rule_cve202220697(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20697 vulnerability in Cisco IOS Software. + The vulnerability is due to improper resource management in the HTTP server code. + An attacker could exploit this vulnerability by sending a large number of HTTP requests + to an affected device, causing it to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check HTTP configuration + http_output = commands.check_http + + # Check if HTTP server is enabled + http_enabled = any(service in http_output for service in ['ip http server', 'ip http secure-server']) + + # Assert that the device is not vulnerable + assert not http_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20697. " + "The device has HTTP/HTTPS server enabled, " + "which could allow an attacker to cause a denial of service through crafted HTTP requests. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-dos-svOdkdBS" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220718.py b/CVEasy/Cisco/2022/cisco_ios/cve202220718.py new file mode 100644 index 00000000..3abeec7e --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220718.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220718', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220718(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20718 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20718. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220719.py b/CVEasy/Cisco/2022/cisco_ios/cve202220719.py new file mode 100644 index 00000000..e3665251 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220719.py @@ -0,0 +1,35 @@ +from comfy import high + + +@high( + name='rule_cve202220719', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220719(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20719 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application + hosting environment. Multiple vulnerabilities could allow an attacker to inject + arbitrary commands into the underlying host operating system, execute arbitrary + code, install applications without authentication, or conduct cross-site + scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20719. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220720.py b/CVEasy/Cisco/2022/cisco_ios/cve202220720.py new file mode 100644 index 00000000..ecea6ab3 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220720.py @@ -0,0 +1,35 @@ +from comfy import high + + +@high( + name='rule_cve202220720', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220720(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20720 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application + hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands + into the underlying host operating system, execute arbitrary code, install + applications without authentication, or conduct cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20720. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220721.py b/CVEasy/Cisco/2022/cisco_ios/cve202220721.py new file mode 100644 index 00000000..fa410727 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220721.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220721', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220721(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20721 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20721. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220722.py b/CVEasy/Cisco/2022/cisco_ios/cve202220722.py new file mode 100644 index 00000000..e5d99e25 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220722.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220722', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220722(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20722 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20722. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220723.py b/CVEasy/Cisco/2022/cisco_ios/cve202220723.py new file mode 100644 index 00000000..fe189087 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220723.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220723', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220723(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20723 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20723. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220724.py b/CVEasy/Cisco/2022/cisco_ios/cve202220724.py new file mode 100644 index 00000000..293118d4 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220724.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220724', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220724(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20724 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20724. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220725.py b/CVEasy/Cisco/2022/cisco_ios/cve202220725.py new file mode 100644 index 00000000..c7994a30 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220725.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220725', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220725(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20725 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20725. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220726.py b/CVEasy/Cisco/2022/cisco_ios/cve202220726.py new file mode 100644 index 00000000..c5b607ff --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220726.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220726', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220726(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20726 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20726. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220727.py b/CVEasy/Cisco/2022/cisco_ios/cve202220727.py new file mode 100644 index 00000000..e87b64e3 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220727.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220727', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ios='show running-config | include ios' + ), +) +def rule_cve202220727(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20727 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient protection in the Cisco IOS application hosting environment. + Multiple vulnerabilities could allow an attacker to inject arbitrary commands into the underlying host + operating system, execute arbitrary code, install applications without authentication, or conduct + cross-site scripting (XSS) attacks. + """ + # Extract the output of the command to check IOS configuration + ios_output = commands.check_ios + + # Check if IOS is configured + ios_configured = 'ios' in ios_output + + # Assert that the device is not vulnerable + assert not ios_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20727. " + "The device has IOS application hosting configured, " + "which could allow an attacker to execute arbitrary commands, install unauthorized applications, " + "or conduct XSS attacks. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-yuXQ6hFj" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220761.py b/CVEasy/Cisco/2022/cisco_ios/cve202220761.py new file mode 100644 index 00000000..2811f670 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220761.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202220761', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ap='show running-config | include autonomous-ap' + ), +) +def rule_cve202220761(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20761 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient input validation in the integrated wireless access point (AP) + packet processing of the Cisco 1000 Series Connected Grid Router (CGR1K). An attacker could exploit + this vulnerability by sending crafted traffic to an affected device, causing the integrated AP to stop + processing traffic and resulting in a denial of service condition. + """ + # Extract the output of the command to check AP configuration + ap_output = commands.check_ap + + # Check if integrated AP is configured + ap_configured = 'autonomous-ap' in ap_output + + # Assert that the device is not vulnerable + assert not ap_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20761. " + "The device has integrated wireless access point configured, " + "which could allow an adjacent attacker to cause a denial of service through crafted traffic. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cgr1k-ap-dos-mSZR4QVh" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220919.py b/CVEasy/Cisco/2022/cisco_ios/cve202220919.py new file mode 100644 index 00000000..8e2b3148 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220919.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220919', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_cip='show running-config | include cip enable' + ), +) +def rule_cve202220919(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20919 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient input validation during processing of + Common Industrial Protocol (CIP) packets. + An unauthenticated, remote attacker could exploit this vulnerability by sending + malformed CIP packets to an affected device, + causing it to unexpectedly reload and resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check CIP configuration + cip_output = commands.check_cip + + # Check if CIP is enabled + cip_enabled = 'cip enable' in cip_output + + # Assert that the device is not vulnerable + assert not cip_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20919. " + "The device has Common Industrial Protocol (CIP) enabled, " + "which could allow an unauthenticated attacker to cause a denial of service through malformed CIP packets. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-cip-dos-9rTbKLt9" + ) diff --git a/CVEasy/Cisco/2022/cisco_ios/cve202220920.py b/CVEasy/Cisco/2022/cisco_ios/cve202220920.py new file mode 100644 index 00000000..51f76da3 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_ios/cve202220920.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202220920', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_ssh='show running-config | include ip ssh' + ), +) +def rule_cve202220920(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20920 vulnerability in Cisco IOS Software. + The vulnerability is due to improper handling of resources during an exceptional + situation in the SSH implementation. + An authenticated, remote attacker could exploit this vulnerability by continuously connecting to an affected device + and sending specific SSH requests, causing the device to reload and resulting in a + denial of service (DoS) condition. + """ + # Extract the output of the command to check SSH configuration + ssh_output = commands.check_ssh + + # Check if SSH is enabled + ssh_enabled = 'ip ssh' in ssh_output + + # Assert that the device is not vulnerable + assert not ssh_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20920. " + "The device has SSH enabled, " + "which could allow an authenticated attacker to cause a denial of service through crafted SSH requests. " + "For more information, see " + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssh-excpt-dos-FzOBQTnk" + ) From 8720e4e29c9b5049f3e4b7b8a6c52fd7d49a9add Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Sun, 1 Jun 2025 19:45:01 +0000 Subject: [PATCH 04/22] cisco_xe 2022 cves --- CVEasy/Cisco/2022/cisco_xe/__init__.py | 0 CVEasy/Cisco/2022/cisco_xe/cve202220676.py | 32 ++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220678.py | 35 +++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220679.py | 47 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220681.py | 40 +++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220682.py | 47 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220683.py | 47 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220684.py | 48 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220692.py | 33 ++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220693.py | 37 ++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220694.py | 37 ++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220810.py | 47 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220837.py | 37 ++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220847.py | 48 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220848.py | 51 ++++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220851.py | 37 ++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220855.py | 51 ++++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220856.py | 48 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220864.py | 44 +++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220870.py | 47 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220915.py | 47 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xe/cve202220944.py | 48 ++++++++++++++++++++ 22 files changed, 908 insertions(+) create mode 100644 CVEasy/Cisco/2022/cisco_xe/__init__.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220676.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220678.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220679.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220681.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220682.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220683.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220684.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220692.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220693.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220694.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220810.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220837.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220847.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220848.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220851.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220855.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220856.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220864.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220870.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220915.py create mode 100644 CVEasy/Cisco/2022/cisco_xe/cve202220944.py diff --git a/CVEasy/Cisco/2022/cisco_xe/__init__.py b/CVEasy/Cisco/2022/cisco_xe/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220676.py b/CVEasy/Cisco/2022/cisco_xe/cve202220676.py new file mode 100644 index 00000000..e4c9db0d --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220676.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202220676', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_tcl='show running-config | include tclsh' + ), +) +def rule_cve202220676(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20676 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation of data that is passed into the Tcl interpreter. + An authenticated, local attacker with privilege level 15 could exploit this vulnerability by loading + malicious Tcl code on an affected device, allowing them to escalate to root-level privileges. + """ + # Extract the output of the command to check Tcl configuration + tcl_output = commands.check_tcl + + # Check if Tcl shell access is enabled + tcl_enabled = 'tclsh' in tcl_output + + # Assert that the device is not vulnerable + assert not tcl_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20676. " + "The device has Tcl shell access enabled, " + "which could allow an authenticated attacker with privilege level 15 to escalate to root privileges. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-grbtubU" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220678.py b/CVEasy/Cisco/2022/cisco_xe/cve202220678.py new file mode 100644 index 00000000..dd812915 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220678.py @@ -0,0 +1,35 @@ +from comfy import high + + +@high( + name='rule_cve202220678', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_appnav='show running-config | include appnav-controller|service-insertion' + ), +) +def rule_cve202220678(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20678 vulnerability in Cisco IOS XE Software. + The vulnerability is due to incorrect handling of certain TCP segments in the AppNav-XE feature. + An unauthenticated, remote attacker could exploit this vulnerability by sending a stream of crafted + TCP traffic at a high rate through an interface with AppNav interception enabled, causing the device + to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check AppNav configuration + appnav_output = commands.check_appnav + + # Check if AppNav-XE is configured + appnav_configured = any(feature in appnav_output for feature in [ + 'appnav-controller', 'service-insertion' + ]) + + # Assert that the device is not vulnerable + assert not appnav_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20678. " + "The device has AppNav-XE configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted TCP traffic. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-appnav-xe-dos-j5MXTR4" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220679.py b/CVEasy/Cisco/2022/cisco_xe/cve202220679.py new file mode 100644 index 00000000..0654fb70 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220679.py @@ -0,0 +1,47 @@ +import re # Add regex module +from comfy import high + + +@high( + name='rule_cve202220679', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_ipsec='show running-config | include crypto ipsec', + check_mtu='show interfaces | include MTU' + ), +) +def rule_cve202220679(configuration, commands, device, devices): + # Convert command outputs to strings to handle None values + ipsec_output = str(commands.check_ipsec or "") + mtu_output = str(commands.check_mtu or "") + + # Check if IPsec is configured + ipsec_configured = 'crypto ipsec' in ipsec_output + + # Check if any interface has MTU >= 1800 using regex + high_mtu = False + for line in mtu_output.splitlines(): + if 'MTU' in line: + # Use regex to find the first sequence of digits after "MTU" + match = re.search(r'MTU.*?(\d+)', line) + if match: + try: + mtu = int(match.group(1)) + if mtu >= 1800: + high_mtu = True + break + except ValueError: + continue + + # Device is vulnerable if both conditions are met + is_vulnerable = ipsec_configured and high_mtu + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20679. " + "The device has IPsec configured and interfaces with MTU >= 1800 bytes, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qfp-ipsec-GQmqvtqV" + ) \ No newline at end of file diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220681.py b/CVEasy/Cisco/2022/cisco_xe/cve202220681.py new file mode 100644 index 00000000..42aa3f4a --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220681.py @@ -0,0 +1,40 @@ +from comfy import high + + +@high( + name='rule_cve202220681', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis' + ), +) +def rule_cve202220681(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20681 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient validation of user privileges after executing certain CLI commands + on Cisco Catalyst 9000 Family Switches and Wireless Controllers. An authenticated, local attacker with low + privileges could exploit this vulnerability by executing certain CLI commands to elevate their privileges + to level 15. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Assert that the device is not vulnerable + assert not is_cat9k, ( + f"Device {device.name} is vulnerable to CVE-2022-20681. " + "The device is a Catalyst 9000 Series switch/wireless controller, " + "which could allow an authenticated attacker to elevate privileges to level 15 through certain CLI commands. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-priv-esc-ybvHKO5" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220682.py b/CVEasy/Cisco/2022/cisco_xe/cve202220682.py new file mode 100644 index 00000000..aa049d38 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220682.py @@ -0,0 +1,47 @@ +from comfy import high + + +@high( + name='rule_cve202220682', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include wireless|capwap' + ), +) +def rule_cve202220682(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20682 vulnerability in Cisco IOS XE Software. + The vulnerability is due to inadequate input validation of incoming CAPWAP packets encapsulating + multicast DNS (mDNS) queries in the Catalyst 9000 Family Wireless Controllers. An attacker could + exploit this vulnerability by connecting to a wireless network and sending a crafted mDNS query, + which would flow through and be processed by the wireless controller. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check wireless/CAPWAP configuration + wireless_output = commands.check_wireless + + # Check if wireless controller and CAPWAP are configured + wireless_configured = any(feature in wireless_output for feature in ['wireless', 'capwap']) + + # Device is vulnerable if it's a Cat9K and has wireless/CAPWAP configured + is_vulnerable = is_cat9k and wireless_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20682. " + "The device is a Catalyst 9000 Series wireless controller with CAPWAP configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted mDNS queries. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-capwap-mdns-6PSn7gKU" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220683.py b/CVEasy/Cisco/2022/cisco_xe/cve202220683.py new file mode 100644 index 00000000..f75dfa00 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220683.py @@ -0,0 +1,47 @@ +from comfy import high + + +@high( + name='rule_cve202220683', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_fnf='show running-config | include flow|performance monitor' + ), +) +def rule_cve202220683(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20683 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient packet verification for traffic inspected by the AVC feature + in Cisco Catalyst 9800 Series Wireless Controllers. An unauthenticated, remote attacker could exploit + this vulnerability by sending crafted packets from the wired network to a wireless client, causing + the wireless controller to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9800 Series + is_cat9800 = 'C9800' in platform_output + + # If not a Catalyst 9800 device, it's not vulnerable + if not is_cat9800: + return + + # Extract the output of the command to check AVC/FNF configuration + fnf_output = commands.check_fnf + + # Check if AVC/FNF is configured + fnf_configured = any(feature in fnf_output for feature in ['flow', 'performance monitor']) + + # Device is vulnerable if it's a Cat9800 and has AVC/FNF configured + is_vulnerable = is_cat9800 and fnf_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20683. " + "The device is a Catalyst 9800 Series wireless controller with AVC/FNF configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-fnf-dos-bOL5vLge" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220684.py b/CVEasy/Cisco/2022/cisco_xe/cve202220684.py new file mode 100644 index 00000000..7652082a --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220684.py @@ -0,0 +1,48 @@ +from comfy import high + + +@high( + name='rule_cve202220684', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include wireless|snmp-server' + ), +) +def rule_cve202220684(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20684 vulnerability in Cisco IOS XE Software. + The vulnerability is due to a lack of input validation of the information used to generate an SNMP trap + related to a wireless client connection event in Catalyst 9000 Family Wireless Controllers. An attacker + could exploit this vulnerability by sending an 802.1x packet with crafted parameters during the wireless + authentication setup phase of a connection. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check wireless and SNMP configuration + wireless_output = commands.check_wireless + + # Check if wireless controller and SNMP traps are configured + wireless_configured = 'wireless' in wireless_output + snmp_configured = 'snmp-server' in wireless_output + + # Device is vulnerable if it's a Cat9K and has both wireless and SNMP configured + is_vulnerable = is_cat9k and wireless_configured and snmp_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20684. " + "The device is a Catalyst 9000 Series wireless controller with SNMP traps configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted 802.1x packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-snmp-trap-dos-mjent3Ey" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220692.py b/CVEasy/Cisco/2022/cisco_xe/cve202220692.py new file mode 100644 index 00000000..fde47890 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220692.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202220692', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_netconf='show running-config | include netconf-yang|ssh' + ), +) +def rule_cve202220692(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20692 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient resource management in the NETCONF over SSH feature. + A low-privileged, authenticated, remote attacker could exploit this vulnerability by initiating + a large number of NETCONF over SSH connections, causing the device to reload and resulting in + a denial of service (DoS) condition. + """ + # Extract the output of the command to check NETCONF configuration + netconf_output = commands.check_netconf + + # Check if NETCONF over SSH is enabled + netconf_enabled = 'netconf-yang' in netconf_output and 'ssh' in netconf_output + + # Assert that the device is not vulnerable + assert not netconf_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20692. " + "The device has NETCONF over SSH enabled, " + "which could allow an authenticated attacker to cause a denial of service through multiple connections. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncossh-dos-ZAkfOdq8" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220693.py b/CVEasy/Cisco/2022/cisco_xe/cve202220693.py new file mode 100644 index 00000000..173c821e --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220693.py @@ -0,0 +1,37 @@ +from comfy import high + + +@high( + name='rule_cve202220693', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|restconf' + ), +) +def rule_cve202220693(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20693 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation in the web UI feature. + An authenticated, remote attacker could exploit this vulnerability by sending crafted input + to the web UI API, allowing them to inject commands to the underlying operating system with + root privileges. + """ + # Extract the output of the command to check web UI configuration + webui_output = commands.check_webui + + # Check if web UI or RESTCONF is enabled + webui_enabled = any(feature in webui_output for feature in [ + 'ip http server', + 'ip http secure-server', + 'restconf' + ]) + + # Assert that the device is not vulnerable + assert not webui_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20693. " + "The device has web UI or RESTCONF enabled, " + "which could allow an authenticated attacker to inject commands with root privileges through crafted API input. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webuiapi-inj-Nyrq92Od" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220694.py b/CVEasy/Cisco/2022/cisco_xe/cve202220694.py new file mode 100644 index 00000000..0b3d0cf0 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220694.py @@ -0,0 +1,37 @@ +from comfy import high + + +@high( + name='rule_cve202220694', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_rpki='show running-config | include router bgp|rpki' + ), +) +def rule_cve202220694(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20694 vulnerability in Cisco IOS XE Software. + The vulnerability is due to incorrect handling of RPKI to Router (RTR) Protocol packet headers + in the Resource Public Key Infrastructure (RPKI) feature. An unauthenticated, remote attacker + could exploit this vulnerability by sending crafted RTR packets to cause the BGP process to crash, + resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check BGP and RPKI configuration + rpki_output = commands.check_rpki + + # Check if BGP is configured with RPKI + bgp_configured = 'router bgp' in rpki_output + rpki_configured = 'rpki' in rpki_output + + # Device is vulnerable if both BGP and RPKI are configured + is_vulnerable = bgp_configured and rpki_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20694. " + "The device has BGP configured with RPKI, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted RTR packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-rpki-dos-2EgCNeKE" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220810.py b/CVEasy/Cisco/2022/cisco_xe/cve202220810.py new file mode 100644 index 00000000..d68c49c9 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220810.py @@ -0,0 +1,47 @@ +from comfy import high + +@high( + name='rule_cve202220810', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_snmp='show running-config | include snmp-server|wireless' + ), +) +def rule_cve202220810(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20810 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient restrictions in the SNMP feature of Catalyst 9000 Family + Wireless Controllers that could allow sensitive configuration details to be disclosed. An authenticated, + remote attacker could exploit this vulnerability by retrieving data through SNMP read-only community access, + allowing them to view SSID preshared keys (PSKs) configured on the device. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check SNMP and wireless configuration + snmp_output = commands.check_snmp + + # Check if SNMP and wireless are configured + snmp_configured = 'snmp-server' in snmp_output + wireless_configured = 'wireless' in snmp_output + + # Device is vulnerable if it's a Cat9K and has both SNMP and wireless configured + is_vulnerable = is_cat9k and snmp_configured and wireless_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20810. " + "The device is a Catalyst 9000 Series wireless controller with SNMP configured, " + "which could allow an authenticated attacker to view SSID preshared keys through SNMP read-only access. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cwlc-snmpidv-rnyyQzUZ" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220837.py b/CVEasy/Cisco/2022/cisco_xe/cve202220837.py new file mode 100644 index 00000000..e0714f58 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220837.py @@ -0,0 +1,37 @@ +from comfy import high + + +@high( + name='rule_cve202220837', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_nat='show running-config | include ip nat|alg' + ), +) +def rule_cve202220837(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20837 vulnerability in Cisco IOS XE Software. + The vulnerability is due to a logic error in the DNS application layer gateway (ALG) functionality + used by Network Address Translation (NAT). An unauthenticated, remote attacker could exploit this + vulnerability by sending crafted IPv4 TCP DNS packets through an affected device that is performing + NAT for DNS packets, causing the device to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check NAT and ALG configuration + nat_output = commands.check_nat + + # Check if NAT is configured with DNS ALG + nat_configured = 'ip nat' in nat_output + alg_enabled = not ('no ip nat service alg dns tcp' in nat_output) # ALG is enabled by default + + # Device is vulnerable if NAT is configured and DNS ALG is not explicitly disabled + is_vulnerable = nat_configured and alg_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20837. " + "The device has NAT configured with DNS ALG enabled, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted IPv4 TCP DNS packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-alg-dos-KU9Z8kFX" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220847.py b/CVEasy/Cisco/2022/cisco_xe/cve202220847.py new file mode 100644 index 00000000..c6208b1e --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220847.py @@ -0,0 +1,48 @@ +from comfy import high + + +@high( + name='rule_cve202220847', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_dhcp='show running-config | include ip dhcp|wireless' + ), +) +def rule_cve202220847(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20847 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper processing of DHCP messages in Catalyst 9000 Family + Wireless Controllers. An unauthenticated, remote attacker could exploit this vulnerability + by sending malicious DHCP messages to an affected device, causing it to reload and resulting + in a denial of service (DoS) condition. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check DHCP and wireless configuration + dhcp_output = commands.check_dhcp + + # Check if DHCP and wireless are configured + dhcp_configured = 'ip dhcp' in dhcp_output + wireless_configured = 'wireless' in dhcp_output + + # Device is vulnerable if it's a Cat9K and has both DHCP and wireless configured + is_vulnerable = is_cat9k and dhcp_configured and wireless_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20847. " + "The device is a Catalyst 9000 Series wireless controller with DHCP configured, " + "which could allow an unauthenticated attacker to cause a denial of service through malicious DHCP messages. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-dhcp-dos-76pCjPxK" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220848.py b/CVEasy/Cisco/2022/cisco_xe/cve202220848.py new file mode 100644 index 00000000..cc4ef75a --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220848.py @@ -0,0 +1,51 @@ +from comfy import high + + +@high( + name='rule_cve202220848', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include ap|wireless' + ), +) +def rule_cve202220848(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20848 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper processing of UDP datagrams in Embedded Wireless Controllers + on Catalyst 9100 Series Access Points. An unauthenticated, remote attacker could exploit this + vulnerability by sending malicious UDP datagrams to an affected device, causing it to reload + and resulting in a denial of service (DoS) condition. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9100 Series AP + is_cat9100 = 'C91' in platform_output + + # If not a Catalyst 9100 device, it's not vulnerable + if not is_cat9100: + return + + # Extract the output of the command to check wireless configuration + wireless_output = commands.check_wireless + + # Check if device is configured as an embedded wireless controller + wireless_controller_enabled = any(feature in wireless_output for feature in [ + 'ap sso', + 'wireless management interface', + 'wireless controller' + ]) + + # Device is vulnerable if it's a Cat9100 and configured as wireless controller + is_vulnerable = is_cat9100 and wireless_controller_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20848. " + "The device is a Catalyst 9100 Series AP configured as an embedded wireless controller, " + "which could allow an unauthenticated attacker to cause a denial of service through malicious UDP datagrams. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-udp-dos-XDyEwhNz" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220851.py b/CVEasy/Cisco/2022/cisco_xe/cve202220851.py new file mode 100644 index 00000000..7104b977 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220851.py @@ -0,0 +1,37 @@ +from comfy import high + + +@high( + name='rule_cve202220851', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|restconf' + ), +) +def rule_cve202220851(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20851 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation in the web UI feature. + An authenticated, remote attacker with Administrator privileges could exploit this + vulnerability by sending crafted input to the web UI API, allowing them to execute + arbitrary commands on the underlying operating system with root privileges. + """ + # Extract the output of the command to check web UI configuration + webui_output = commands.check_webui + + # Check if web UI or RESTCONF is enabled + webui_enabled = any(feature in webui_output for feature in [ + 'ip http server', + 'ip http secure-server', + 'restconf' + ]) + + # Assert that the device is not vulnerable + assert not webui_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20851. " + "The device has web UI or RESTCONF enabled, " + "which could allow an authenticated attacker with Administrator privileges to execute arbitrary commands with root privileges. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-cmdinj-Gje47EMn" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220855.py b/CVEasy/Cisco/2022/cisco_xe/cve202220855.py new file mode 100644 index 00000000..2100bb57 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220855.py @@ -0,0 +1,51 @@ +from comfy import high + + +@high( + name='rule_cve202220855', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include ap|wireless' + ), +) +def rule_cve202220855(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20855 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper checks throughout the restart of certain system processes + in Embedded Wireless Controllers on Catalyst Access Points. An authenticated, local attacker with + privilege level 15 could exploit this vulnerability by executing certain CLI commands to escape + the restricted controller shell and execute arbitrary commands on the underlying OS as root. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9100 Series AP + is_cat9100 = 'C91' in platform_output + + # If not a Catalyst 9100 device, it's not vulnerable + if not is_cat9100: + return + + # Extract the output of the command to check wireless configuration + wireless_output = commands.check_wireless + + # Check if device is configured as an embedded wireless controller + wireless_controller_enabled = any(feature in wireless_output for feature in [ + 'ap sso', + 'wireless management interface', + 'wireless controller' + ]) + + # Device is vulnerable if it's a Cat9100 and configured as wireless controller + is_vulnerable = is_cat9100 and wireless_controller_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20855. " + "The device is a Catalyst 9100 Series AP configured as an embedded wireless controller, " + "which could allow a privileged attacker to execute arbitrary commands as root. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewc-priv-esc-nderYLtK" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220856.py b/CVEasy/Cisco/2022/cisco_xe/cve202220856.py new file mode 100644 index 00000000..a8c689e4 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220856.py @@ -0,0 +1,48 @@ +from comfy import high + + +@high( + name='rule_cve202220856', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_wireless='show running-config | include wireless|mobility' + ), +) +def rule_cve202220856(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20856 vulnerability in Cisco IOS XE Software. + The vulnerability is due to a logic error and improper management of resources related to + the handling of CAPWAP Mobility messages in Catalyst 9000 Family Wireless Controllers. + An unauthenticated, remote attacker could exploit this vulnerability by sending crafted + CAPWAP Mobility packets to exhaust resources on the affected device, causing it to reload. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9000 Series + is_cat9k = 'C9' in platform_output + + # If not a Catalyst 9000 device, it's not vulnerable + if not is_cat9k: + return + + # Extract the output of the command to check wireless and mobility configuration + wireless_output = commands.check_wireless + + # Check if wireless controller and mobility are configured + wireless_configured = 'wireless' in wireless_output + mobility_configured = 'mobility' in wireless_output + + # Device is vulnerable if it's a Cat9K and has both wireless and mobility configured + is_vulnerable = is_cat9k and wireless_configured and mobility_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20856. " + "The device is a Catalyst 9000 Series wireless controller with mobility configured, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted CAPWAP Mobility packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-mob-dos-342YAc6J" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220864.py b/CVEasy/Cisco/2022/cisco_xe/cve202220864.py new file mode 100644 index 00000000..91dc185e --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220864.py @@ -0,0 +1,44 @@ +from comfy import high + + +@high( + name='rule_cve202220864', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_password_recovery='show running-config | include no service password-recovery' + ), +) +def rule_cve202220864(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20864 vulnerability in Cisco IOS XE Software. + The vulnerability is due to a problem with the file and boot variable permissions in ROMMON + when password recovery is disabled. An unauthenticated, local attacker could exploit this + vulnerability by rebooting the switch into ROMMON and entering specific commands through + the console to read any file or reset the enable password. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst switch + is_catalyst = 'C9' in platform_output + + # If not a Catalyst switch, it's not vulnerable + if not is_catalyst: + return + + # Extract the output of the command to check password recovery configuration + password_recovery_output = commands.check_password_recovery + + # Check if password recovery is disabled + password_recovery_disabled = 'no service password-recovery' in password_recovery_output + + # Assert that the device is not vulnerable + assert not password_recovery_disabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20864. " + "The device is a Catalyst switch with password recovery disabled, " + "which could allow an unauthenticated attacker with physical access to recover configuration or reset passwords. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-info-disc-nrORXjO" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220870.py b/CVEasy/Cisco/2022/cisco_xe/cve202220870.py new file mode 100644 index 00000000..39da8e08 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220870.py @@ -0,0 +1,47 @@ +from comfy import high + + +@high( + name='rule_cve202220870', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_mpls='show running-config | include mpls' + ), +) +def rule_cve202220870(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20870 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation of IPv4 traffic in the egress MPLS + packet processing function of Catalyst 3650, 3850, and 9000 Family Switches. An unauthenticated, + remote attacker could exploit this vulnerability by sending a malformed packet out of an affected + MPLS-enabled interface, causing the device to reload. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a vulnerable Catalyst model (3650, 3850, or 9000 series) + is_vulnerable_platform = any(model in platform_output for model in ['C3650', 'C3850', 'C9']) + + # If not a vulnerable Catalyst model, it's not vulnerable + if not is_vulnerable_platform: + return + + # Extract the output of the command to check MPLS configuration + mpls_output = commands.check_mpls + + # Check if MPLS is enabled + mpls_enabled = 'mpls' in mpls_output + + # Device is vulnerable if it's a vulnerable platform and has MPLS enabled + is_vulnerable = is_vulnerable_platform and mpls_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20870. " + "The device is a Catalyst 3650/3850/9000 switch with MPLS enabled, " + "which could allow an unauthenticated attacker to cause a denial of service through malformed packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-mpls-dos-Ab4OUL3" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220915.py b/CVEasy/Cisco/2022/cisco_xe/cve202220915.py new file mode 100644 index 00000000..734d4009 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220915.py @@ -0,0 +1,47 @@ +from comfy import high + + +@high( + name='rule_cve202220915', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_6vpe='show running-config | include vrf|ipv6|zone', + check_zbfw='show running-config | include zone-pair|class-map|policy-map' + ), +) +def rule_cve202220915(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20915 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper error handling of an IPv6 packet that is forwarded from + an MPLS and ZBFW-enabled interface in a 6VPE deployment. An unauthenticated, adjacent attacker + could exploit this vulnerability by sending a crafted IPv6 packet sourced from a device on the + IPv6-enabled VRF interface through the affected device. + """ + # Extract the output of the commands + vpe_output = commands.check_6vpe + zbfw_output = commands.check_zbfw + + # Check if 6VPE is configured (requires VRF and IPv6) + vrf_configured = 'vrf' in vpe_output + ipv6_configured = 'ipv6' in vpe_output + vpe_configured = vrf_configured and ipv6_configured + + # Check if Zone-Based Firewall is configured + zbfw_configured = any(feature in zbfw_output for feature in [ + 'zone-pair', + 'class-map', + 'policy-map' + ]) + + # Device is vulnerable if both 6VPE and ZBFW are configured + is_vulnerable = vpe_configured and zbfw_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20915. " + "The device has IPv6 VPN over MPLS (6VPE) and Zone-Based Firewall configured, " + "which could allow an adjacent attacker to cause a denial of service through crafted IPv6 packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-6vpe-dos-tJBtf5Zv" + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220944.py b/CVEasy/Cisco/2022/cisco_xe/cve202220944.py new file mode 100644 index 00000000..42a825a2 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220944.py @@ -0,0 +1,48 @@ +from comfy import high + + +@high( + name='rule_cve202220944', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_secure_boot='show platform software authenticity' + ), +) +def rule_cve202220944(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20944 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper verification of digital signatures during the boot process + in Catalyst 9200 Series Switches. An unauthenticated, physical attacker could exploit this + vulnerability by loading unsigned code at system boot time, allowing them to bypass image + verification and execute arbitrary code. + """ + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9200 Series + is_cat9200 = 'C92' in platform_output + + # If not a Catalyst 9200 device, it's not vulnerable + if not is_cat9200: + return + + # Extract the output of the command to check secure boot status + secure_boot_output = commands.check_secure_boot + + # Check if secure boot is disabled or not properly configured + secure_boot_disabled = ( + 'Image verification is disabled' in secure_boot_output or + 'Secure Boot: disabled' in secure_boot_output or + not secure_boot_output # If no output, assume it's not properly configured + ) + + # Assert that the device is not vulnerable + assert not secure_boot_disabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20944. " + "The device is a Catalyst 9200 Series switch with image verification disabled or not properly configured, " + "which could allow an attacker with physical access to execute unsigned code at boot time. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-cat-verify-D4NEQA6q" + ) From c70fb5855dc5ec0292c81cb3334d6d9773040e1c Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Sun, 1 Jun 2025 19:55:35 +0000 Subject: [PATCH 05/22] cisco_xe 2022 cves --- CVEasy/Cisco/2022/cisco_xe/cve202220679.py | 2 +- CVEasy/Cisco/2022/cisco_xe/cve202220681.py | 2 ++ CVEasy/Cisco/2022/cisco_xe/cve202220693.py | 3 ++- CVEasy/Cisco/2022/cisco_xe/cve202220810.py | 1 + CVEasy/Cisco/2022/cisco_xe/cve202220837.py | 3 ++- CVEasy/Cisco/2022/cisco_xe/cve202220851.py | 3 ++- CVEasy/Cisco/2022/cisco_xe/cve202220856.py | 3 ++- CVEasy/Cisco/2022/cisco_xe/cve202220864.py | 3 ++- 8 files changed, 14 insertions(+), 6 deletions(-) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220679.py b/CVEasy/Cisco/2022/cisco_xe/cve202220679.py index 0654fb70..d876fa19 100644 --- a/CVEasy/Cisco/2022/cisco_xe/cve202220679.py +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220679.py @@ -44,4 +44,4 @@ def rule_cve202220679(configuration, commands, device, devices): "which could allow an attacker to cause a denial of service. " "For more information, see" "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qfp-ipsec-GQmqvtqV" - ) \ No newline at end of file + ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220681.py b/CVEasy/Cisco/2022/cisco_xe/cve202220681.py index 42aa3f4a..a75b1d96 100644 --- a/CVEasy/Cisco/2022/cisco_xe/cve202220681.py +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220681.py @@ -20,6 +20,8 @@ def rule_cve202220681(configuration, commands, device, devices): # Extract the version information from the command output version_output = commands.show_version + _ = version_output # intentionally unused + # Extract the platform information platform_output = commands.check_platform diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220693.py b/CVEasy/Cisco/2022/cisco_xe/cve202220693.py index 173c821e..5ff4d0d2 100644 --- a/CVEasy/Cisco/2022/cisco_xe/cve202220693.py +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220693.py @@ -31,7 +31,8 @@ def rule_cve202220693(configuration, commands, device, devices): assert not webui_enabled, ( f"Device {device.name} is vulnerable to CVE-2022-20693. " "The device has web UI or RESTCONF enabled, " - "which could allow an authenticated attacker to inject commands with root privileges through crafted API input. " + "which could allow an authenticated attacker to inject commands with root privileges through " + "crafted API input. " "For more information, see" "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webuiapi-inj-Nyrq92Od" ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220810.py b/CVEasy/Cisco/2022/cisco_xe/cve202220810.py index d68c49c9..800e1562 100644 --- a/CVEasy/Cisco/2022/cisco_xe/cve202220810.py +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220810.py @@ -1,5 +1,6 @@ from comfy import high + @high( name='rule_cve202220810', platform=['cisco_xe'], diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220837.py b/CVEasy/Cisco/2022/cisco_xe/cve202220837.py index e0714f58..4ad69d65 100644 --- a/CVEasy/Cisco/2022/cisco_xe/cve202220837.py +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220837.py @@ -31,7 +31,8 @@ def rule_cve202220837(configuration, commands, device, devices): assert not is_vulnerable, ( f"Device {device.name} is vulnerable to CVE-2022-20837. " "The device has NAT configured with DNS ALG enabled, " - "which could allow an unauthenticated attacker to cause a denial of service through crafted IPv4 TCP DNS packets. " + "which could allow an unauthenticated attacker to cause a denial of service through crafted " + "IPv4 TCP DNS packets. " "For more information, see" "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-alg-dos-KU9Z8kFX" ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220851.py b/CVEasy/Cisco/2022/cisco_xe/cve202220851.py index 7104b977..23b129aa 100644 --- a/CVEasy/Cisco/2022/cisco_xe/cve202220851.py +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220851.py @@ -31,7 +31,8 @@ def rule_cve202220851(configuration, commands, device, devices): assert not webui_enabled, ( f"Device {device.name} is vulnerable to CVE-2022-20851. " "The device has web UI or RESTCONF enabled, " - "which could allow an authenticated attacker with Administrator privileges to execute arbitrary commands with root privileges. " + "which could allow an authenticated attacker with Administrator privileges to execute arbitrary " + "commands with root privileges. " "For more information, see" "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-cmdinj-Gje47EMn" ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220856.py b/CVEasy/Cisco/2022/cisco_xe/cve202220856.py index a8c689e4..01b3ebcd 100644 --- a/CVEasy/Cisco/2022/cisco_xe/cve202220856.py +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220856.py @@ -42,7 +42,8 @@ def rule_cve202220856(configuration, commands, device, devices): assert not is_vulnerable, ( f"Device {device.name} is vulnerable to CVE-2022-20856. " "The device is a Catalyst 9000 Series wireless controller with mobility configured, " - "which could allow an unauthenticated attacker to cause a denial of service through crafted CAPWAP Mobility packets. " + "which could allow an unauthenticated attacker to cause a denial of service through crafted " + "CAPWAP Mobility packets. " "For more information, see" "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-mob-dos-342YAc6J" ) diff --git a/CVEasy/Cisco/2022/cisco_xe/cve202220864.py b/CVEasy/Cisco/2022/cisco_xe/cve202220864.py index 91dc185e..c0d1e7a5 100644 --- a/CVEasy/Cisco/2022/cisco_xe/cve202220864.py +++ b/CVEasy/Cisco/2022/cisco_xe/cve202220864.py @@ -38,7 +38,8 @@ def rule_cve202220864(configuration, commands, device, devices): assert not password_recovery_disabled, ( f"Device {device.name} is vulnerable to CVE-2022-20864. " "The device is a Catalyst switch with password recovery disabled, " - "which could allow an unauthenticated attacker with physical access to recover configuration or reset passwords. " + "which could allow an unauthenticated attacker with physical access to recover configuration " + "or reset passwords. " "For more information, see" "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-info-disc-nrORXjO" ) From 91456ea475da94c3dda644d69aff53d70ad61cff Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Sun, 1 Jun 2025 20:18:00 +0000 Subject: [PATCH 06/22] cisco_xr 2022 cves --- CVEasy/Cisco/2022/cisco_xr/__init__.py | 0 CVEasy/Cisco/2022/cisco_xr/cve202220655.py | 54 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xr/cve202220714.py | 33 ++++++++++++ CVEasy/Cisco/2022/cisco_xr/cve202220758.py | 37 ++++++++++++++ CVEasy/Cisco/2022/cisco_xr/cve202220821.py | 39 ++++++++++++++ CVEasy/Cisco/2022/cisco_xr/cve202220845.py | 59 ++++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xr/cve202220846.py | 58 +++++++++++++++++++++ CVEasy/Cisco/2022/cisco_xr/cve202220849.py | 55 ++++++++++++++++++++ 8 files changed, 335 insertions(+) create mode 100644 CVEasy/Cisco/2022/cisco_xr/__init__.py create mode 100644 CVEasy/Cisco/2022/cisco_xr/cve202220655.py create mode 100644 CVEasy/Cisco/2022/cisco_xr/cve202220714.py create mode 100644 CVEasy/Cisco/2022/cisco_xr/cve202220758.py create mode 100644 CVEasy/Cisco/2022/cisco_xr/cve202220821.py create mode 100644 CVEasy/Cisco/2022/cisco_xr/cve202220845.py create mode 100644 CVEasy/Cisco/2022/cisco_xr/cve202220846.py create mode 100644 CVEasy/Cisco/2022/cisco_xr/cve202220849.py diff --git a/CVEasy/Cisco/2022/cisco_xr/__init__.py b/CVEasy/Cisco/2022/cisco_xr/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220655.py b/CVEasy/Cisco/2022/cisco_xr/cve202220655.py new file mode 100644 index 00000000..d3229321 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220655.py @@ -0,0 +1,54 @@ +from comfy import high + + +@high( + name='rule_cve202220655', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_confd='show processes confd' + ), +) +def rule_cve202220655(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20655 vulnerability in Cisco IOS XR Software. + The vulnerability is due to insufficient validation of a process argument in the ConfD CLI. + An authenticated, local attacker could exploit this vulnerability by injecting commands during + the execution of this process, allowing them to execute arbitrary commands on the underlying + operating system with root privileges. + """ + # List of vulnerable versions + vulnerable_versions = [ + '7.0.1', '7.0.2', '7.0.3', '7.1.0', # IOS XR versions + '2.6.5', # Virtual Topology System versions + '4.3.9.1', '4.4.5.6', '4.5.7', '4.6.1.7', '4.7.1', '5.1.0.1', # Network Services Orchestrator versions + '3.12.1', # Enterprise NFV Infrastructure Software versions + '18.4.4', '19.2.1', # Catalyst SD-WAN Manager versions + '16.10.2', '16.12.1b', '17.2.1r', # IOS XE Catalyst SD-WAN versions + '18.4.4', '19.2.1' # SD-WAN vEdge Router versions + ] + + # Extract the version information + version_output = commands.show_version + + # Check if version is vulnerable + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check ConfD process + confd_output = commands.check_confd + + # Check if ConfD is running + confd_running = 'confd' in confd_output + + # Assert that the device is not vulnerable + assert not confd_running, ( + f"Device {device.name} is vulnerable to CVE-2022-20655. " + "The device is running a vulnerable version with ConfD enabled, " + "which could allow an authenticated attacker to execute arbitrary commands with root privileges. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cli-cmdinj-4MttWZPB" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220714.py b/CVEasy/Cisco/2022/cisco_xr/cve202220714.py new file mode 100644 index 00000000..c434098d --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220714.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202220714', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_linecard='show inventory | include Lightspeed-Plus' + ), +) +def rule_cve202220714(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20714 vulnerability in Cisco IOS XR Software. + The vulnerability is due to incorrect handling of malformed packets in the data plane microcode + of Lightspeed-Plus line cards for ASR 9000 Series routers. An unauthenticated, remote attacker + could exploit this vulnerability by sending crafted IPv4 or IPv6 packets through an affected device, + causing the line card to reset and resulting in a denial of service condition. + """ + # Extract the output of the command to check for Lightspeed-Plus line cards + linecard_output = commands.check_linecard + + # Check if Lightspeed-Plus line cards are present + lightspeed_plus_present = 'Lightspeed-Plus' in linecard_output + + # Assert that the device is not vulnerable + assert not lightspeed_plus_present, ( + f"Device {device.name} is vulnerable to CVE-2022-20714. " + "The device has Lightspeed-Plus line cards installed, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted IPv4/IPv6 packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lsplus-Z6AQEOjk" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220758.py b/CVEasy/Cisco/2022/cisco_xr/cve202220758.py new file mode 100644 index 00000000..5f0e6a84 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220758.py @@ -0,0 +1,37 @@ +from comfy import high + + +@high( + name='rule_cve202220758', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_bgp='show running-config | include router bgp|address-family l2vpn evpn' + ), +) +def rule_cve202220758(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20758 vulnerability in Cisco IOS XR Software. + The vulnerability is due to incorrect processing of BGP update messages containing specific EVPN attributes. + An unauthenticated, remote attacker could exploit this vulnerability by sending crafted BGP update messages + through an established trusted peer connection, causing the BGP process to restart and resulting in a + denial of service (DoS) condition. + """ + # Extract the output of the command to check BGP EVPN configuration + bgp_output = commands.check_bgp + + # Check if BGP is configured with L2VPN EVPN address family + bgp_configured = 'router bgp' in bgp_output + evpn_configured = 'address-family l2vpn evpn' in bgp_output + + # Device is vulnerable if both BGP and L2VPN EVPN are configured + is_vulnerable = bgp_configured and evpn_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20758. " + "The device has BGP configured with L2VPN EVPN address-family, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted BGP update messages. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgpevpn-zWTRtPBb" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220821.py b/CVEasy/Cisco/2022/cisco_xr/cve202220821.py new file mode 100644 index 00000000..befbecc7 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220821.py @@ -0,0 +1,39 @@ +from comfy import high + + +@high( + name='rule_cve202220821', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_redis='show processes | include redis', + check_port='show processes | include 6379' + ), +) +def rule_cve202220821(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20821 vulnerability in Cisco IOS XR Software. + The vulnerability is due to the health check RPM opening TCP port 6379 by default upon activation. + An unauthenticated, remote attacker could exploit this vulnerability by connecting to the Redis + instance on the open port, allowing them to write to the Redis in-memory database, write arbitrary + files to the container filesystem, and retrieve information about the Redis database. + """ + # Extract the output of the commands + redis_output = commands.check_redis + port_output = commands.check_port + + # Check if Redis is running and port 6379 is open + redis_running = 'redis' in redis_output + port_open = '6379' in port_output + + # Device is vulnerable if Redis is running and port 6379 is open + is_vulnerable = redis_running and port_open + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-20821. " + "The device has Redis running with port 6379 open, " + "which could allow an unauthenticated attacker to access and modify the Redis database. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220845.py b/CVEasy/Cisco/2022/cisco_xr/cve202220845.py new file mode 100644 index 00000000..6687124a --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220845.py @@ -0,0 +1,59 @@ +from comfy import high + + +@high( + name='rule_cve202220845', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis', + check_tl1='show processes | include tl1' + ), +) +def rule_cve202220845(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20845 vulnerability in Cisco IOS XR Software. + The vulnerability is due to TL1 not freeing memory under some conditions in NCS 4000 Series devices. + An authenticated, local attacker could exploit this vulnerability by connecting to the device and + issuing TL1 commands, causing the TL1 process to consume large amounts of memory and potentially + leading to a denial of service condition. + """ + # List of vulnerable versions + vulnerable_versions = [ + '6.5.25', '6.5.26', '6.5.28', '6.5.29', '6.5.31', '6.5.32' + ] + + # Extract the version information + version_output = commands.show_version + + # Check if version is vulnerable + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the platform information + platform_output = commands.check_platform + + # Check if the device is an NCS 4000 Series + is_ncs4k = 'NCS-4' in platform_output + + # If not an NCS 4000 device, it's not vulnerable + if not is_ncs4k: + return + + # Extract the output of the command to check TL1 process + tl1_output = commands.check_tl1 + + # Check if TL1 process is running + tl1_running = 'tl1' in tl1_output + + # Assert that the device is not vulnerable + assert not tl1_running, ( + f"Device {device.name} is vulnerable to CVE-2022-20845. " + "The device is an NCS 4000 Series running a vulnerable version with TL1 process enabled, " + "which could allow an authenticated attacker to cause a denial of service through memory exhaustion. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncs4k-tl1-GNnLwC6" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220846.py b/CVEasy/Cisco/2022/cisco_xr/cve202220846.py new file mode 100644 index 00000000..80868215 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220846.py @@ -0,0 +1,58 @@ +from comfy import high + + +@high( + name='rule_cve202220846', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_cdp='show running-config | include cdp' + ), +) +def rule_cve202220846(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20846 vulnerability in Cisco IOS XR Software. + The vulnerability is due to a heap buffer overflow in certain Cisco Discovery Protocol messages. + An unauthenticated, adjacent attacker could exploit this vulnerability by sending malicious + Cisco Discovery Protocol packets to an affected device, causing the CDP process to reload. + """ + # List of vulnerable versions + vulnerable_versions = [ + '6.5.1', '6.5.2', '6.5.3', '6.5.15', '6.5.25', '6.5.26', '6.5.28', '6.5.29', + '6.5.31', '6.5.32', '6.5.90', '6.5.92', '6.5.93', + '6.6.1', '6.6.2', '6.6.3', '6.6.4', '6.6.11', '6.6.12', '6.6.25', + '6.7.1', '6.7.2', '6.7.3', '6.7.4', '6.7.35', + '6.8.1', '6.8.2', '6.9.1', + '7.0.0', '7.0.1', '7.0.2', '7.0.11', '7.0.12', '7.0.14', '7.0.90', + '7.1.1', '7.1.2', '7.1.3', '7.1.15', '7.1.25', + '7.2.0', '7.2.1', '7.2.2', '7.2.12', + '7.3.1', '7.3.2', '7.3.3', '7.3.4', '7.3.15', '7.3.16', '7.3.27', + '7.4.1', '7.4.2', '7.4.15', '7.4.16', + '7.5.1', '7.5.2', '7.5.12', + '7.6.1', '7.6.15' + ] + + # Extract the version information + version_output = commands.show_version + + # Check if version is vulnerable + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check CDP configuration + cdp_output = commands.check_cdp + + # Check if CDP is enabled (CDP is enabled by default unless explicitly disabled) + cdp_disabled = 'no cdp' in cdp_output + + # Assert that the device is not vulnerable + assert cdp_disabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20846. " + "The device is running a vulnerable version with CDP enabled, " + "which could allow an adjacent attacker to cause a denial of service through malicious CDP packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xr-cdp-wnALzvT2" + ) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220849.py b/CVEasy/Cisco/2022/cisco_xr/cve202220849.py new file mode 100644 index 00000000..acc5b32b --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220849.py @@ -0,0 +1,55 @@ +from comfy import high + + +@high( + name='rule_cve202220849', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_pppoe='show running-config | include bba-group pppoe|pppoe enable' + ), +) +def rule_cve202220849(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20849 vulnerability in Cisco IOS XR Software. + The vulnerability is due to improper handling of error conditions within specific PPPoE packet + sequences in the Broadband Network Gateway feature. An unauthenticated, adjacent attacker could + exploit this vulnerability by sending a sequence of specific PPPoE packets from controlled CPE, + causing the PPPoE process to continually restart and resulting in a denial of service condition. + """ + # List of vulnerable versions + vulnerable_versions = [ + '6.5.1', '6.5.2', '6.5.3', '6.5.15', '6.6.1', '6.6.2', '6.6.3', '6.6.4', '6.6.25', + '6.7.1', '6.7.2', '6.7.3', '6.7.35', '6.8.1', '6.8.2', '6.9.1', + '7.0.1', '7.0.2', '7.0.90', '7.1.1', '7.1.2', '7.1.3', '7.1.15', '7.1.25', + '7.2.1', '7.2.2', '7.3.1', '7.3.2', '7.3.3', '7.3.4', '7.4.1', '7.4.2', + '7.5.1' + ] + + # Extract the version information + version_output = commands.show_version + + # Check if version is vulnerable + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check PPPoE configuration + pppoe_output = commands.check_pppoe + + # Check if PPPoE is configured + pppoe_configured = any(feature in pppoe_output for feature in [ + 'bba-group pppoe', + 'pppoe enable' + ]) + + # Assert that the device is not vulnerable + assert not pppoe_configured, ( + f"Device {device.name} is vulnerable to CVE-2022-20849. " + "The device is running a vulnerable version with PPPoE enabled, " + "which could allow an adjacent attacker to cause a denial of service through crafted PPPoE packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-bng-Gmg5Gxt" + ) From 35f3b68c9173776e97f1efa55712827c89aa25c5 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Sun, 1 Jun 2025 20:26:49 +0000 Subject: [PATCH 07/22] cisco_xr 2022 cves --- CVEasy/Cisco/2022/cisco_xr/cve202220758.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220758.py b/CVEasy/Cisco/2022/cisco_xr/cve202220758.py index 5f0e6a84..0b8c565f 100644 --- a/CVEasy/Cisco/2022/cisco_xr/cve202220758.py +++ b/CVEasy/Cisco/2022/cisco_xr/cve202220758.py @@ -31,7 +31,8 @@ def rule_cve202220758(configuration, commands, device, devices): assert not is_vulnerable, ( f"Device {device.name} is vulnerable to CVE-2022-20758. " "The device has BGP configured with L2VPN EVPN address-family, " - "which could allow an unauthenticated attacker to cause a denial of service through crafted BGP update messages. " + "which could allow an unauthenticated attacker to cause a denial of service through crafted " + "BGP update messages. " "For more information, see" "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgpevpn-zWTRtPBb" ) From c11981a297c59eebb7955baedec111363c6e600e Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Sun, 1 Jun 2025 20:33:43 +0000 Subject: [PATCH 08/22] cisco_nxos 2022 cves --- CVEasy/Cisco/2022/cisco_nxos/__init__.py | 0 CVEasy/Cisco/2022/cisco_nxos/cve202220623.py | 44 ++++++++++++++++++++ CVEasy/Cisco/2022/cisco_nxos/cve202220624.py | 38 +++++++++++++++++ CVEasy/Cisco/2022/cisco_nxos/cve202220625.py | 38 +++++++++++++++++ CVEasy/Cisco/2022/cisco_nxos/cve202220650.py | 37 ++++++++++++++++ CVEasy/Cisco/2022/cisco_nxos/cve202220823.py | 41 ++++++++++++++++++ CVEasy/Cisco/2022/cisco_nxos/cve202220824.py | 37 ++++++++++++++++ 7 files changed, 235 insertions(+) create mode 100644 CVEasy/Cisco/2022/cisco_nxos/__init__.py create mode 100644 CVEasy/Cisco/2022/cisco_nxos/cve202220623.py create mode 100644 CVEasy/Cisco/2022/cisco_nxos/cve202220624.py create mode 100644 CVEasy/Cisco/2022/cisco_nxos/cve202220625.py create mode 100644 CVEasy/Cisco/2022/cisco_nxos/cve202220650.py create mode 100644 CVEasy/Cisco/2022/cisco_nxos/cve202220823.py create mode 100644 CVEasy/Cisco/2022/cisco_nxos/cve202220824.py diff --git a/CVEasy/Cisco/2022/cisco_nxos/__init__.py b/CVEasy/Cisco/2022/cisco_nxos/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220623.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220623.py new file mode 100644 index 00000000..68d2b466 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220623.py @@ -0,0 +1,44 @@ +from comfy import high + + +@high( + name='rule_cve202220623', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_bfd='show running-config | include feature bfd' + ), +) +def rule_cve202220623(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20623 vulnerability in Cisco NX-OS Software. + The vulnerability is due to a logic error in the BFD rate limiter functionality of Nexus 9000 Series Switches. + An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted stream of traffic + through the device, causing BFD traffic to be dropped and resulting in BFD session flaps, route instability, + and a denial of service condition. + """ + # Extract the platform information + platform_output = commands.show_version + + # Check if the device is a Nexus 9000 Series + is_n9k = 'Nexus 9000' in platform_output + + # If not a Nexus 9000 device, it's not vulnerable + if not is_n9k: + return + + # Extract the output of the command to check BFD configuration + bfd_output = commands.check_bfd + + # Check if BFD is enabled + bfd_enabled = 'feature bfd' in bfd_output + + # Assert that the device is not vulnerable + assert not bfd_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20623. " + "The device is a Nexus 9000 Series switch with BFD enabled, " + "which could allow an unauthenticated attacker to cause BFD session flaps and a denial of service " + "through crafted traffic. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-bfd-dos-wGQXrzxn" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220624.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220624.py new file mode 100644 index 00000000..32f2796b --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220624.py @@ -0,0 +1,38 @@ +from comfy import high + + +@high( + name='rule_cve202220624', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_cfs='show running-config | include cfs ipv4 distribute' + ), +) +def rule_cve202220624(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20624 vulnerability in Cisco NX-OS Software. + The vulnerability is due to insufficient validation of incoming CFSoIP packets. + An unauthenticated, remote attacker could exploit this vulnerability by sending crafted + CFSoIP packets to an affected device, causing it to reload and resulting in a denial of + service condition. + """ + # Extract the output of the command to check CFS configuration + cfs_output = commands.check_cfs + + # Check if CFSoIP is enabled + cfs_enabled = 'cfs ipv4 distribute' in cfs_output + + # If CFSoIP is not enabled, device is not vulnerable + if not cfs_enabled: + return + + # Assert that the device is not vulnerable + assert not cfs_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20624. " + "The device has Cisco Fabric Services over IP (CFSoIP) enabled, " + "which could allow an unauthenticated attacker to cause a denial of service through crafted " + "CFSoIP packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cfsoip-dos-tpykyDr" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220625.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220625.py new file mode 100644 index 00000000..24ec9eb1 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220625.py @@ -0,0 +1,38 @@ +from comfy import high + + +@high( + name='rule_cve202220625', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_cdp='show running-config | include no cdp enable|cdp enable' + ), +) +def rule_cve202220625(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20625 vulnerability in Cisco NX-OS Software. + The vulnerability is due to improper handling of Cisco Discovery Protocol messages. + An unauthenticated, adjacent attacker could exploit this vulnerability by sending + malicious CDP packets to an affected device, causing the CDP service to fail and + restart, and in rare conditions, causing the entire device to restart. + """ + # Extract the output of the command to check CDP configuration + cdp_output = commands.check_cdp + + # Check if CDP is enabled + cdp_enabled = 'cdp enable' in cdp_output + + # If CDP is not enabled, device is not vulnerable + if not cdp_enabled: + return + + # Assert that the device is not vulnerable + assert not cdp_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20625. " + "The device has Cisco Discovery Protocol enabled, " + "which could allow an adjacent attacker to cause a denial of service through " + "malicious CDP packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cdp-dos-G8DPLWYG" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220650.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220650.py new file mode 100644 index 00000000..94e66d00 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220650.py @@ -0,0 +1,37 @@ +from comfy import high + + +@high( + name='rule_cve202220650', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_nxapi='show running-config | include feature nxapi' + ), +) +def rule_cve202220650(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20650 vulnerability in Cisco NX-OS Software. + The vulnerability is due to insufficient input validation of user supplied data that is sent to the NX-API. + An authenticated, remote attacker could exploit this vulnerability by sending a crafted HTTP POST request + to the NX-API of an affected device, allowing them to execute arbitrary commands with root privileges. + Note: The NX-API feature is disabled by default. + """ + # Extract the output of the command to check NX-API configuration + nxapi_output = commands.check_nxapi + + # Check if NX-API is enabled + nxapi_enabled = 'feature nxapi' in nxapi_output + + # If NX-API is not enabled, device is not vulnerable + if not nxapi_enabled: + return + + # Assert that the device is not vulnerable + assert not nxapi_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20650. " + "The device has NX-API enabled, which could allow an authenticated attacker " + "to execute arbitrary commands with root privileges through crafted HTTP POST requests. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-nxapi-cmdinject-ULukNMZ2" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220823.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220823.py new file mode 100644 index 00000000..b8a815ac --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220823.py @@ -0,0 +1,41 @@ +from comfy import high + + +@high( + name='rule_cve202220823', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_ospfv3='show running-config | include router ospfv3|ipv6 router ospf' + ), +) +def rule_cve202220823(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20823 vulnerability in Cisco NX-OS Software. + The vulnerability is due to incomplete input validation of specific OSPFv3 packets. + An unauthenticated, remote attacker could exploit this vulnerability by sending a malicious + OSPFv3 link-state advertisement (LSA) to an affected device, causing the OSPFv3 process to + crash and restart multiple times, leading to a denial of service condition. + Note: The OSPFv3 feature is disabled by default. + """ + # Extract the output of the command to check OSPFv3 configuration + ospfv3_output = commands.check_ospfv3 + + # Check if OSPFv3 is enabled (either via 'router ospfv3' or 'ipv6 router ospf') + ospfv3_enabled = any(feature in ospfv3_output for feature in [ + 'router ospfv3', + 'ipv6 router ospf' + ]) + + # If OSPFv3 is not enabled, device is not vulnerable + if not ospfv3_enabled: + return + + # Assert that the device is not vulnerable + assert not ospfv3_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20823. " + "The device has OSPFv3 enabled, which could allow an unauthenticated attacker " + "to cause a denial of service through malicious OSPFv3 LSA packets. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ospfv3-dos-48qutcu" + ) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py new file mode 100644 index 00000000..c43f8933 --- /dev/null +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py @@ -0,0 +1,37 @@ +from comfy import high + + +@high( + name='rule_cve202220824', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_cdp='show running-config | include no cdp enable|cdp enable' + ), +) +def rule_cve202220824(configuration, commands, device, devices): + """ + This rule checks for the CVE-2022-20824 vulnerability in Cisco NX-OS Software. + The vulnerability is due to improper input validation of specific values within Cisco Discovery Protocol messages. + An unauthenticated, adjacent attacker could exploit this vulnerability by sending malicious CDP packets to an + affected device, allowing them to execute arbitrary code with root privileges or cause a denial of service condition. + Note: CDP is enabled by default, and the attacker must be in the same broadcast domain (Layer 2 adjacent). + """ + # Extract the output of the command to check CDP configuration + cdp_output = commands.check_cdp + + # Check if CDP is enabled + cdp_enabled = 'cdp enable' in cdp_output + + # If CDP is not enabled, device is not vulnerable + if not cdp_enabled: + return + + # Assert that the device is not vulnerable + assert not cdp_enabled, ( + f"Device {device.name} is vulnerable to CVE-2022-20824. " + "The device has Cisco Discovery Protocol enabled, " + "which could allow an adjacent attacker to execute arbitrary code with root privileges or cause a denial of service. " + "For more information, see" + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-cdp-dos-ce-wWvPucC9" + ) From a16a8ac1ee153cd6a1cc3d66a74e1c1d41ac1301 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Sun, 1 Jun 2025 20:36:23 +0000 Subject: [PATCH 09/22] cisco_nxos 2022 cves --- CVEasy/Cisco/2022/cisco_nxos/cve202220824.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py index c43f8933..0f036b7e 100644 --- a/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py +++ b/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py @@ -14,7 +14,8 @@ def rule_cve202220824(configuration, commands, device, devices): This rule checks for the CVE-2022-20824 vulnerability in Cisco NX-OS Software. The vulnerability is due to improper input validation of specific values within Cisco Discovery Protocol messages. An unauthenticated, adjacent attacker could exploit this vulnerability by sending malicious CDP packets to an - affected device, allowing them to execute arbitrary code with root privileges or cause a denial of service condition. + affected device, allowing them to execute arbitrary code with root privileges or cause a denial of " + "service condition. Note: CDP is enabled by default, and the attacker must be in the same broadcast domain (Layer 2 adjacent). """ # Extract the output of the command to check CDP configuration @@ -31,7 +32,7 @@ def rule_cve202220824(configuration, commands, device, devices): assert not cdp_enabled, ( f"Device {device.name} is vulnerable to CVE-2022-20824. " "The device has Cisco Discovery Protocol enabled, " - "which could allow an adjacent attacker to execute arbitrary code with root privileges or cause a denial of service. " - "For more information, see" + "which could allow an adjacent attacker to execute arbitrary code with root privileges or cause a " + "denial of service. For more information, see" "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-cdp-dos-ce-wWvPucC9" ) From d0b64675470b19dbd4fab219505f45b6703646db Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Mon, 2 Jun 2025 16:51:04 +0000 Subject: [PATCH 10/22] arista 2022 2024 cve --- CVEasy/Arista/2022/__init__.py | 0 CVEasy/Arista/2022/cve202229071.py | 57 ++++++++++++++++++++++++++++++ CVEasy/Arista/2024/cve20244578.py | 48 +++++++++++++++++++++++++ 3 files changed, 105 insertions(+) create mode 100644 CVEasy/Arista/2022/__init__.py create mode 100644 CVEasy/Arista/2022/cve202229071.py create mode 100644 CVEasy/Arista/2024/cve20244578.py diff --git a/CVEasy/Arista/2022/__init__.py b/CVEasy/Arista/2022/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Arista/2022/cve202229071.py b/CVEasy/Arista/2022/cve202229071.py new file mode 100644 index 00000000..f0b916f7 --- /dev/null +++ b/CVEasy/Arista/2022/cve202229071.py @@ -0,0 +1,57 @@ +from comfy import high + + +@high( + name='rule_cve202229071', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_cvp_info='show cvp info' + ), +) +def rule_cve202229071(configuration, commands, device, devices): + """ + This rule checks for CVE-2022-29071 vulnerability in Arista CloudVision Portal (CVP). + The vulnerability allows user passwords to be leaked in the Audit and System logs, + which could expose sensitive information to other authenticated users. + """ + # Extract the CVP version information from the command output + version_output = commands.show_cvp_info + + # List of vulnerable software versions + vulnerable_versions = [ + # CVP versions + '2020.2', '2020.3', + '2021.1', '2021.2', '2021.3' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if this is an on-premises deployment + cvp_info = commands.show_cvp_info + is_onprem = 'Deployment: On-Premises' in cvp_info + + # Device is vulnerable if it's an on-premises deployment + is_vulnerable = is_onprem + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2022-29071. " + "The device is running a vulnerable version of CVP in an on-premises deployment, " + "which could allow user passwords to be leaked in Audit and System logs. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * CVP 2022.1.1 or later\n" + " * CVP 2022.2.0 or later\n" + "2. Until upgrade is complete, implement these workarounds:\n" + " * Change CVP user passwords and ensure they match switch enable passwords\n" + " * Restrict access to CVP application and host OS to trusted users only\n" + " * Regularly rotate user passwords\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/15865-security-advisory-0079" + ) diff --git a/CVEasy/Arista/2024/cve20244578.py b/CVEasy/Arista/2024/cve20244578.py new file mode 100644 index 00000000..5f3e115b --- /dev/null +++ b/CVEasy/Arista/2024/cve20244578.py @@ -0,0 +1,48 @@ +from comfy import high + + +@high( + name='rule_cve20244578', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_config='show running-config' + ), +) +def rule_cve20244578(configuration, commands, device, devices): + """ + This rule checks for CVE-2024-4578 vulnerability in Arista Wireless Access Points. + The vulnerability allows privilege escalation via spawning a bash shell when authenticated + as the "config" user via SSH. The spawned shell can obtain root privileges. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 13.0.2.x versions + '13.0.2-28-vv1002', + # 15.x versions are all vulnerable + '15.0', '15.1', '15.2', '15.3', '15.4', '15.5', '15.6', '15.7', '15.8', '15.9', + # 16.x versions up to the vulnerable version + '16.1.051-vv6' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Assert that the device is not vulnerable + assert not version_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2024-4578. " + "The device is running a vulnerable version that allows privilege escalation " + "via spawning a bash shell when authenticated as the 'config' user. " + "Upgrade to one of the following fixed versions:\n" + "- 13.0.2-28-vv1101 or later for 13.0.2.x\n" + "- 16.1.0-51-vv703 or later for 16.x\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/19844-security-advisory-0098" + ) From 64e93a38cc4e5145ad567717c1d608be3b7c7f48 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Mon, 2 Jun 2025 16:53:27 +0000 Subject: [PATCH 11/22] arista 2022 2024 cve --- CVEasy/Arista/2024/cve20244578.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CVEasy/Arista/2024/cve20244578.py b/CVEasy/Arista/2024/cve20244578.py index 5f3e115b..72adbe8d 100644 --- a/CVEasy/Arista/2024/cve20244578.py +++ b/CVEasy/Arista/2024/cve20244578.py @@ -12,7 +12,7 @@ def rule_cve20244578(configuration, commands, device, devices): """ This rule checks for CVE-2024-4578 vulnerability in Arista Wireless Access Points. - The vulnerability allows privilege escalation via spawning a bash shell when authenticated + The vulnerability allows privilege escalation via spawning a bash shell when authenticated as the "config" user via SSH. The spawned shell can obtain root privileges. """ # Extract the version information from the command output From 608e882764fe74424d872270044a68c66b3245b1 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Mon, 2 Jun 2025 17:06:15 +0000 Subject: [PATCH 12/22] Arista 2023 --- CVEasy/Arista/2023/__init__.py | 0 CVEasy/Arista/2023/cve202324509.py | 76 ++++++++++++++++++++++++ CVEasy/Arista/2023/cve202324510.py | 95 ++++++++++++++++++++++++++++++ CVEasy/Arista/2023/cve202324511.py | 64 ++++++++++++++++++++ CVEasy/Arista/2023/cve202324512.py | 70 ++++++++++++++++++++++ CVEasy/Arista/2023/cve202324513.py | 69 ++++++++++++++++++++++ CVEasy/Arista/2023/cve202324545.py | 69 ++++++++++++++++++++++ CVEasy/Arista/2023/cve202324547.py | 63 ++++++++++++++++++++ CVEasy/Arista/2023/cve202324548.py | 91 ++++++++++++++++++++++++++++ CVEasy/Arista/2023/cve20233646.py | 59 +++++++++++++++++++ CVEasy/Arista/2023/cve20236068.py | 51 ++++++++++++++++ 11 files changed, 707 insertions(+) create mode 100644 CVEasy/Arista/2023/__init__.py create mode 100644 CVEasy/Arista/2023/cve202324509.py create mode 100644 CVEasy/Arista/2023/cve202324510.py create mode 100644 CVEasy/Arista/2023/cve202324511.py create mode 100644 CVEasy/Arista/2023/cve202324512.py create mode 100644 CVEasy/Arista/2023/cve202324513.py create mode 100644 CVEasy/Arista/2023/cve202324545.py create mode 100644 CVEasy/Arista/2023/cve202324547.py create mode 100644 CVEasy/Arista/2023/cve202324548.py create mode 100644 CVEasy/Arista/2023/cve20233646.py create mode 100644 CVEasy/Arista/2023/cve20236068.py diff --git a/CVEasy/Arista/2023/__init__.py b/CVEasy/Arista/2023/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Arista/2023/cve202324509.py b/CVEasy/Arista/2023/cve202324509.py new file mode 100644 index 00000000..df7c364a --- /dev/null +++ b/CVEasy/Arista/2023/cve202324509.py @@ -0,0 +1,76 @@ +from comfy import high + + +@high( + name='rule_cve202324509', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_module='show module', + show_redundancy='show redundancy status' + ), +) +def rule_cve202324509(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-24509 vulnerability in Arista EOS devices. + The vulnerability allows privilege escalation when an unprivileged user logs into + the standby supervisor as root on devices with redundant supervisor modules and + RPR/SSO redundancy protocol configured. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.23.x versions + '4.23.0', '4.23.13M', + # 4.24.x versions + '4.24.0', '4.24.10M', + # 4.25.x versions + '4.25.0', '4.25.9M', + # 4.26.x versions + '4.26.0', '4.26.8M', + # 4.27.x versions + '4.27.0', '4.27.6M', + # 4.28.x versions + '4.28.0', '4.28.3M' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check for redundant supervisor modules + module_output = commands.show_module + has_standby_supervisor = 'Standby supervisor' in module_output + + # Check redundancy protocol configuration + redundancy_output = commands.show_redundancy + redundancy_configured = any(protocol in redundancy_output for protocol in [ + 'Route Processor Redundancy', + 'Stateful Switchover' + ]) + + # Device is vulnerable if it has both conditions + is_vulnerable = has_standby_supervisor and redundancy_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2023-24509. " + "The device is running a vulnerable version AND has redundant supervisor modules with RPR/SSO configured, " + "which could allow privilege escalation via root access to standby supervisor. " + "Recommended fixes:\n" + "- Upgrade to one of the following fixed versions:\n" + " * 4.28.4M or later for 4.28.x train\n" + " * 4.27.7M or later for 4.27.x train\n" + " * 4.26.9M or later for 4.26.x train\n" + " * 4.25.10M or later for 4.25.x train\n" + " * 4.24.11M or later for 4.24.x train\n" + "- Or apply the hotfix for supported versions\n" + "Workaround: Disable SSH CLI command in unprivileged mode using RBAC\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/16985-security-advisory-0082" + ) diff --git a/CVEasy/Arista/2023/cve202324510.py b/CVEasy/Arista/2023/cve202324510.py new file mode 100644 index 00000000..03bbe4f2 --- /dev/null +++ b/CVEasy/Arista/2023/cve202324510.py @@ -0,0 +1,95 @@ +from comfy import high + + +@high( + name='rule_cve202324510', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_ip_helper='show running-config | include ip helper-address' + ), +) +def rule_cve202324510(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-24510 vulnerability in Arista EOS devices. + The vulnerability allows a malformed DHCP packet to cause the DHCP relay agent to restart + when specific ip helper-address configurations are present on the same interface. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.25.x versions + '4.25.0F', '4.25.10M', + # 4.26.x versions + '4.26.0F', '4.26.9M', + # 4.27.x versions + '4.27.0F', '4.27.9M', + # 4.28.x versions + '4.28.0F', '4.28.6.1M', + # 4.29.x versions + '4.29.0F', '4.29.1F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check for vulnerable ip helper-address configurations + helper_config = commands.show_ip_helper + config_lines = helper_config.splitlines() + + # Track interfaces with multiple helper addresses + interface_helpers = {} + current_interface = None + + # Parse configuration to find interfaces with multiple helper addresses + for line in config_lines: + if 'interface' in line: + current_interface = line + interface_helpers[current_interface] = { + 'source_interface': False, + 'vrf': False, + 'basic': False + } + elif current_interface and 'ip helper-address' in line: + if 'source-interface' in line: + interface_helpers[current_interface]['source_interface'] = True + elif 'vrf' in line: + interface_helpers[current_interface]['vrf'] = True + else: + interface_helpers[current_interface]['basic'] = True + + # Check for vulnerable configurations + vulnerable_config = False + for interface, config in interface_helpers.items(): + # Scenario One: One command uses source-interface, second command is basic + if config['source_interface'] and config['basic']: + vulnerable_config = True + break + # Scenario Two: One command in VRF, second command is basic + if config['vrf'] and config['basic']: + vulnerable_config = True + break + + # Assert that the device is not vulnerable + assert not vulnerable_config, ( + f"Device {device.name} is vulnerable to CVE-2023-24510. " + "The device is running a vulnerable version AND has multiple ip helper-address commands " + "configured on the same interface in a vulnerable combination:\n" + "- One command using source-interface with a basic command, or\n" + "- One command in a VRF with a basic command\n" + "Recommended fixes:\n" + "- Upgrade to one of the following fixed versions:\n" + " * 4.29.2F or later for 4.29.x train\n" + " * 4.28.7M or later for 4.28.x train\n" + " * 4.27.10M or later for 4.27.x train\n" + " * 4.26.10M or later for 4.26.x train\n" + "- Or apply the hotfix for supported versions\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/17445-security-advisory-0087" + ) diff --git a/CVEasy/Arista/2023/cve202324511.py b/CVEasy/Arista/2023/cve202324511.py new file mode 100644 index 00000000..b6074a11 --- /dev/null +++ b/CVEasy/Arista/2023/cve202324511.py @@ -0,0 +1,64 @@ +from comfy import high + + +@high( + name='rule_cve202324511', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_snmp='show running-config | include snmp-server' + ), +) +def rule_cve202324511(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-24511 vulnerability in Arista EOS devices. + The vulnerability allows a specially crafted SNMP packet to cause a memory leak in the snmpd process, + which can lead to process termination and memory resource exhaustion. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.24.x versions + '4.24.0', '4.24.11M', + # 4.25.x versions + '4.25.0', '4.25.10M', + # 4.26.x versions + '4.26.0', '4.26.9M', + # 4.27.x versions + '4.27.0', '4.27.8.1M', + # 4.28.x versions + '4.28.0', '4.28.5.1M', + # 4.29.x versions + '4.29.0', '4.29.1F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if SNMP is configured + snmp_config = commands.show_snmp + snmp_enabled = 'snmp-server' in snmp_config + + # Assert that the device is not vulnerable + assert not snmp_enabled, ( + f"Device {device.name} is vulnerable to CVE-2023-24511. " + "The device is running a vulnerable version AND has SNMP configured, " + "which could allow memory leaks in the snmpd process leading to service disruption. " + "Recommended fixes:\n" + "- Upgrade to one of the following fixed versions:\n" + " * 4.29.2F or later for 4.29.x train\n" + " * 4.28.6M or later for 4.28.x train\n" + " * 4.27.9M or later for 4.27.x train\n" + " * 4.26.10M or later for 4.26.x train\n" + "Workaround: Configure SNMP ACLs to restrict access:\n" + " snmp-server ipv4 access-list allowHosts4\n" + " snmp-server ipv6 access-list allowHosts6\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/17239-security-advisory-0084" + ) diff --git a/CVEasy/Arista/2023/cve202324512.py b/CVEasy/Arista/2023/cve202324512.py new file mode 100644 index 00000000..0bb76000 --- /dev/null +++ b/CVEasy/Arista/2023/cve202324512.py @@ -0,0 +1,70 @@ +from comfy import high + + +@high( + name='rule_cve202324512', + platform=['arista_eos'], + commands=dict( + show_version='show version detail | grep TerminAttr-core', + show_daemon='show daemon TerminAttr', + show_daemon_config='show running-config | section daemon TerminAttr' + ), +) +def rule_cve202324512(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-24512 vulnerability in Arista EOS devices. + The vulnerability allows an authorized attacker with gNMI permissions to craft requests + that could update arbitrary configurations in the switch when the Streaming Telemetry + Agent (TerminAttr) is enabled with gNMI access. + """ + # Extract the TerminAttr version from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # Specific version + 'v1.23.0', + # Version ranges + 'v1.19.', 'v1.20.', 'v1.21.', 'v1.22.0', 'v1.22.1', + 'v1.24.0', 'v1.24.1', 'v1.24.2', 'v1.24.3' + ] + + # Check if the current version matches any vulnerable version patterns + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if TerminAttr daemon is running + daemon_output = commands.show_daemon + daemon_running = 'running with PID' in daemon_output + + # Check if gNMI access is configured + daemon_config = commands.show_daemon_config + gnmi_enabled = '-grpcaddr=' in daemon_config and '-grpcreadonly' not in daemon_config + + # Device is vulnerable if daemon is running and gNMI is enabled without read-only mode + is_vulnerable = daemon_running and gnmi_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2023-24512. " + "The device is running a vulnerable version of TerminAttr AND has the daemon running " + "with gNMI access enabled without read-only mode. " + "Recommended fixes:\n" + "1. Upgrade TerminAttr:\n" + " * Version 1.25.0 or later\n" + " * Version 1.22.2 or later for 1.22.x train\n" + " * Version 1.19.6 or later for 1.19.x train\n" + "2. Or upgrade EOS to a version with fixed TerminAttr:\n" + " * 4.29.2F or later (includes TerminAttr 1.25.0+)\n" + " * 4.28.6M or later (includes TerminAttr 1.22.2+)\n" + " * 4.27.9M or later (includes TerminAttr 1.19.6+)\n" + " * 4.26.10M or later (includes TerminAttr 1.19.6+)\n" + "Workaround: Configure gRPC read-only mode:\n" + " daemon TerminAttr\n" + " exec /usr/bin/TerminAttr -grpcreadonly -grpcaddr=... \n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/17250-security-advisory-0086" + ) diff --git a/CVEasy/Arista/2023/cve202324513.py b/CVEasy/Arista/2023/cve202324513.py new file mode 100644 index 00000000..62252aa1 --- /dev/null +++ b/CVEasy/Arista/2023/cve202324513.py @@ -0,0 +1,69 @@ +from comfy import high + + +@high( + name='rule_cve202324513', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_sfe='show sfe status', + show_platform='show platform cloudeos' + ), +) +def rule_cve202324513(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-24513 vulnerability in Arista CloudEOS devices. + The vulnerability in the Software Forwarding Engine (Sfe) can lead to a potential + denial of service attack by sending malformed packets to the switch, causing packet + buffer leaks that may eventually stop traffic forwarding. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.26.x versions + '4.26.0F', '4.26.9M', + # 4.27.x versions + '4.27.0F', '4.27.8M', + # 4.28.x versions + '4.28.0F', '4.28.5M', + # 4.29.x versions + '4.29.0F', '4.29.1F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if this is a CloudEOS platform + platform_output = commands.show_platform + is_cloudeos = 'CloudEOS' in platform_output + + # Check if SFE is enabled (default on CloudEOS) + sfe_output = commands.show_sfe + sfe_enabled = 'SFE enabled' in sfe_output + + # Device is vulnerable if it's CloudEOS with SFE enabled + is_vulnerable = is_cloudeos and sfe_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2023-24513. " + "The device is running a vulnerable version on CloudEOS platform with Software Forwarding Engine (SFE) enabled, " + "which could allow malformed packets to cause buffer leaks and stop traffic forwarding. " + "Recommended fixes:\n" + "- Upgrade to one of the following fixed versions:\n" + " * 4.29.2F or later for 4.29.x train\n" + " * 4.28.6M or later for 4.28.x train\n" + " * 4.27.9M or later for 4.27.x train\n" + " * 4.26.10M or later for 4.26.x train\n" + "- Or apply the appropriate hotfix for your version\n" + "Note: Installing/uninstalling the hotfix will cause SFE agent to restart " + "and stop forwarding traffic for up to 10 seconds.\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/17240-security-advisory-0085" + ) diff --git a/CVEasy/Arista/2023/cve202324545.py b/CVEasy/Arista/2023/cve202324545.py new file mode 100644 index 00000000..45407ff1 --- /dev/null +++ b/CVEasy/Arista/2023/cve202324545.py @@ -0,0 +1,69 @@ +from comfy import high + + +@high( + name='rule_cve202324545', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_sfe='show sfe status', + show_platform='show platform cloudeos' + ), +) +def rule_cve202324545(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-24545 vulnerability in Arista CloudEOS devices. + The vulnerability in the Software Forwarding Engine (Sfe) can lead to a potential + denial of service attack by sending malformed packets to the switch, causing packet + buffer leaks that may eventually stop traffic forwarding. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.26.x versions + '4.26.0F', '4.26.8M', + # 4.27.x versions + '4.27.0F', '4.27.7M', + # 4.28.x versions + '4.28.0F', '4.28.4M', + # 4.29.x versions + '4.29.0F', '4.29.1F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if this is a CloudEOS platform + platform_output = commands.show_platform + is_cloudeos = 'CloudEOS' in platform_output + + # Check if SFE is enabled (default on CloudEOS) + sfe_output = commands.show_sfe + sfe_enabled = 'SFE enabled' in sfe_output + + # Device is vulnerable if it's CloudEOS with SFE enabled + is_vulnerable = is_cloudeos and sfe_enabled + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2023-24545. " + "The device is running a vulnerable version on CloudEOS platform with Software Forwarding Engine (SFE) enabled, " + "which could allow malformed packets to cause buffer leaks and stop traffic forwarding. " + "Recommended fixes:\n" + "- Upgrade to one of the following fixed versions:\n" + " * 4.29.2F or later for 4.29.x train\n" + " * 4.28.5M or later for 4.28.x train\n" + " * 4.27.8M or later for 4.27.x train\n" + " * 4.26.9M or later for 4.26.x train\n" + "- Or apply the appropriate hotfix for your version\n" + "Note: Installing/uninstalling the hotfix will cause SFE agent to restart " + "and stop forwarding traffic for up to 10 seconds.\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/17240-security-advisory-0085" + ) diff --git a/CVEasy/Arista/2023/cve202324547.py b/CVEasy/Arista/2023/cve202324547.py new file mode 100644 index 00000000..10f1c7f1 --- /dev/null +++ b/CVEasy/Arista/2023/cve202324547.py @@ -0,0 +1,63 @@ +from comfy import high + + +@high( + name='rule_cve202324547', + platform=['arista_mos'], + commands=dict( + show_version='show version', + show_bgp_config='show running-config | section router bgp' + ), +) +def rule_cve202324547(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-24547 vulnerability in Arista MOS devices. + The vulnerability exposes BGP passwords in clear text in logs and running configuration, + which could allow authenticated users to view sensitive password information. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # MOS versions from 0.13.0 through 0.39.4 + '0.13.0', '0.34.0', + '0.35.3', + '0.36.0', '0.36.9', + '0.37.0', '0.37.1', + '0.38.0', '0.38.1', + '0.39.0', '0.39.1', '0.39.2', '0.39.3', '0.39.4' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check BGP configuration for plaintext passwords + bgp_config = commands.show_bgp_config + + # Look for BGP neighbor password configurations without type 7 encryption + has_plaintext_password = False + for line in bgp_config.splitlines(): + if 'neighbor' in line and 'password' in line and 'key 7' not in line: + has_plaintext_password = True + break + + # Assert that the device is not vulnerable + assert not has_plaintext_password, ( + f"Device {device.name} is vulnerable to CVE-2023-24547. " + "The device is running a vulnerable version of MOS AND has BGP neighbors configured " + "with plaintext passwords, which could expose sensitive information in logs and running config. " + "Recommended fixes:\n" + "1. Upgrade to one of the following fixed versions:\n" + " * MOS-0.39.4 or later for 0.39.x train\n" + " * MOS-0.36.10 or later for 0.36.x train\n" + "2. After upgrading, passwords will be automatically obfuscated with type-7 encryption\n" + "3. It is recommended to rotate BGP passwords after upgrading since they may have been exposed\n" + "Note: Only MOS-0.39.x and MOS-0.36.x trains are currently under maintenance support.\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/18644-security-advisory-0090" + ) diff --git a/CVEasy/Arista/2023/cve202324548.py b/CVEasy/Arista/2023/cve202324548.py new file mode 100644 index 00000000..d2fb8f22 --- /dev/null +++ b/CVEasy/Arista/2023/cve202324548.py @@ -0,0 +1,91 @@ +from comfy import high + + +@high( + name='rule_cve202324548', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_ip_routing='show running-config | include ip routing', + show_vxlan_config='show running-config | section vxlan', + show_vxlan_vni='show vxlan vni', + show_vlan='show vlan', + show_ip_interface='show ip interface brief' + ), +) +def rule_cve202324548(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-24548 vulnerability in Arista EOS devices. + The vulnerability allows malformed or truncated packets received over a VXLAN tunnel + to cause egress ports to be unable to forward packets when certain conditions are met. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.22.x versions + '4.22.1F', '4.22.13M', + # 4.23.x versions + '4.23.0', '4.23.14M', + # 4.24.x versions + '4.24.0', '4.24.11M', + # 4.25.x versions + '4.25.0F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if IP routing is enabled + ip_routing = commands.show_ip_routing + routing_enabled = 'ip routing' in ip_routing + + # Check if VXLAN is configured + vxlan_config = commands.show_vxlan_config + vxlan_enabled = 'interface Vxlan1' in vxlan_config + + # Check if VXLAN VNIs are routable + vxlan_vni = commands.show_vxlan_vni + vlan_info = commands.show_vlan + ip_interfaces = commands.show_ip_interface + + # Look for routable VNIs (either VLAN interfaces or VRF-mapped) + has_routable_vni = False + if vxlan_enabled: + # Check for VLANs with IP addresses that are also mapped to VNIs + for line in vxlan_vni.splitlines(): + if 'VNI' in line and 'VLAN' in line: + vlan_id = line.split()[1].strip() + # Check if this VLAN has an IP interface that's up + if f"Vlan{vlan_id}" in ip_interfaces and 'up' in ip_interfaces: + has_routable_vni = True + break + + # Device is vulnerable if all conditions are met + is_vulnerable = routing_enabled and vxlan_enabled and has_routable_vni + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2023-24548. " + "The device is running a vulnerable version AND has all vulnerability conditions met:\n" + "1. IP routing is enabled\n" + "2. VXLAN is configured\n" + "3. Has routable VXLAN VNIs\n" + "This could allow malformed VXLAN packets to cause egress ports to stop forwarding.\n" + "Recommended fixes:\n" + "- Upgrade to one of the following fixed versions:\n" + " * 4.30.0F or later for 4.30.x train\n" + " * 4.29.0F or later for 4.29.x train\n" + " * 4.28.0F or later for 4.28.x train\n" + " * 4.27.0F or later for 4.27.x train\n" + " * 4.26.0F or later for 4.26.x train\n" + " * 4.25.1F or later for 4.25.x train\n" + "Note: No remediation is planned for EOS versions beyond their support lifecycle (4.22, 4.23).\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/18043-security-advisory-0089" + ) diff --git a/CVEasy/Arista/2023/cve20233646.py b/CVEasy/Arista/2023/cve20233646.py new file mode 100644 index 00000000..d924a336 --- /dev/null +++ b/CVEasy/Arista/2023/cve20233646.py @@ -0,0 +1,59 @@ +from comfy import high + + +@high( + name='rule_cve20233646', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_monitor='show monitor session', + show_config='show running-config | section monitor' + ), +) +def rule_cve20233646(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-3646 vulnerability in Arista EOS devices. + The vulnerability can trigger a kernel panic and cause system reload when mirroring + to multiple destinations is configured. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.28.x versions + '4.28.2F', '4.28.3F', '4.28.4F', '4.28.5F', '4.28.5.1M', + # 4.29.x versions + '4.29.0F', '4.29.1F' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check for multiple destination ports in monitor sessions + monitor_output = commands.show_monitor + config_output = commands.show_config + + # Check if any monitor session has multiple destinations configured + multiple_destinations = False + if 'Session' in monitor_output: + # Count destination ports in active sessions + dest_ports = len([line for line in monitor_output.splitlines() if ': active' in line]) + multiple_destinations = dest_ports > 1 + + # Assert that the device is not vulnerable + assert not multiple_destinations, ( + f"Device {device.name} is vulnerable to CVE-2023-3646. " + "The device is running a vulnerable version AND has mirroring to multiple destinations configured, " + "which could trigger a kernel panic and cause system reload. " + "Recommended fixes:\n" + "- Upgrade to 4.28.6M or later for 4.28.x train\n" + "- Upgrade to 4.29.2F or later for 4.29.x train\n" + "- Workaround: Remove mirroring configuration to multiple destinations\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/18042-security-advisory-0088" + ) diff --git a/CVEasy/Arista/2023/cve20236068.py b/CVEasy/Arista/2023/cve20236068.py new file mode 100644 index 00000000..01686680 --- /dev/null +++ b/CVEasy/Arista/2023/cve20236068.py @@ -0,0 +1,51 @@ +from comfy import high + + +@high( + name='rule_cve20236068', + platform=['arista_eos'], + commands=dict( + show_version='show version', + show_multiaccess='show running-config | section multiaccess' + ), +) +def rule_cve20236068(configuration, commands, device, devices): + """ + This rule checks for CVE-2023-6068 vulnerability in Arista MOS devices with MultiAccess FPGA. + The vulnerability can cause incorrect operation of configured ACLs on ports, resulting in some + packets that should be denied being permitted. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # MultiAccess FPGA versions + 'multiaccess-1.7.1', + 'multiaccess-1.6' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Check if MultiAccess FPGA is configured with ACLs + config_output = commands.show_multiaccess + acl_configured = 'access-list' in config_output + + # Assert that the device is not vulnerable + assert not acl_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-6068. " + "The device is running a vulnerable version of MultiAccess FPGA software " + "and has ACLs configured, which may result in incorrect ACL operation. " + "Recommended fixes:\n" + "- Upgrade to MultiAccess FPGA 1.8.0 or later\n" + "Workaround:\n" + "- Only apply one access-list to any particular port after the MultiAccess image is loaded\n" + "- If a new access-list needs to be applied, reload the FPGA image after applying it\n" + "For more information, see" + "https://www.arista.com/en/support/advisories-notices/security-advisory/19023-security-advisory-0091" + ) From efe7a0bc996498936af51bff35d84376cccd9a2d Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Mon, 2 Jun 2025 17:19:10 +0000 Subject: [PATCH 13/22] Arista 2023 --- CVEasy/Arista/2023/cve202324513.py | 3 ++- CVEasy/Arista/2023/cve202324545.py | 3 ++- CVEasy/Arista/2023/cve202324547.py | 2 +- CVEasy/Arista/2023/cve202324548.py | 1 - CVEasy/Arista/2023/cve20233646.py | 2 -- 5 files changed, 5 insertions(+), 6 deletions(-) diff --git a/CVEasy/Arista/2023/cve202324513.py b/CVEasy/Arista/2023/cve202324513.py index 62252aa1..df890217 100644 --- a/CVEasy/Arista/2023/cve202324513.py +++ b/CVEasy/Arista/2023/cve202324513.py @@ -53,7 +53,8 @@ def rule_cve202324513(configuration, commands, device, devices): # Assert that the device is not vulnerable assert not is_vulnerable, ( f"Device {device.name} is vulnerable to CVE-2023-24513. " - "The device is running a vulnerable version on CloudEOS platform with Software Forwarding Engine (SFE) enabled, " + "The device is running a vulnerable version on CloudEOS platform with " + "Software Forwarding Engine (SFE) enabled, " "which could allow malformed packets to cause buffer leaks and stop traffic forwarding. " "Recommended fixes:\n" "- Upgrade to one of the following fixed versions:\n" diff --git a/CVEasy/Arista/2023/cve202324545.py b/CVEasy/Arista/2023/cve202324545.py index 45407ff1..55e17960 100644 --- a/CVEasy/Arista/2023/cve202324545.py +++ b/CVEasy/Arista/2023/cve202324545.py @@ -53,7 +53,8 @@ def rule_cve202324545(configuration, commands, device, devices): # Assert that the device is not vulnerable assert not is_vulnerable, ( f"Device {device.name} is vulnerable to CVE-2023-24545. " - "The device is running a vulnerable version on CloudEOS platform with Software Forwarding Engine (SFE) enabled, " + "The device is running a vulnerable version on CloudEOS platform with " + "Software Forwarding Engine (SFE) enabled, " "which could allow malformed packets to cause buffer leaks and stop traffic forwarding. " "Recommended fixes:\n" "- Upgrade to one of the following fixed versions:\n" diff --git a/CVEasy/Arista/2023/cve202324547.py b/CVEasy/Arista/2023/cve202324547.py index 10f1c7f1..7103073a 100644 --- a/CVEasy/Arista/2023/cve202324547.py +++ b/CVEasy/Arista/2023/cve202324547.py @@ -38,7 +38,7 @@ def rule_cve202324547(configuration, commands, device, devices): # Check BGP configuration for plaintext passwords bgp_config = commands.show_bgp_config - + # Look for BGP neighbor password configurations without type 7 encryption has_plaintext_password = False for line in bgp_config.splitlines(): diff --git a/CVEasy/Arista/2023/cve202324548.py b/CVEasy/Arista/2023/cve202324548.py index d2fb8f22..c85853bc 100644 --- a/CVEasy/Arista/2023/cve202324548.py +++ b/CVEasy/Arista/2023/cve202324548.py @@ -51,7 +51,6 @@ def rule_cve202324548(configuration, commands, device, devices): # Check if VXLAN VNIs are routable vxlan_vni = commands.show_vxlan_vni - vlan_info = commands.show_vlan ip_interfaces = commands.show_ip_interface # Look for routable VNIs (either VLAN interfaces or VRF-mapped) diff --git a/CVEasy/Arista/2023/cve20233646.py b/CVEasy/Arista/2023/cve20233646.py index d924a336..43ed1591 100644 --- a/CVEasy/Arista/2023/cve20233646.py +++ b/CVEasy/Arista/2023/cve20233646.py @@ -7,7 +7,6 @@ commands=dict( show_version='show version', show_monitor='show monitor session', - show_config='show running-config | section monitor' ), ) def rule_cve20233646(configuration, commands, device, devices): @@ -36,7 +35,6 @@ def rule_cve20233646(configuration, commands, device, devices): # Check for multiple destination ports in monitor sessions monitor_output = commands.show_monitor - config_output = commands.show_config # Check if any monitor session has multiple destinations configured multiple_destinations = False From aad77260d4fd07c5139816b4b3fa53de1aab1cd4 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Tue, 3 Jun 2025 09:31:59 +0000 Subject: [PATCH 14/22] cisco_ios 2023 cve --- CVEasy/Cisco/2023/cisco_ios/__init__.py | 0 CVEasy/Cisco/2023/cisco_ios/cve202320076.py | 33 +++++++++++++ CVEasy/Cisco/2023/cisco_ios/cve202320080.py | 32 ++++++++++++ CVEasy/Cisco/2023/cisco_ios/cve202320081.py | 34 +++++++++++++ CVEasy/Cisco/2023/cisco_ios/cve202320109.py | 33 +++++++++++++ CVEasy/Cisco/2023/cisco_ios/cve202320186.py | 55 +++++++++++++++++++++ 6 files changed, 187 insertions(+) create mode 100644 CVEasy/Cisco/2023/cisco_ios/__init__.py create mode 100644 CVEasy/Cisco/2023/cisco_ios/cve202320076.py create mode 100644 CVEasy/Cisco/2023/cisco_ios/cve202320080.py create mode 100644 CVEasy/Cisco/2023/cisco_ios/cve202320081.py create mode 100644 CVEasy/Cisco/2023/cisco_ios/cve202320109.py create mode 100644 CVEasy/Cisco/2023/cisco_ios/cve202320186.py diff --git a/CVEasy/Cisco/2023/cisco_ios/__init__.py b/CVEasy/Cisco/2023/cisco_ios/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2023/cisco_ios/cve202320076.py b/CVEasy/Cisco/2023/cisco_ios/cve202320076.py new file mode 100644 index 00000000..ce3db4b3 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_ios/cve202320076.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202320076', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_iox='show running-config | include iox' + ), +) +def rule_cve202320076(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20076 vulnerability in Cisco IOS Software. + The vulnerability is due to incomplete sanitization of parameters that are passed in for + activation of an application in the Cisco IOx application hosting environment. An attacker + could exploit this vulnerability by deploying and activating an application with a crafted + activation payload file. + """ + # Extract the output of the command to check IOx configuration + iox_output = commands.check_iox + + # Check if IOx is configured + iox_configured = 'iox' in iox_output + + # Assert that the device is not vulnerable + assert not iox_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20076. " + "The device has IOx application hosting configured, " + "which could allow an authenticated attacker to execute arbitrary commands as root. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-8whGn5dL" + ) diff --git a/CVEasy/Cisco/2023/cisco_ios/cve202320080.py b/CVEasy/Cisco/2023/cisco_ios/cve202320080.py new file mode 100644 index 00000000..c43652dc --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_ios/cve202320080.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320080', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_dhcpv6='show running-config | include ipv6 dhcp' + ), +) +def rule_cve202320080(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20080 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient validation of data boundaries in the IPv6 DHCP (DHCPv6) + relay and server features. An attacker could exploit this vulnerability by sending crafted DHCPv6 + messages to an affected device, causing it to reload unexpectedly. + """ + # Extract the output of the command to check DHCPv6 configuration + dhcpv6_output = commands.check_dhcpv6 + + # Check if DHCPv6 relay or server is configured + dhcpv6_configured = any(feature in dhcpv6_output for feature in ['ipv6 dhcp relay', 'ipv6 dhcp server']) + + # Assert that the device is not vulnerable + assert not dhcpv6_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20080. " + "The device has IPv6 DHCP relay or server configured, " + "which could allow an attacker to cause a denial of service through crafted DHCPv6 messages. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-dhcpv6-dos-44cMvdDK" + ) diff --git a/CVEasy/Cisco/2023/cisco_ios/cve202320081.py b/CVEasy/Cisco/2023/cisco_ios/cve202320081.py new file mode 100644 index 00000000..976e0de7 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_ios/cve202320081.py @@ -0,0 +1,34 @@ +from comfy import high + + +@high( + name='rule_cve202320081', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_dhcpv6_client='show running-config | include ipv6 dhcp client' + ), +) +def rule_cve202320081(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20081 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient validation of DHCPv6 messages in the DHCPv6 client module. + An attacker could exploit this vulnerability by sending crafted DHCPv6 messages to an affected device, + causing it to reload and resulting in a denial of service (DoS) condition. + Note: To successfully exploit this vulnerability, the attacker would need to either control the DHCPv6 + server or be in a man-in-the-middle position. + """ + # Extract the output of the command to check DHCPv6 client configuration + dhcpv6_output = commands.check_dhcpv6_client + + # Check if DHCPv6 client is configured + dhcpv6_client_configured = 'ipv6 dhcp client' in dhcpv6_output + + # Assert that the device is not vulnerable + assert not dhcpv6_client_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20081. " + "The device has DHCPv6 client configured, " + "which could allow an attacker to cause a denial of service through crafted DHCPv6 messages. " + "For more information,see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftdios-dhcpv6-cli-Zf3zTv" + ) diff --git a/CVEasy/Cisco/2023/cisco_ios/cve202320109.py b/CVEasy/Cisco/2023/cisco_ios/cve202320109.py new file mode 100644 index 00000000..15031d77 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_ios/cve202320109.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202320109', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_getvpn='show running-config | include crypto gdoi' + ), +) +def rule_cve202320109(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20109 vulnerability in Cisco IOS Software. + The vulnerability is due to insufficient validation of attributes in the Group Domain of + Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature. An attacker could + exploit this vulnerability by either compromising an installed key server or modifying + the configuration of a group member to point to a key server that is controlled by the attacker. + """ + # Extract the output of the command to check GET VPN configuration + getvpn_output = commands.check_getvpn + + # Check if GET VPN (GDOI) is configured + getvpn_configured = 'crypto gdoi' in getvpn_output + + # Assert that the device is not vulnerable + assert not getvpn_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20109. " + "The device has GET VPN (GDOI) configured, " + "which could allow an authenticated attacker to execute arbitrary code or cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-getvpn-rce-g8qR68sx" + ) diff --git a/CVEasy/Cisco/2023/cisco_ios/cve202320186.py b/CVEasy/Cisco/2023/cisco_ios/cve202320186.py new file mode 100644 index 00000000..4701ac67 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_ios/cve202320186.py @@ -0,0 +1,55 @@ +from comfy import high + + +@high( + name='rule_cve202320186', + platform=['cisco_ios'], + commands=dict( + show_version='show version', + check_aaa='show running-config | include aaa|ip scp' + ), +) +def rule_cve202320186(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20186 vulnerability in Cisco IOS Software. + The vulnerability is due to incorrect processing of SCP commands in AAA command authorization checks. + An attacker with valid credentials and level 15 privileges could exploit this vulnerability by using + SCP to connect to an affected device from an external machine, potentially allowing them to obtain + or change the configuration of the affected device. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + '15.0(1)M', '15.1(4)M', '15.2(4)M', '15.3(3)M', '15.4(3)M', '15.5(3)M', + '15.6(3)M', '15.7(3)M', '15.8(3)M', '15.9(3)M', '15.1(2)SG', '15.1(2)SY', + '15.2(1)E', '15.2(2)E', '15.2(3)E', '15.2(4)E', '15.2(5)E', '15.2(6)E', + '15.2(7)E', '15.2(8)E', '15.5(1)SY' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check AAA and SCP configuration + aaa_output = commands.check_aaa + + # Check if AAA authorization and SCP are configured + aaa_configured = 'aaa authorization' in aaa_output + scp_configured = 'ip scp server enable' in aaa_output + + # Device is vulnerable if both AAA authorization and SCP are enabled + is_vulnerable = aaa_configured and scp_configured + + # Assert that the device is not vulnerable + assert not is_vulnerable, ( + f"Device {device.name} is vulnerable to CVE-2023-20186. " + "The device is running a vulnerable version AND has both AAA authorization and SCP enabled, " + "which could allow an authenticated attacker to bypass command authorization. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aaascp-Tyj4fEJm" + ) From 2737cdd4232d312d5fb216283dda7720716ccba7 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Tue, 3 Jun 2025 09:37:04 +0000 Subject: [PATCH 15/22] cisco_ios 2023 cve --- CVEasy/Cisco/2023/cisco_ios/cve202320081.py | 4 ++-- CVEasy/Cisco/2023/cisco_ios/cve202320109.py | 6 +++--- CVEasy/Cisco/2023/cisco_ios/cve202320186.py | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/CVEasy/Cisco/2023/cisco_ios/cve202320081.py b/CVEasy/Cisco/2023/cisco_ios/cve202320081.py index 976e0de7..cdeae6c4 100644 --- a/CVEasy/Cisco/2023/cisco_ios/cve202320081.py +++ b/CVEasy/Cisco/2023/cisco_ios/cve202320081.py @@ -29,6 +29,6 @@ def rule_cve202320081(configuration, commands, device, devices): f"Device {device.name} is vulnerable to CVE-2023-20081. " "The device has DHCPv6 client configured, " "which could allow an attacker to cause a denial of service through crafted DHCPv6 messages. " - "For more information,see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftdios-dhcpv6-cli-Zf3zTv" + "For more information,see https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-asaftdios-dhcpv6-cli-Zf3zTv" ) diff --git a/CVEasy/Cisco/2023/cisco_ios/cve202320109.py b/CVEasy/Cisco/2023/cisco_ios/cve202320109.py index 15031d77..2aac407a 100644 --- a/CVEasy/Cisco/2023/cisco_ios/cve202320109.py +++ b/CVEasy/Cisco/2023/cisco_ios/cve202320109.py @@ -12,9 +12,9 @@ def rule_cve202320109(configuration, commands, device, devices): """ This rule checks for the CVE-2023-20109 vulnerability in Cisco IOS Software. - The vulnerability is due to insufficient validation of attributes in the Group Domain of - Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature. An attacker could - exploit this vulnerability by either compromising an installed key server or modifying + The vulnerability is due to insufficient validation of attributes in the Group Domain of + Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature. An attacker could + exploit this vulnerability by either compromising an installed key server or modifying the configuration of a group member to point to a key server that is controlled by the attacker. """ # Extract the output of the command to check GET VPN configuration diff --git a/CVEasy/Cisco/2023/cisco_ios/cve202320186.py b/CVEasy/Cisco/2023/cisco_ios/cve202320186.py index 4701ac67..d065567d 100644 --- a/CVEasy/Cisco/2023/cisco_ios/cve202320186.py +++ b/CVEasy/Cisco/2023/cisco_ios/cve202320186.py @@ -13,8 +13,8 @@ def rule_cve202320186(configuration, commands, device, devices): """ This rule checks for the CVE-2023-20186 vulnerability in Cisco IOS Software. The vulnerability is due to incorrect processing of SCP commands in AAA command authorization checks. - An attacker with valid credentials and level 15 privileges could exploit this vulnerability by using - SCP to connect to an affected device from an external machine, potentially allowing them to obtain + An attacker with valid credentials and level 15 privileges could exploit this vulnerability by using + SCP to connect to an affected device from an external machine, potentially allowing them to obtain or change the configuration of the affected device. """ # Extract the version information from the command output From 52b4ec66838d46bb2256ff019fffa10fa40fdc29 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Tue, 3 Jun 2025 09:59:39 +0000 Subject: [PATCH 16/22] cisco_xe cve 2023 --- CVEasy/Cisco/2023/cisco_xe/__init__.py | 0 CVEasy/Cisco/2023/cisco_xe/cve202320027.py | 32 +++++++++ CVEasy/Cisco/2023/cisco_xe/cve202320029.py | 32 +++++++++ CVEasy/Cisco/2023/cisco_xe/cve202320033.py | 57 ++++++++++++++++ CVEasy/Cisco/2023/cisco_xe/cve202320035.py | 32 +++++++++ CVEasy/Cisco/2023/cisco_xe/cve202320065.py | 60 +++++++++++++++++ CVEasy/Cisco/2023/cisco_xe/cve202320066.py | 32 +++++++++ CVEasy/Cisco/2023/cisco_xe/cve202320067.py | 33 +++++++++ CVEasy/Cisco/2023/cisco_xe/cve202320072.py | 32 +++++++++ CVEasy/Cisco/2023/cisco_xe/cve202320082.py | 38 +++++++++++ CVEasy/Cisco/2023/cisco_xe/cve202320100.py | 32 +++++++++ CVEasy/Cisco/2023/cisco_xe/cve202320187.py | 63 +++++++++++++++++ CVEasy/Cisco/2023/cisco_xe/cve202320198.py | 76 +++++++++++++++++++++ CVEasy/Cisco/2023/cisco_xe/cve202320202.py | 51 ++++++++++++++ CVEasy/Cisco/2023/cisco_xe/cve202320226.py | 54 +++++++++++++++ CVEasy/Cisco/2023/cisco_xe/cve202320227.py | 66 ++++++++++++++++++ CVEasy/Cisco/2023/cisco_xe/cve202320231.py | 65 ++++++++++++++++++ CVEasy/Cisco/2023/cisco_xe/cve202320235.py | 63 +++++++++++++++++ CVEasy/Cisco/2023/cisco_xe/cve202320273.py | 78 ++++++++++++++++++++++ 19 files changed, 896 insertions(+) create mode 100644 CVEasy/Cisco/2023/cisco_xe/__init__.py create mode 100644 CVEasy/Cisco/2023/cisco_xe/cve202320027.py create mode 100644 CVEasy/Cisco/2023/cisco_xe/cve202320029.py create mode 100644 CVEasy/Cisco/2023/cisco_xe/cve202320033.py create mode 100644 CVEasy/Cisco/2023/cisco_xe/cve202320035.py create mode 100644 CVEasy/Cisco/2023/cisco_xe/cve202320065.py create mode 100644 CVEasy/Cisco/2023/cisco_xe/cve202320066.py create mode 100644 CVEasy/Cisco/2023/cisco_xe/cve202320067.py create mode 100644 CVEasy/Cisco/2023/cisco_xe/cve202320072.py create mode 100644 CVEasy/Cisco/2023/cisco_xe/cve202320082.py create mode 100644 CVEasy/Cisco/2023/cisco_xe/cve202320100.py create mode 100644 CVEasy/Cisco/2023/cisco_xe/cve202320187.py create mode 100644 CVEasy/Cisco/2023/cisco_xe/cve202320198.py create mode 100644 CVEasy/Cisco/2023/cisco_xe/cve202320202.py create mode 100644 CVEasy/Cisco/2023/cisco_xe/cve202320226.py create mode 100644 CVEasy/Cisco/2023/cisco_xe/cve202320227.py create mode 100644 CVEasy/Cisco/2023/cisco_xe/cve202320231.py create mode 100644 CVEasy/Cisco/2023/cisco_xe/cve202320235.py create mode 100644 CVEasy/Cisco/2023/cisco_xe/cve202320273.py diff --git a/CVEasy/Cisco/2023/cisco_xe/__init__.py b/CVEasy/Cisco/2023/cisco_xe/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320027.py b/CVEasy/Cisco/2023/cisco_xe/cve202320027.py new file mode 100644 index 00000000..ab5702a2 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320027.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320027', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_vfr='show running-config | include ip virtual-reassembly' + ), +) +def rule_cve202320027(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20027 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper reassembly of large packets when Virtual Fragmentation + Reassembly (VFR) is enabled on either a tunnel interface or on a physical interface that is + configured with an MTU greater than 4,615 bytes. + """ + # Extract the output of the command to check VFR configuration + vfr_output = commands.check_vfr + + # Check if VFR is configured + vfr_configured = 'ip virtual-reassembly' in vfr_output + + # Assert that the device is not vulnerable + assert not vfr_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20027. " + "The device has Virtual Fragmentation Reassembly (VFR) enabled, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv4-vfr-dos-CXxtFacb" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320029.py b/CVEasy/Cisco/2023/cisco_xe/cve202320029.py new file mode 100644 index 00000000..130310ce --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320029.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320029', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_meraki='show running-config | include meraki' + ), +) +def rule_cve202320029(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20029 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient memory protection in the Meraki onboarding feature. + An attacker could exploit this vulnerability by modifying the Meraki registration parameters, + which could allow them to elevate privileges to root. + """ + # Extract the output of the command to check Meraki configuration + meraki_output = commands.check_meraki + + # Check if Meraki onboarding is configured + meraki_configured = 'meraki' in meraki_output + + # Assert that the device is not vulnerable + assert not meraki_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20029. " + "The device has Meraki onboarding feature enabled, " + "which could allow an attacker to elevate privileges to root. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-sABD8hcU" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320033.py b/CVEasy/Cisco/2023/cisco_xe/cve202320033.py new file mode 100644 index 00000000..155498ce --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320033.py @@ -0,0 +1,57 @@ +from comfy import high + + +@high( + name='rule_cve202320033', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_mgmt='show running-config | include interface GigabitEthernet0' + ), +) +def rule_cve202320033(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20033 vulnerability in Cisco IOS XE Software for Catalyst 3650/3850 Series Switches. + The vulnerability is due to improper resource management when processing traffic received on the management interface. + An attacker could exploit this vulnerability by sending a high rate of traffic to the management interface. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 16.3 versions + '16.3.1', '16.3.2', '16.3.3', '16.3.1a', '16.3.4', '16.3.5', '16.3.5b', + '16.3.6', '16.3.7', '16.3.8', '16.3.9', '16.3.10', '16.3.11', + # 16.4-16.9 versions + '16.4.1', '16.5.1', '16.5.1a', '16.6.1', '16.6.2', '16.6.3', '16.6.4', + '16.6.5', '16.6.4a', '16.6.6', '16.6.7', '16.6.8', '16.6.9', '16.6.10', + '16.7.1', '16.8.1', '16.8.1a', '16.8.1s', '16.9.1', '16.9.2', '16.9.1s', + '16.9.3', '16.9.4', '16.9.3a', '16.9.5', '16.9.6', '16.9.7', '16.9.8', + # 16.11-16.12 versions + '16.11.1', '16.11.2', '16.11.1s', '16.12.1', '16.12.1s', '16.12.2', + '16.12.3', '16.12.8', '16.12.4', '16.12.3s', '16.12.3a', '16.12.5', + '16.12.6', '16.12.5b', '16.12.6a', '16.12.7', '16.12.9' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check management interface configuration + mgmt_output = commands.check_mgmt + + # Check if management interface is configured + mgmt_configured = 'interface GigabitEthernet0' in mgmt_output + + # Assert that the device is not vulnerable + assert not mgmt_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20033. " + "The device is running a vulnerable version AND has management interface configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cat3k-dos-ZZA4Gb3r" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320035.py b/CVEasy/Cisco/2023/cisco_xe/cve202320035.py new file mode 100644 index 00000000..64f73331 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320035.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320035', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_sdwan='show running-config | include sdwan' + ), +) +def rule_cve202320035(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20035 vulnerability in Cisco IOS XE SD-WAN Software. + The vulnerability is due to insufficient input validation by the system CLI. + An attacker with privileges to run commands could exploit this vulnerability by submitting + crafted input to the system CLI, allowing them to execute commands with root-level privileges. + """ + # Extract the output of the command to check SD-WAN configuration + sdwan_output = commands.check_sdwan + + # Check if SD-WAN is configured + sdwan_configured = 'sdwan' in sdwan_output + + # Assert that the device is not vulnerable + assert not sdwan_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20035. " + "The device has SD-WAN configured with CLI access, " + "which could allow an attacker to execute arbitrary commands with root privileges. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-sdwan-VQAhEjYw" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320065.py b/CVEasy/Cisco/2023/cisco_xe/cve202320065.py new file mode 100644 index 00000000..3f6a4cae --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320065.py @@ -0,0 +1,60 @@ +from comfy import high + + +@high( + name='rule_cve202320065', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_iox='show running-config | include iox' + ), +) +def rule_cve202320065(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20065 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient restrictions on the hosted application in the + Cisco IOx application hosting subsystem. An attacker could exploit this vulnerability + by logging in to and then escaping the Cisco IOx application container. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 16.4 versions + '16.4.1', '16.4.2', '16.4.3', + # 17.3 versions + '17.3.1', '17.3.2', '17.3.3', '17.3.1a', '17.3.1w', '17.3.2a', '17.3.1x', + '17.3.1z', '17.3.4', '17.3.5', '17.3.4a', '17.3.6', '17.3.4b', '17.3.4c', + '17.3.5a', '17.3.5b', + # 17.4-17.9 versions + '17.4.1', '17.4.2', '17.4.1a', '17.4.1b', '17.4.2a', + '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', + '17.6.1', '17.6.2', '17.6.1w', '17.6.1a', '17.6.1x', '17.6.3', '17.6.1y', + '17.6.1z', '17.6.3a', '17.6.4', '17.6.1z1', + '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', + '17.8.1', '17.8.1a', + '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.2a' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check IOx configuration + iox_output = commands.check_iox + + # Check if IOx is configured + iox_configured = 'iox' in iox_output + + # Assert that the device is not vulnerable + assert not iox_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20065. " + "The device is running a vulnerable version AND has IOx application hosting configured, " + "which could allow an attacker to elevate privileges to root. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-priv-escalate-Xg8zkyPk" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320066.py b/CVEasy/Cisco/2023/cisco_xe/cve202320066.py new file mode 100644 index 00000000..fe5595f2 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320066.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320066', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|webui' + ), +) +def rule_cve202320066(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20066 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient security configuration in the web UI. + An attacker could exploit this vulnerability by sending a crafted request to the web UI, + allowing them to gain read access to files outside the filesystem mountpoint. + """ + # Extract the output of the command to check web UI configuration + webui_output = commands.check_webui + + # Check if web UI is enabled + webui_enabled = any(service in webui_output for service in ['ip http', 'webui']) + + # Assert that the device is not vulnerable + assert not webui_enabled, ( + f"Device {device.name} is vulnerable to CVE-2023-20066. " + "The device has web UI enabled, which could allow an attacker to access files " + "outside the filesystem mountpoint through path traversal. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-pthtrv-es7GSb9V" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320067.py b/CVEasy/Cisco/2023/cisco_xe/cve202320067.py new file mode 100644 index 00000000..99a14000 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320067.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202320067', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_wlc='show running-config | include wireless|http client' + ), +) +def rule_cve202320067(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20067 vulnerability in Cisco IOS XE Software for Wireless LAN Controllers. + The vulnerability is due to insufficient input validation of received traffic in the " + "HTTP-based client profiling feature. + An attacker could exploit this vulnerability by sending crafted traffic through a wireless access point, + causing high CPU utilization and a denial of service condition. + """ + # Extract the output of the command to check WLC and HTTP client profiling configuration + wlc_output = commands.check_wlc + + # Check if WLC and HTTP client profiling are configured + wlc_configured = 'wireless' in wlc_output and 'http client' in wlc_output + + # Assert that the device is not vulnerable + assert not wlc_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20067. " + "The device has wireless LAN controller and HTTP client profiling enabled, " + "which could allow an attacker to cause a denial of service condition. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-dos-wFujBHKw" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320072.py b/CVEasy/Cisco/2023/cisco_xe/cve202320072.py new file mode 100644 index 00000000..fdc3b154 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320072.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320072', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_tunnel='show running-config | include tunnel|gre' + ), +) +def rule_cve202320072(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20072 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper handling of large fragmented tunnel protocol packets. + An attacker could exploit this vulnerability by sending crafted fragmented packets to an affected system, + causing it to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check tunnel configuration + tunnel_output = commands.check_tunnel + + # Check if any tunnel protocols (like GRE) are configured + tunnel_configured = any(protocol in tunnel_output for protocol in ['tunnel', 'gre']) + + # Assert that the device is not vulnerable + assert not tunnel_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20072. " + "The device has tunnel protocols configured (e.g., GRE), " + "which could allow an attacker to cause a denial of service through crafted fragmented packets. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-gre-crash-p6nE5Sq5" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320082.py b/CVEasy/Cisco/2023/cisco_xe/cve202320082.py new file mode 100644 index 00000000..0ada9478 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320082.py @@ -0,0 +1,38 @@ +from comfy import high + + +@high( + name='rule_cve202320082', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis' + ), +) +def rule_cve202320082(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20082 vulnerability in Cisco IOS XE Software for Catalyst 9300 Series Switches. + The vulnerability is due to errors that occur when retrieving the public release key used for image signature verification. + An attacker could exploit this vulnerability by modifying specific variables in the SPI flash memory, + allowing them to execute persistent code at boot time and break the chain of trust. + """ + # Extract the output of the command to check platform type + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9300 Series Switch + is_cat9300 = 'C9300' in platform_output + + # Extract the version information from the command output + version_output = commands.show_version + + # Check if version is before 16.11.1 (more vulnerable) + version_pre_16_11_1 = not any(ver in version_output for ver in ['16.11.1', '16.12', '17.']) + + # Assert that the device is not vulnerable + assert not (is_cat9300 and version_pre_16_11_1), ( + f"Device {device.name} is vulnerable to CVE-2023-20082. " + "The device is a Catalyst 9300 Series Switch running a version before 16.11.1, " + "which could allow an attacker to execute persistent code at boot time. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9300-spi-ace-yejYgnNQ" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320100.py b/CVEasy/Cisco/2023/cisco_xe/cve202320100.py new file mode 100644 index 00000000..439ce6b8 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320100.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320100', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_capwap='show running-config | include wireless|capwap' + ), +) +def rule_cve202320100(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20100 vulnerability in Cisco IOS XE Software for Wireless LAN Controllers. + The vulnerability is due to a logic error in the access point (AP) joining process of the Control and + Provisioning of Wireless Access Points (CAPWAP) protocol. An attacker could exploit this vulnerability + by adding a malicious AP to the network and causing specific conditions during the AP joining process. + """ + # Extract the output of the command to check CAPWAP/wireless configuration + capwap_output = commands.check_capwap + + # Check if wireless/CAPWAP is configured + wireless_configured = 'wireless' in capwap_output and 'capwap' in capwap_output + + # Assert that the device is not vulnerable + assert not wireless_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20100. " + "The device has wireless LAN controller and CAPWAP configured, " + "which could allow an attacker to cause a denial of service through the AP joining process. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-apjoin-dos-nXRHkt5" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320187.py b/CVEasy/Cisco/2023/cisco_xe/cve202320187.py new file mode 100644 index 00000000..3ae0e266 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320187.py @@ -0,0 +1,63 @@ +from comfy import high + + +@high( + name='rule_cve202320187', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include ASR1', + check_ipv6='show running-config | include ipv6 multicast' + ), +) +def rule_cve202320187(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20187 vulnerability in Cisco IOS XE Software for ASR 1000 Series routers. + The vulnerability is due to incorrect handling of certain IPv6 multicast packets when they are fanned out + more than seven times on an affected device. An attacker could exploit this vulnerability by sending + specific IPv6 multicast or IPv6 multicast VPN (MVPNv6) packets through the affected device. + """ + # Extract the output of the command to check platform type + platform_output = commands.check_platform + + # Check if the device is an ASR 1000 Series router + is_asr1000 = 'ASR1' in platform_output + + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + '3.7.1S', '3.7.2S', '3.7.3S', '3.7.4S', '3.7.5S', '3.7.6S', '3.7.7S', '3.7.2tS', + '3.8.0S', '3.8.1S', '3.8.2S', '3.9.0S', '3.9.1S', '3.9.2S', + '3.10.0S', '3.10.1S', '3.10.2S', '3.10.3S', '3.10.4S', '3.10.5S', '3.10.6S', + '3.10.7S', '3.10.8S', '3.10.9S', '3.10.10S', '3.10.1xbS', '3.10.8aS', + '3.11.0S', '3.11.1S', '3.11.2S', '3.11.3S', '3.11.4S', + '3.12.0S', '3.12.1S', '3.12.2S', '3.12.3S', '3.12.4S', + '3.13.0S', '3.13.1S', '3.13.2S', '3.13.3S', '3.13.4S', '3.13.5S', '3.13.2aS', + '3.13.5aS', '3.13.6S', '3.13.7S', '3.13.6aS', '3.13.8S', '3.13.9S', '3.13.10S', + '3.14.0S', '3.14.1S', '3.14.2S', '3.14.3S', '3.14.4S', + '3.15.0S', '3.15.1S', '3.15.2S', '3.15.3S', '3.15.4S', + '3.16.0S', '3.16.1aS', '3.16.2S', '3.16.3S', '3.16.2bS', '3.16.4aS', '3.16.4bS', + '3.16.5S', '3.16.6S', '3.16.7S', '3.16.6bS', '3.16.7aS', '3.16.7bS', '3.16.8S', + '3.16.9S', '3.16.10S', + '3.17.0S', '3.17.1S', '3.17.2S', '3.17.1aS', '3.17.3S', '3.17.4S' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # Extract the output of the command to check IPv6 multicast configuration + ipv6_output = commands.check_ipv6 + + # Check if IPv6 multicast is configured + ipv6_multicast_configured = 'ipv6 multicast' in ipv6_output + + # Assert that the device is not vulnerable + assert not (is_asr1000 and version_vulnerable and ipv6_multicast_configured), ( + f"Device {device.name} is vulnerable to CVE-2023-20187. " + "The device is an ASR 1000 Series router running a vulnerable version with IPv6 multicast configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-mlre-H93FswRz" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320198.py b/CVEasy/Cisco/2023/cisco_xe/cve202320198.py new file mode 100644 index 00000000..57fa4053 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320198.py @@ -0,0 +1,76 @@ +from comfy import high + + +@high( + name='rule_cve202320198', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|webui' + ), +) +def rule_cve202320198(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20198 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient protection of the web UI feature, which could allow + an unauthenticated, remote attacker to gain privileged access. This vulnerability has been + actively exploited in the wild and has a CVSS score of 10.0 (Critical). + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 16.1-16.3 versions + '16.1.1', '16.1.2', '16.1.3', '16.2.1', '16.2.2', + '16.3.1', '16.3.2', '16.3.3', '16.3.1a', '16.3.4', '16.3.5', '16.3.5b', + '16.3.6', '16.3.7', '16.3.8', '16.3.9', '16.3.10', '16.3.11', + # 16.4-16.9 versions + '16.4.1', '16.4.2', '16.4.3', '16.5.1', '16.5.1a', '16.5.1b', '16.5.2', '16.5.3', + '16.6.1', '16.6.2', '16.6.3', '16.6.4', '16.6.5', '16.6.4a', '16.6.5a', '16.6.6', + '16.6.7', '16.6.8', '16.6.9', '16.6.10', '16.7.1', '16.7.1a', '16.7.1b', '16.7.2', + '16.7.3', '16.7.4', '16.8.1', '16.8.1a', '16.8.1b', '16.8.1s', '16.8.1c', '16.8.1d', + '16.8.2', '16.8.1e', '16.8.3', '16.9.1', '16.9.2', '16.9.1a', '16.9.1b', '16.9.1s', + '16.9.3', '16.9.4', '16.9.3a', '16.9.5', '16.9.5f', '16.9.6', '16.9.7', '16.9.8', + # 16.10-16.12 versions + '16.10.1', '16.10.1a', '16.10.1b', '16.10.1s', '16.10.1c', '16.10.1e', '16.10.1d', + '16.10.2', '16.10.1f', '16.10.1g', '16.10.3', '16.11.1', '16.11.1a', '16.11.1b', + '16.11.2', '16.11.1s', '16.12.1', '16.12.1s', '16.12.1a', '16.12.1c', '16.12.1w', + '16.12.2', '16.12.1y', '16.12.2a', '16.12.3', '16.12.8', '16.12.2s', '16.12.1x', + '16.12.1t', '16.12.4', '16.12.3s', '16.12.3a', '16.12.4a', '16.12.5', '16.12.6', + '16.12.1z1', '16.12.5a', '16.12.5b', '16.12.1z2', '16.12.6a', '16.12.7', '16.12.9', + '16.12.10', + # 17.1-17.12 versions + '17.1.1', '17.1.1a', '17.1.1s', '17.1.1t', '17.1.3', '17.2.1', '17.2.1r', '17.2.1a', + '17.2.1v', '17.2.2', '17.2.3', '17.3.1', '17.3.2', '17.3.3', '17.3.1a', '17.3.1w', + '17.3.2a', '17.3.1x', '17.3.1z', '17.3.4', '17.3.5', '17.3.4a', '17.3.6', '17.3.4b', + '17.3.4c', '17.3.5a', '17.3.5b', '17.3.7', '17.3.8', '17.4.1', '17.4.2', '17.4.1a', + '17.4.1b', '17.4.2a', '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', '17.6.1', '17.6.2', + '17.6.1w', '17.6.1a', '17.6.1x', '17.6.3', '17.6.1y', '17.6.1z', '17.6.3a', '17.6.4', + '17.6.1z1', '17.6.5', '17.6.6', '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', '17.8.1', + '17.8.1a', '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.1x', '17.9.1y', '17.9.3', + '17.9.2a', '17.9.1x1', '17.9.3a', '17.9.4', '17.9.1y1', '17.10.1', '17.10.1a', + '17.10.1b', '17.11.1', '17.11.1a', '17.12.1', '17.12.1a', '17.11.99SW' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check web UI configuration + webui_output = commands.check_webui + + # Check if web UI is enabled + webui_enabled = any(service in webui_output for service in ['ip http', 'webui']) + + # Assert that the device is not vulnerable + assert not webui_enabled, ( + f"Device {device.name} is vulnerable to CVE-2023-20198. " + "The device is running a vulnerable version AND has web UI enabled, " + "which could allow an attacker to gain privileged access. This vulnerability is being actively exploited. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320202.py b/CVEasy/Cisco/2023/cisco_xe/cve202320202.py new file mode 100644 index 00000000..05ff7fca --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320202.py @@ -0,0 +1,51 @@ +from comfy import high + + +@high( + name='rule_cve202320202', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_wncd='show running-config | include wireless|wncd' + ), +) +def rule_cve202320202(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20202 vulnerability in Cisco IOS XE Software for Wireless LAN Controllers. + The vulnerability is due to improper memory management in the Wireless Network Control daemon (wncd). + An attacker could exploit this vulnerability by sending a series of network requests to an affected device, + causing the wncd process to consume available memory and eventually cause the device to reload. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 17.9 versions + '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.1x', '17.9.1y', + '17.9.2a', '17.9.1x1', + # 17.10 versions + '17.10.1', '17.10.1a', '17.10.1b' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check WNCD configuration + wncd_output = commands.check_wncd + + # Check if wireless/WNCD is configured + wireless_configured = 'wireless' in wncd_output and 'wncd' in wncd_output + + # Assert that the device is not vulnerable + assert not wireless_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20202. " + "The device is running a vulnerable version AND has wireless LAN controller with WNCD configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-wncd-HFGMsfSD" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320226.py b/CVEasy/Cisco/2023/cisco_xe/cve202320226.py new file mode 100644 index 00000000..1c88984b --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320226.py @@ -0,0 +1,54 @@ +from comfy import high + + +@high( + name='rule_cve202320226', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_appqoe_utd='show running-config | include appqoe|utd' + ), +) +def rule_cve202320226(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20226 vulnerability in Cisco IOS XE Software. + The vulnerability is due to the mishandling of a crafted packet stream through the AppQoE or UTD application. + An attacker could exploit this vulnerability by sending a crafted packet stream through an affected device, + causing it to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 17.7 versions + '17.7.1', '17.7.1a', '17.7.2', + # 17.8 versions + '17.8.1', '17.8.1a', + # 17.9 versions + '17.9.1', '17.9.2', '17.9.1a', '17.9.2a', + # 17.10 versions + '17.10.1', '17.10.1a' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check AppQoE and UTD configuration + appqoe_utd_output = commands.check_appqoe_utd + + # Check if AppQoE or UTD is configured + features_configured = any(feature in appqoe_utd_output for feature in ['appqoe', 'utd']) + + # Assert that the device is not vulnerable + assert not features_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20226. " + "The device is running a vulnerable version AND has AppQoE or UTD configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-appqoe-utd-dos-p8O57p5y" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320227.py b/CVEasy/Cisco/2023/cisco_xe/cve202320227.py new file mode 100644 index 00000000..413e4f49 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320227.py @@ -0,0 +1,66 @@ +from comfy import high + + +@high( + name='rule_cve202320227', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_l2tp='show running-config | include vpdn|l2tp' + ), +) +def rule_cve202320227(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20227 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper handling of certain L2TP packets. An attacker could + exploit this vulnerability by sending crafted L2TP packets to an affected device, causing + it to reload unexpectedly and resulting in a denial of service (DoS) condition. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 16.8-16.9 versions + '16.8.1', '16.8.1a', '16.8.1b', '16.8.1s', '16.8.1c', '16.8.1d', + '16.8.2', '16.8.1e', '16.8.3', '16.9.1', '16.9.2', '16.9.1a', + '16.9.1b', '16.9.1s', '16.9.3', '16.9.4', '16.9.5', '16.9.5f', + '16.9.6', '16.9.7', '16.9.8', + # 16.10-16.12 versions + '16.10.1', '16.10.1a', '16.10.1b', '16.10.1s', '16.10.1c', '16.10.1e', + '16.10.1d', '16.10.2', '16.10.1f', '16.10.1g', '16.10.3', '16.11.1', + '16.11.1a', '16.11.1b', '16.11.2', '16.11.1s', '16.12.1', '16.12.1s', + '16.12.1a', '16.12.1c', '16.12.1w', '16.12.2', '16.12.1y', '16.12.2a', + '16.12.3', '16.12.8', '16.12.2s', '16.12.1x', '16.12.1t', '16.12.4', + '16.12.3s', '16.12.4a', '16.12.5', '16.12.6', '16.12.1z1', '16.12.5a', + '16.12.1z2', '16.12.6a', '16.12.7', '16.12.10a', + # 17.1-17.5 versions + '17.1.1', '17.1.1a', '17.1.1s', '17.1.1t', '17.1.3', '17.2.1', '17.2.1r', + '17.2.1a', '17.2.1v', '17.2.2', '17.2.3', '17.3.1', '17.3.2', '17.3.3', + '17.3.1a', '17.3.1w', '17.3.2a', '17.3.1x', '17.3.1z', '17.3.4', '17.3.5', + '17.3.4a', '17.3.6', '17.3.4c', '17.3.5a', '17.3.5b', '17.3.7', '17.4.1', + '17.4.2', '17.4.1a', '17.4.1b', '17.4.2a', '17.5.1', '17.5.1a', '17.5.1b', + '17.5.1c' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check L2TP configuration + l2tp_output = commands.check_l2tp + + # Check if L2TP is configured + l2tp_configured = any(feature in l2tp_output for feature in ['vpdn', 'l2tp']) + + # Assert that the device is not vulnerable + assert not l2tp_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20227. " + "The device is running a vulnerable version AND has L2TP configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-l2tp-dos-eB5tuFmV" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320231.py b/CVEasy/Cisco/2023/cisco_xe/cve202320231.py new file mode 100644 index 00000000..68ad720a --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320231.py @@ -0,0 +1,65 @@ +from comfy import high + + +@high( + name='rule_cve202320231', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|webui|lobby' + ), +) +def rule_cve202320231(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20231 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation in the web UI. An attacker could + exploit this vulnerability by sending crafted input to the web UI using Lobby Ambassador credentials, + allowing them to execute arbitrary Cisco IOS XE Software CLI commands with level 15 privileges. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 16.12 versions + '16.12.4', '16.12.4a', '16.12.5', '16.12.5a', '16.12.5b', '16.12.6', + '16.12.6a', '16.12.7', '16.12.8', '16.12.9', + # 17.2-17.3 versions + '17.2.2', '17.2.3', '17.3.1', '17.3.1a', '17.3.1w', '17.3.1x', '17.3.1z', + '17.3.2', '17.3.2a', '17.3.3', '17.3.4', '17.3.4a', '17.3.4b', '17.3.4c', + '17.3.5', '17.3.5a', '17.3.5b', '17.3.6', + # 17.4-17.6 versions + '17.4.1', '17.4.1a', '17.4.1b', '17.4.2', '17.4.2a', + '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', + '17.6.1', '17.6.1a', '17.6.1w', '17.6.1x', '17.6.1y', '17.6.1z', '17.6.1z1', + '17.6.2', '17.6.3', '17.6.3a', '17.6.4', '17.6.5', '17.6.5a', + # 17.7-17.10 versions + '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', + '17.8.1', '17.8.1a', + '17.9.1', '17.9.1a', '17.9.1w', '17.9.1x', '17.9.1x1', '17.9.1y', '17.9.2', + '17.9.2a', + '17.10.1', '17.10.1a', '17.10.1b' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check web UI and Lobby Ambassador configuration + webui_output = commands.check_webui + + # Check if web UI and Lobby Ambassador are configured + webui_enabled = any(service in webui_output for service in ['ip http', 'webui']) + lobby_configured = 'lobby' in webui_output + + # Assert that the device is not vulnerable + assert not (webui_enabled and lobby_configured), ( + f"Device {device.name} is vulnerable to CVE-2023-20231. " + "The device is running a vulnerable version AND has web UI with Lobby Ambassador configured, " + "which could allow an attacker to execute arbitrary commands with elevated privileges. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-cmdij-FzZAeXAy" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320235.py b/CVEasy/Cisco/2023/cisco_xe/cve202320235.py new file mode 100644 index 00000000..2b7eafc6 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320235.py @@ -0,0 +1,63 @@ +from comfy import high + + +@high( + name='rule_cve202320235', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_iox='show running-config | include iox|app-hosting' + ), +) +def rule_cve202320235(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20235 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient protection of the on-device application development + workflow feature in the Cisco IOx application hosting infrastructure. An attacker could + exploit this vulnerability by using Docker CLI to access the underlying operating system + as the root user. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 17.3 versions + '17.3.1', '17.3.2', '17.3.3', '17.3.1a', '17.3.1w', '17.3.2a', '17.3.1x', + '17.3.1z', '17.3.4', '17.3.5', '17.3.4a', '17.3.6', '17.3.4b', '17.3.4c', + '17.3.5a', '17.3.5b', '17.3.7', + # 17.4-17.6 versions + '17.4.1', '17.4.2', '17.4.1a', '17.4.1b', '17.4.2a', + '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', + '17.6.1', '17.6.2', '17.6.1w', '17.6.1a', '17.6.1x', '17.6.3', '17.6.1y', + '17.6.1z', '17.6.3a', '17.6.4', '17.6.1z1', '17.6.5', '17.6.5a', + # 17.7-17.12 versions + '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', + '17.8.1', '17.8.1a', + '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.1x', '17.9.1y', '17.9.3', + '17.9.2a', '17.9.1x1', '17.9.3a', '17.9.4', '17.9.1y1', '17.9.4a', + '17.10.1', '17.10.1a', '17.10.1b', + '17.11.1', '17.11.1a', '17.12.1', '17.12.1a', '17.11.99SW' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check IOx configuration + iox_output = commands.check_iox + + # Check if IOx or app-hosting is configured + iox_configured = any(feature in iox_output for feature in ['iox', 'app-hosting']) + + # Assert that the device is not vulnerable + assert not iox_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20235. " + "The device is running a vulnerable version AND has IOx/app-hosting configured, " + "which could allow an attacker to gain root access to the underlying operating system. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rdocker-uATbukKn" + ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320273.py b/CVEasy/Cisco/2023/cisco_xe/cve202320273.py new file mode 100644 index 00000000..679635da --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320273.py @@ -0,0 +1,78 @@ +from comfy import high + + +@high( + name='rule_cve202320273', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|webui' + ), +) +def rule_cve202320273(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20273 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation in the web UI feature. + An authenticated, remote attacker could exploit this vulnerability by sending crafted + input to the web UI, allowing them to inject commands to the underlying operating system + with root privileges. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 16.1-16.3 versions + '16.1.1', '16.1.2', '16.1.3', '16.2.1', '16.2.2', + '16.3.1', '16.3.2', '16.3.3', '16.3.1a', '16.3.4', '16.3.5', '16.3.5b', + '16.3.6', '16.3.7', '16.3.8', '16.3.9', '16.3.10', '16.3.11', + # 16.4-16.9 versions + '16.4.1', '16.4.2', '16.4.3', '16.5.1', '16.5.1a', '16.5.1b', '16.5.2', '16.5.3', + '16.6.1', '16.6.2', '16.6.3', '16.6.4', '16.6.5', '16.6.4a', '16.6.5a', '16.6.6', + '16.6.7', '16.6.8', '16.6.9', '16.6.10', '16.7.1', '16.7.1a', '16.7.1b', '16.7.2', + '16.7.3', '16.7.4', '16.8.1', '16.8.1a', '16.8.1b', '16.8.1s', '16.8.1c', '16.8.1d', + '16.8.2', '16.8.1e', '16.8.3', '16.9.1', '16.9.2', '16.9.1a', '16.9.1b', '16.9.1s', + '16.9.3', '16.9.4', '16.9.3a', '16.9.5', '16.9.5f', '16.9.6', '16.9.7', '16.9.8', + # 16.10-16.12 versions + '16.10.1', '16.10.1a', '16.10.1b', '16.10.1s', '16.10.1c', '16.10.1e', '16.10.1d', + '16.10.2', '16.10.1f', '16.10.1g', '16.10.3', '16.11.1', '16.11.1a', '16.11.1b', + '16.11.2', '16.11.1s', '16.12.1', '16.12.1s', '16.12.1a', '16.12.1c', '16.12.1w', + '16.12.2', '16.12.1y', '16.12.2a', '16.12.3', '16.12.8', '16.12.2s', '16.12.1x', + '16.12.1t', '16.12.4', '16.12.3s', '16.12.3a', '16.12.4a', '16.12.5', '16.12.6', + '16.12.1z1', '16.12.5a', '16.12.5b', '16.12.1z2', '16.12.6a', '16.12.7', '16.12.9', + '16.12.10', + # 17.1-17.12 versions + '17.1.1', '17.1.1a', '17.1.1s', '17.1.1t', '17.1.3', '17.2.1', '17.2.1r', '17.2.1a', + '17.2.1v', '17.2.2', '17.2.3', '17.3.1', '17.3.2', '17.3.3', '17.3.1a', '17.3.1w', + '17.3.2a', '17.3.1x', '17.3.1z', '17.3.4', '17.3.5', '17.3.4a', '17.3.6', '17.3.4b', + '17.3.4c', '17.3.5a', '17.3.5b', '17.3.7', '17.3.8', '17.4.1', '17.4.2', '17.4.1a', + '17.4.1b', '17.4.2a', '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', '17.6.1', '17.6.2', + '17.6.1w', '17.6.1a', '17.6.1x', '17.6.3', '17.6.1y', '17.6.1z', '17.6.3a', '17.6.4', + '17.6.1z1', '17.6.5', '17.6.6', '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', '17.8.1', + '17.8.1a', '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.1x', '17.9.1y', '17.9.3', + '17.9.2a', '17.9.1x1', '17.9.3a', '17.9.4', '17.9.1y1', '17.10.1', '17.10.1a', + '17.10.1b', '17.11.1', '17.11.1a', '17.12.1', '17.12.1a', '17.11.99SW' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check web UI configuration + webui_output = commands.check_webui + + # Check if web UI is enabled + webui_enabled = any(service in webui_output for service in ['ip http', 'webui']) + + # Assert that the device is not vulnerable + assert not webui_enabled, ( + f"Device {device.name} is vulnerable to CVE-2023-20273. " + "The device is running a vulnerable version AND has web UI enabled, " + "which could allow an authenticated attacker to execute arbitrary commands with root privileges. " + "This vulnerability is being actively exploited. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z" + ) From 8ea2de52a28550dbe7849fd5f1fa90e70f36a403 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Tue, 3 Jun 2025 10:49:59 +0000 Subject: [PATCH 17/22] cisco_xe cve 2023 --- CVEasy/Cisco/2023/cisco_xe/cve202320033.py | 8 +++++--- CVEasy/Cisco/2023/cisco_xe/cve202320065.py | 3 ++- CVEasy/Cisco/2023/cisco_xe/cve202320082.py | 10 ++++++---- CVEasy/Cisco/2023/cisco_xe/cve202320100.py | 3 ++- CVEasy/Cisco/2023/cisco_xe/cve202320198.py | 3 ++- CVEasy/Cisco/2023/cisco_xe/cve202320227.py | 3 ++- CVEasy/Cisco/2023/cisco_xe/cve202320273.py | 3 ++- 7 files changed, 21 insertions(+), 12 deletions(-) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320033.py b/CVEasy/Cisco/2023/cisco_xe/cve202320033.py index 155498ce..1e5db748 100644 --- a/CVEasy/Cisco/2023/cisco_xe/cve202320033.py +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320033.py @@ -11,9 +11,11 @@ ) def rule_cve202320033(configuration, commands, device, devices): """ - This rule checks for the CVE-2023-20033 vulnerability in Cisco IOS XE Software for Catalyst 3650/3850 Series Switches. - The vulnerability is due to improper resource management when processing traffic received on the management interface. - An attacker could exploit this vulnerability by sending a high rate of traffic to the management interface. + This rule checks for the CVE-2023-20033 vulnerability in Cisco IOS XE Software for + Catalyst 3650/3850 Series Switches. The vulnerability is due to improper resource + management when processing traffic received on the management interface. + An attacker could exploit this vulnerability by sending a high rate of traffic to + the management interface. """ # Extract the version information from the command output version_output = commands.show_version diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320065.py b/CVEasy/Cisco/2023/cisco_xe/cve202320065.py index 3f6a4cae..7868db88 100644 --- a/CVEasy/Cisco/2023/cisco_xe/cve202320065.py +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320065.py @@ -56,5 +56,6 @@ def rule_cve202320065(configuration, commands, device, devices): "The device is running a vulnerable version AND has IOx application hosting configured, " "which could allow an attacker to elevate privileges to root. " "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-priv-escalate-Xg8zkyPk" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-iox-priv-escalate-Xg8zkyPk" ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320082.py b/CVEasy/Cisco/2023/cisco_xe/cve202320082.py index 0ada9478..6aa7e3e7 100644 --- a/CVEasy/Cisco/2023/cisco_xe/cve202320082.py +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320082.py @@ -11,10 +11,12 @@ ) def rule_cve202320082(configuration, commands, device, devices): """ - This rule checks for the CVE-2023-20082 vulnerability in Cisco IOS XE Software for Catalyst 9300 Series Switches. - The vulnerability is due to errors that occur when retrieving the public release key used for image signature verification. - An attacker could exploit this vulnerability by modifying specific variables in the SPI flash memory, - allowing them to execute persistent code at boot time and break the chain of trust. + This rule checks for the CVE-2023-20082 vulnerability in Cisco IOS XE Software + for Catalyst 9300 Series Switches. The vulnerability is due to errors that occur + when retrieving the public release key used for image signature verification. + An attacker could exploit this vulnerability by modifying specific variables in the + SPI flash memory, allowing them to execute persistent code at boot time and break + the chain of trust. """ # Extract the output of the command to check platform type platform_output = commands.check_platform diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320100.py b/CVEasy/Cisco/2023/cisco_xe/cve202320100.py index 439ce6b8..058d47b6 100644 --- a/CVEasy/Cisco/2023/cisco_xe/cve202320100.py +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320100.py @@ -28,5 +28,6 @@ def rule_cve202320100(configuration, commands, device, devices): "The device has wireless LAN controller and CAPWAP configured, " "which could allow an attacker to cause a denial of service through the AP joining process. " "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-apjoin-dos-nXRHkt5" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-c9800-apjoin-dos-nXRHkt5" ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320198.py b/CVEasy/Cisco/2023/cisco_xe/cve202320198.py index 57fa4053..e97ecf90 100644 --- a/CVEasy/Cisco/2023/cisco_xe/cve202320198.py +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320198.py @@ -72,5 +72,6 @@ def rule_cve202320198(configuration, commands, device, devices): "The device is running a vulnerable version AND has web UI enabled, " "which could allow an attacker to gain privileged access. This vulnerability is being actively exploited. " "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-iosxe-webui-privesc-j22SaA4z" ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320227.py b/CVEasy/Cisco/2023/cisco_xe/cve202320227.py index 413e4f49..5e7a3547 100644 --- a/CVEasy/Cisco/2023/cisco_xe/cve202320227.py +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320227.py @@ -62,5 +62,6 @@ def rule_cve202320227(configuration, commands, device, devices): "The device is running a vulnerable version AND has L2TP configured, " "which could allow an attacker to cause a denial of service. " "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-l2tp-dos-eB5tuFmV" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-ios-xe-l2tp-dos-eB5tuFmV" ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320273.py b/CVEasy/Cisco/2023/cisco_xe/cve202320273.py index 679635da..9cd3613a 100644 --- a/CVEasy/Cisco/2023/cisco_xe/cve202320273.py +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320273.py @@ -74,5 +74,6 @@ def rule_cve202320273(configuration, commands, device, devices): "which could allow an authenticated attacker to execute arbitrary commands with root privileges. " "This vulnerability is being actively exploited. " "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-iosxe-webui-privesc-j22SaA4z" ) From a68ee000806446bb9f46e0cfde6b5a3107b5d3b6 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Tue, 3 Jun 2025 11:12:07 +0000 Subject: [PATCH 18/22] xr and nxos 2023 CVEs --- CVEasy/Cisco/2023/cisco_nxos/__init__.py | 0 CVEasy/Cisco/2023/cisco_nxos/cve202320050.py | 30 +++++ CVEasy/Cisco/2023/cisco_nxos/cve202320089.py | 31 +++++ CVEasy/Cisco/2023/cisco_nxos/cve202320115.py | 51 ++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320168.py | 127 +++++++++++++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320169.py | 49 +++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320185.py | 78 ++++++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320262.py | 78 ++++++++++++ CVEasy/Cisco/2023/cisco_xr/__init__.py | 0 CVEasy/Cisco/2023/cisco_xr/cve202320049.py | 32 +++++ CVEasy/Cisco/2023/cisco_xr/cve202320064.py | 31 +++++ CVEasy/Cisco/2023/cisco_xr/cve202320135.py | 56 ++++++++ CVEasy/Cisco/2023/cisco_xr/cve202320190.py | 90 +++++++++++++ CVEasy/Cisco/2023/cisco_xr/cve202320191.py | 72 +++++++++++ CVEasy/Cisco/2023/cisco_xr/cve202320233.py | 84 ++++++++++++ CVEasy/Cisco/2023/cisco_xr/cve202320236.py | 93 ++++++++++++++ 16 files changed, 902 insertions(+) create mode 100644 CVEasy/Cisco/2023/cisco_nxos/__init__.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320050.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320089.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320115.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320168.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320169.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320185.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320262.py create mode 100644 CVEasy/Cisco/2023/cisco_xr/__init__.py create mode 100644 CVEasy/Cisco/2023/cisco_xr/cve202320049.py create mode 100644 CVEasy/Cisco/2023/cisco_xr/cve202320064.py create mode 100644 CVEasy/Cisco/2023/cisco_xr/cve202320135.py create mode 100644 CVEasy/Cisco/2023/cisco_xr/cve202320190.py create mode 100644 CVEasy/Cisco/2023/cisco_xr/cve202320191.py create mode 100644 CVEasy/Cisco/2023/cisco_xr/cve202320233.py create mode 100644 CVEasy/Cisco/2023/cisco_xr/cve202320236.py diff --git a/CVEasy/Cisco/2023/cisco_nxos/__init__.py b/CVEasy/Cisco/2023/cisco_nxos/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320050.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320050.py new file mode 100644 index 00000000..4a33b01a --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320050.py @@ -0,0 +1,30 @@ +from comfy import high + + +@high( + name='rule_cve202320050', + platform=['cisco_nxos'], + commands=dict( + check_cli='show running-config | include cli' + ), +) +def rule_cve202320050(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20050 vulnerability in Cisco NX-OS Software. + The vulnerability is due to insufficient validation of arguments that are passed to specific CLI commands. + An attacker could exploit this vulnerability by including crafted input as the argument of an affected command. + """ + # Extract the output of the command to check CLI configuration + cli_output = commands.check_cli + + # Check if CLI command is configured + cli_configured = 'cli' in cli_output + + # Assert that the device is not vulnerable + assert not cli_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20050. " + "The device has CLI command enabled, which could allow an attacker to execute arbitrary commands. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-nxos-cli-cmdinject-euQVK9u" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320089.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320089.py new file mode 100644 index 00000000..83e8aca0 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320089.py @@ -0,0 +1,31 @@ +from comfy import high + + +@high( + name='rule_cve202320089', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_lldp='show running-config | include lldp' + ), +) +def rule_cve202320089(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20089 vulnerability in Cisco Nexus 9000 Series Fabric Switches in ACI Mode. + The vulnerability is due to incorrect error checking when parsing ingress LLDP packets, which could allow + an unauthenticated, adjacent attacker to cause a memory leak, resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check LLDP configuration + lldp_output = commands.check_lldp + + # Check if LLDP is enabled + lldp_enabled = 'lldp' in lldp_output + + # Assert that the device is not vulnerable + assert not lldp_enabled, ( + f"Device {device.name} is vulnerable to CVE-2023-20089. " + "The device is running in ACI Mode AND has LLDP enabled, " + "which could allow an attacker to cause a memory leak and DoS condition. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-lldp-dos-ySCNZOpX" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320115.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320115.py new file mode 100644 index 00000000..0e7b51df --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320115.py @@ -0,0 +1,51 @@ +from comfy import high + + +@high( + name='rule_cve202320115', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_sftp='show running-config | include sftp' + ), +) +def rule_cve202320115(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20115 vulnerability in Cisco NX-OS Software. + The vulnerability is due to a logic error when verifying the user role when an SFTP connection is opened, + which could allow an authenticated, remote attacker to download or overwrite files from the underlying + operating system of an affected device. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + '9.2(1)', '9.2(2)', '9.2(2t)', '9.2(3)', '9.2(4)', '9.2(2v)', + '9.3(1)', '9.3(2)', '9.3(3)', '9.3(4)', '9.3(5)', '9.3(6)', '9.3(7)', '9.3(7a)', + '9.3(8)', '9.3(9)', '9.3(10)', '9.3(11)', '10.1(1)', '10.1(2)', '10.1(2t)', + '10.2(1)', '10.2(1q)', '10.2(2)', '10.2(3)', '10.2(3t)', '10.2(4)', '10.2(5)', + '10.3(1)', '10.3(2)' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check SFTP configuration + sftp_output = commands.check_sftp + + # Check if SFTP is configured + sftp_configured = 'sftp' in sftp_output + + # Assert that the device is not vulnerable + assert not sftp_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20115. " + "The device is running a vulnerable version AND has SFTP configured, " + "which could allow an attacker to download or overwrite files. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-sftp-xVAp5Hfd" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320168.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320168.py new file mode 100644 index 00000000..3ac31e23 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320168.py @@ -0,0 +1,127 @@ +from comfy import high + + +@high( + name='rule_cve202320168', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_tacacs_radius='show running-config | include tacacs|radius' + ), +) +def rule_cve202320168(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20168 vulnerability in Cisco NX-OS Software. + The vulnerability is due to incorrect input validation when processing an authentication attempt + if the directed request option is enabled for TACACS+ or RADIUS, which could allow an unauthenticated, + local attacker to cause the device to unexpectedly reload, resulting in a denial of service (DoS) condition. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 4.2 versions + '4.2(1)SV1(4)', '4.2(1)SV1(4a)', '4.2(1)SV1(4b)', '4.2(1)SV1(5.1)', '4.2(1)SV1(5.1a)', + '4.2(1)SV1(5.2)', '4.2(1)SV1(5.2b)', '4.2(1)SV2(1.1)', '4.2(1)SV2(1.1a)', '4.2(1)SV2(2.1)', + '4.2(1)SV2(2.1a)', '4.2(1)SV2(2.2)', '4.2(1)SV2(2.3)', + # 5.2 versions + '5.2(1)SM1(5.1)', '5.2(1)SM1(5.2)', '5.2(1)SM1(5.2a)', '5.2(1)SM1(5.2b)', '5.2(1)SM1(5.2c)', + '5.2(1)SM3(1.1)', '5.2(1)SM3(1.1a)', '5.2(1)SM3(1.1b)', '5.2(1)SM3(1.1c)', '5.2(1)SM3(2.1)', + '5.2(1)SV3(1.4)', '5.2(1)SV3(1.1)', '5.2(1)SV3(1.3)', '5.2(1)SV3(1.5a)', '5.2(1)SV3(1.5b)', + '5.2(1)SV3(1.6)', '5.2(1)SV3(1.10)', '5.2(1)SV3(1.15)', '5.2(1)SV3(2.1)', '5.2(1)SV3(2.5)', + '5.2(1)SV3(2.8)', '5.2(1)SV3(3.1)', '5.2(1)SV3(1.2)', '5.2(1)SV3(1.4b)', '5.2(1)SV3(3.15)', + '5.2(1)SV3(4.1)', '5.2(1)SV3(4.1a)', '5.2(1)SV3(4.1b)', '5.2(1)SV3(4.1c)', + # 6.0 versions + '6.0(2)A3(1)', '6.0(2)A3(2)', '6.0(2)A3(4)', '6.0(2)A4(1)', '6.0(2)A4(2)', '6.0(2)A4(3)', + '6.0(2)A4(4)', '6.0(2)A4(5)', '6.0(2)A4(6)', '6.0(2)A6(1)', '6.0(2)A6(1a)', '6.0(2)A6(2)', + '6.0(2)A6(2a)', '6.0(2)A6(3)', '6.0(2)A6(3a)', '6.0(2)A6(4)', '6.0(2)A6(4a)', '6.0(2)A6(5)', + '6.0(2)A6(5a)', '6.0(2)A6(5b)', '6.0(2)A6(6)', '6.0(2)A6(7)', '6.0(2)A6(8)', '6.0(2)A7(1)', + '6.0(2)A7(1a)', '6.0(2)A7(2)', '6.0(2)A7(2a)', '6.0(2)A8(1)', '6.0(2)A8(2)', '6.0(2)A8(3)', + '6.0(2)A8(4)', '6.0(2)A8(4a)', '6.0(2)A8(5)', '6.0(2)A8(6)', '6.0(2)A8(7)', '6.0(2)A8(7a)', + '6.0(2)A8(7b)', '6.0(2)A8(8)', '6.0(2)A8(9)', '6.0(2)A8(10a)', '6.0(2)A8(10)', '6.0(2)A8(11)', + '6.0(2)A8(11a)', '6.0(2)A8(11b)', '6.0(2)U2(1)', '6.0(2)U2(2)', '6.0(2)U2(3)', '6.0(2)U2(4)', + '6.0(2)U2(5)', '6.0(2)U2(6)', '6.0(2)U3(1)', '6.0(2)U3(2)', '6.0(2)U3(3)', '6.0(2)U3(4)', + '6.0(2)U3(5)', '6.0(2)U3(6)', '6.0(2)U3(7)', '6.0(2)U3(8)', '6.0(2)U3(9)', '6.0(2)U4(1)', + '6.0(2)U4(2)', '6.0(2)U4(3)', '6.0(2)U4(4)', '6.0(2)U5(1)', '6.0(2)U5(2)', '6.0(2)U5(3)', + '6.0(2)U5(4)', '6.0(2)U6(1)', '6.0(2)U6(2)', '6.0(2)U6(3)', '6.0(2)U6(4)', '6.0(2)U6(5)', + '6.0(2)U6(6)', '6.0(2)U6(7)', '6.0(2)U6(8)', '6.0(2)U6(1a)', '6.0(2)U6(2a)', '6.0(2)U6(3a)', + '6.0(2)U6(4a)', '6.0(2)U6(5a)', '6.0(2)U6(5b)', '6.0(2)U6(5c)', '6.0(2)U6(9)', '6.0(2)U6(10)', + # 6.2 versions + '6.2(2)', '6.2(2a)', '6.2(6)', '6.2(6b)', '6.2(8)', '6.2(8a)', '6.2(8b)', '6.2(10)', + '6.2(12)', '6.2(18)', '6.2(16)', '6.2(14)', '6.2(6a)', '6.2(20)', '6.2(1)', '6.2(3)', + '6.2(5)', '6.2(5a)', '6.2(5b)', '6.2(7)', '6.2(9)', '6.2(9a)', '6.2(9b)', '6.2(9c)', + '6.2(11)', '6.2(11b)', '6.2(11c)', '6.2(11d)', '6.2(11e)', '6.2(13)', '6.2(13a)', '6.2(13b)', + '6.2(15)', '6.2(17)', '6.2(19)', '6.2(21)', '6.2(23)', '6.2(20a)', '6.2(25)', '6.2(22)', + '6.2(27)', '6.2(29)', '6.2(24)', '6.2(31)', '6.2(24a)', '6.2(33)', + # 7.0 versions + '7.0(3)F1(1)', '7.0(3)F2(1)', '7.0(3)F2(2)', '7.0(3)F3(1)', '7.0(3)F3(2)', '7.0(3)F3(3)', + '7.0(3)F3(3a)', '7.0(3)F3(4)', '7.0(3)F3(3c)', '7.0(3)F3(5)', '7.0(3)I2(2a)', '7.0(3)I2(2b)', + '7.0(3)I2(2c)', '7.0(3)I2(2d)', '7.0(3)I2(2e)', '7.0(3)I2(3)', '7.0(3)I2(4)', '7.0(3)I2(5)', + '7.0(3)I2(1)', '7.0(3)I2(1a)', '7.0(3)I2(2)', '7.0(3)I3(1)', '7.0(3)I4(1)', '7.0(3)I4(2)', + '7.0(3)I4(3)', '7.0(3)I4(4)', '7.0(3)I4(5)', '7.0(3)I4(6)', '7.0(3)I4(7)', '7.0(3)I4(8)', + '7.0(3)I4(8a)', '7.0(3)I4(8b)', '7.0(3)I4(8z)', '7.0(3)I4(9)', '7.0(3)I5(1)', '7.0(3)I5(2)', + '7.0(3)I6(1)', '7.0(3)I6(2)', '7.0(3)I7(1)', '7.0(3)I7(2)', '7.0(3)I7(3)', '7.0(3)I7(4)', + '7.0(3)I7(5)', '7.0(3)I7(5a)', '7.0(3)I7(6)', '7.0(3)I7(7)', '7.0(3)I7(8)', '7.0(3)I7(9)', + '7.0(3)I7(10)', + # 7.1 versions + '7.1(0)N1(1a)', '7.1(0)N1(1b)', '7.1(0)N1(1)', '7.1(1)N1(1)', '7.1(2)N1(1)', '7.1(3)N1(1)', + '7.1(3)N1(2)', '7.1(4)N1(1)', '7.1(5)N1(1)', '7.1(5)N1(1b)', + # 7.2 versions + '7.2(0)D1(1)', '7.2(1)D1(1)', '7.2(2)D1(2)', '7.2(2)D1(1)', + # 7.3 versions + '7.3(0)D1(1)', '7.3(0)DX(1)', '7.3(0)DY(1)', '7.3(0)N1(1)', '7.3(1)D1(1)', '7.3(1)DY(1)', + '7.3(1)N1(1)', '7.3(2)D1(1)', '7.3(2)D1(2)', '7.3(2)D1(3)', '7.3(2)D1(3a)', '7.3(2)N1(1)', + '7.3(3)N1(1)', '7.3(4)N1(1)', '7.3(3)D1(1)', '7.3(4)D1(1)', '7.3(5)N1(1)', '7.3(6)N1(1)', + '7.3(5)D1(1)', '7.3(7)N1(1)', '7.3(7)N1(1a)', '7.3(7)N1(1b)', '7.3(6)D1(1)', '7.3(8)N1(1)', + '7.3(7)D1(1)', '7.3(9)N1(1)', '7.3(10)N1(1)', '7.3(8)D1(1)', '7.3(9)D1(1)', '7.3(11)N1(1)', + '7.3(12)N1(1)', '7.3(13)N1(1)', + # 8.0 versions + '8.0(1)', + # 8.1 versions + '8.1(1)', '8.1(2)', '8.1(2a)', '8.1(1a)', '8.1(1b)', + # 8.2 versions + '8.2(1)', '8.2(2)', '8.2(3)', '8.2(4)', '8.2(5)', '8.2(6)', '8.2(7)', '8.2(7a)', '8.2(8)', + '8.2(9)', + # 8.3 versions + '8.3(1)', '8.3(2)', + # 8.4 versions + '8.4(1)', '8.4(1a)', '8.4(2)', '8.4(2a)', '8.4(3)', '8.4(2b)', '8.4(4)', '8.4(2c)', + '8.4(4a)', '8.4(5)', '8.4(2d)', '8.4(6)', '8.4(2e)', '8.4(6a)', '8.4(7)', '8.4(2f)', + # 8.5 versions + '8.5(1)', + # 9.2 versions + '9.2(1)', '9.2(2)', '9.2(2t)', '9.2(3)', '9.2(4)', '9.2(2v)', '9.2(1a)', + # 9.3 versions + '9.3(1)', '9.3(2)', '9.3(3)', '9.3(4)', '9.3(5)', '9.3(6)', '9.3(7)', '9.3(7a)', '9.3(8)', + '9.3(9)', '9.3(10)', '9.3(11)', + # 10.1 versions + '10.1(1)', '10.1(2)', '10.1(2t)', + # 10.2 versions + '10.2(1)', '10.2(1q)', '10.2(2)', '10.2(3)', '10.2(3t)', '10.2(4)', '10.2(5)', + # 10.3 versions + '10.3(1)', '10.3(2)', + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check TACACS+ and RADIUS configuration + tacacs_radius_output = commands.check_tacacs_radius + + # Check if TACACS+ or RADIUS is configured + tacacs_radius_configured = 'tacacs' in tacacs_radius_output or 'radius' in tacacs_radius_output + + # Assert that the device is not vulnerable + assert not tacacs_radius_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20168. " + "The device is running a vulnerable version AND has TACACS+ or RADIUS configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-nxos-remoteauth-dos-XB6pv74m" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320169.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320169.py new file mode 100644 index 00000000..b852e19f --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320169.py @@ -0,0 +1,49 @@ +from comfy import high + + +@high( + name='rule_cve202320169', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_isis='show running-config | include router isis' + ), +) +def rule_cve202320169(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20169 vulnerability in Cisco NX-OS Software. + The vulnerability is due to insufficient input validation when parsing an ingress IS-IS packet, + which could allow an unauthenticated, adjacent attacker to cause the IS-IS process to unexpectedly restart, + resulting in a denial of service (DoS) condition. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 10.3 versions + '10.3(2)', + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check IS-IS configuration + isis_output = commands.check_isis + + # Check if IS-IS is configured + isis_configured = 'router isis' in isis_output + + # Assert that the device is not vulnerable + assert not isis_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20169. " + "The device is running a vulnerable version AND has IS-IS configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-nxos-n3_9k-isis-dos-FTCXB4Vb" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320185.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320185.py new file mode 100644 index 00000000..3820950c --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320185.py @@ -0,0 +1,78 @@ +from comfy import high + + +@high( + name='rule_cve202320185', + platform=['cisco_nxos'], + commands=dict( + show_version='show version', + check_cloudsec='show running-config | include cloudsec' + ), +) +def rule_cve202320185(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20185 vulnerability in Cisco NX-OS System Software in ACI Mode. + The vulnerability is due to an issue with the implementation of the ciphers used by the + CloudSec encryption feature, which could allow an unauthenticated, remote attacker to read or modify + intersite encrypted traffic. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 14.0 versions + '14.0(1h)', '14.0(2c)', '14.0(3d)', '14.0(3c)', + # 14.1 versions + '14.1(1i)', '14.1(1j)', '14.1(1k)', '14.1(1l)', + '14.1(2g)', '14.1(2m)', '14.1(2o)', '14.1(2s)', + '14.1(2u)', '14.1(2w)', '14.1(2x)', + # 14.2 versions + '14.2(1i)', '14.2(1j)', '14.2(1l)', '14.2(2e)', + '14.2(2f)', '14.2(2g)', '14.2(3j)', '14.2(3l)', + '14.2(3n)', '14.2(3q)', '14.2(4i)', '14.2(4k)', + '14.2(4o)', '14.2(4p)', '14.2(5k)', '14.2(5l)', + '14.2(5n)', '14.2(6d)', '14.2(6g)', '14.2(6h)', + '14.2(6l)', '14.2(7f)', '14.2(7l)', '14.2(6o)', + '14.2(7q)', '14.2(7r)', '14.2(7s)', '14.2(7t)', + '14.2(7u)', '14.2(7v)', '14.2(7w)', + # 15.0 versions + '15.0(1k)', '15.0(1l)', '15.0(2e)', '15.0(2h)', + # 15.1 versions + '15.1(1h)', '15.1(2e)', '15.1(3e)', '15.1(4c)', + # 15.2 versions + '15.2(1g)', '15.2(2e)', '15.2(2f)', '15.2(2g)', + '15.2(2h)', '15.2(3e)', '15.2(3f)', '15.2(3g)', + '15.2(4d)', '15.2(4e)', '15.2(5c)', '15.2(5d)', + '15.2(5e)', '15.2(4f)', '15.2(6e)', '15.2(6g)', + '15.2(7f)', '15.2(7g)', '15.2(8d)', '15.2(8e)', + '15.2(8f)', '15.2(8g)', '15.2(8h)', + # 16.0 versions + '16.0(1g)', '16.0(1j)', '16.0(2h)', '16.0(2j)', + '16.0(3d)', '16.0(3e)', + # 15.3 versions + '15.3(1d)', + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check CloudSec configuration + cloudsec_output = commands.check_cloudsec + + # Check if CloudSec is configured + cloudsec_configured = 'cloudsec' in cloudsec_output + + # Assert that the device is not vulnerable + assert not cloudsec_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20185. " + "The device is running a vulnerable version AND has CloudSec configured, " + "which could allow an attacker to read or modify intersite encrypted traffic. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-aci-cloudsec-enc-Vs5Wn2sX" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320262.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320262.py new file mode 100644 index 00000000..c0ed1a15 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320262.py @@ -0,0 +1,78 @@ +from comfy import high + + +@high( + name='rule_cve202320262', + platform=['cisco_sdwan'], + commands=dict( + show_version='show version', + check_ssh='show running-config | include ssh' + ), +) +def rule_cve202320262(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20262 vulnerability in Cisco Catalyst SD-WAN Manager. + The vulnerability is due to insufficient resource management when an affected system is in an error condition, + which could allow an unauthenticated, remote attacker to cause a process crash, resulting in a DoS condition + for SSH access. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 17.2 versions + '17.2.4', '17.2.5', '17.2.6', '17.2.7', '17.2.8', '17.2.9', '17.2.10', + # 18.2 versions + '18.2.0', + # 18.3 versions + '18.3.0', '18.3.1', '18.3.3', '18.3.3.1', '18.3.4', '18.3.5', '18.3.6', '18.3.7', '18.3.8', + # 18.4 versions + '18.4.0', '18.4.0.1', '18.4.1', '18.4.3', '18.4.302', '18.4.303', '18.4.4', '18.4.5', '18.4.6', + # 19.1 versions + '19.1.0', + # 19.2 versions + '19.2.0', '19.2.097', '19.2.099', '19.2.1', '19.2.2', '19.2.3', '19.2.31', '19.2.929', '19.2.4', + # 19.3 versions + '19.3.0', + # 20.1 versions + '20.1.1', '20.1.1.1', '20.1.11', '20.1.12', '20.1.2', '20.1.3', '20.1.3.1', + # 20.3 versions + '20.3.1', '20.3.2', '20.3.2.1', '20.3.3', '20.3.3.1', '20.3.4', '20.3.4.1', '20.3.4.2', '20.3.4.3', '20.3.5', '20.3.5.1', '20.3.6', + # 20.4 versions + '20.4.1', '20.4.1.1', '20.4.1.2', '20.4.2', '20.4.2.1', '20.4.2.2', '20.4.2.3', + # 20.5 versions + '20.5.1', '20.5.1.1', '20.5.1.2', + # 20.6 versions + '20.6.1', '20.6.1.1', '20.6.1.2', '20.6.2', '20.6.2.1', '20.6.2.2', '20.6.3', '20.6.3.1', '20.6.3.2', '20.6.3.3', '20.6.3.4', '20.6.4', '20.6.4.1', '20.6.4.2', '20.6.5', '20.6.5.2', '20.6.5.4', '20.6.5.5', + # 20.7 versions + '20.7.1', '20.7.1.1', + # 20.8 versions + '20.8.1', + # 20.9 versions + '20.9.1', '20.9.2.3', + # 20.10 versions + '20.10.1.2' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check SSH configuration + ssh_output = commands.check_ssh + + # Check if SSH is configured + ssh_configured = 'ssh' in ssh_output + + # Assert that the device is not vulnerable + assert not ssh_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20262. " + "The device is running a vulnerable version AND has SSH configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vman-sc-LRLfu2z" + ) diff --git a/CVEasy/Cisco/2023/cisco_xr/__init__.py b/CVEasy/Cisco/2023/cisco_xr/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/CVEasy/Cisco/2023/cisco_xr/cve202320049.py b/CVEasy/Cisco/2023/cisco_xr/cve202320049.py new file mode 100644 index 00000000..22870325 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xr/cve202320049.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320049', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_bfd='show running-config | include bfd' + ), +) +def rule_cve202320049(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20049 vulnerability in Cisco IOS XR Software for ASR 9000 Series Routers. + The vulnerability is due to incorrect handling of malformed BFD packets that are received on line cards + where the BFD hardware offload feature is enabled. An attacker could exploit this vulnerability by sending + a crafted IPv4 BFD packet to an affected device, causing a line card to reset and resulting in a DoS condition. + """ + # Extract the output of the command to check BFD configuration + bfd_output = commands.check_bfd + + # Check if BFD hardware offload is configured + bfd_hardware_offload_configured = 'bfd' in bfd_output + + # Assert that the device is not vulnerable + assert not bfd_hardware_offload_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20049. " + "The device has BFD hardware offload configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bfd-XmRescbT" + ) diff --git a/CVEasy/Cisco/2023/cisco_xr/cve202320064.py b/CVEasy/Cisco/2023/cisco_xr/cve202320064.py new file mode 100644 index 00000000..6155a526 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xr/cve202320064.py @@ -0,0 +1,31 @@ +from comfy import high + + +@high( + name='rule_cve202320064', + platform=['cisco_xr'], + commands=dict( + check_grub='show running-config | include grub' + ), +) +def rule_cve202320064(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20064 vulnerability in Cisco IOS XR Software. + The vulnerability is due to the inclusion of unnecessary commands within the GRUB environment + that allow sensitive files to be viewed. An attacker could exploit this vulnerability by being + connected to the console port of the Cisco IOS XR device when the device is power-cycled. + """ + # Extract the output of the command to check GRUB configuration + grub_output = commands.check_grub + + # Check if GRUB configuration is present + grub_configured = 'grub' in grub_output + + # Assert that the device is not vulnerable + assert not grub_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20064. " + "The device has GRUB configuration that could allow an attacker to view sensitive files. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-iosxr-load-infodisc-9rdOr5Fq" + ) diff --git a/CVEasy/Cisco/2023/cisco_xr/cve202320135.py b/CVEasy/Cisco/2023/cisco_xr/cve202320135.py new file mode 100644 index 00000000..65590181 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xr/cve202320135.py @@ -0,0 +1,56 @@ +from comfy import high + + +@high( + name='rule_cve202320135', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_install='show install active summary' + ), +) +def rule_cve202320135(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20135 vulnerability in Cisco IOS XR Software. + The vulnerability is due to a time-of-check, time-of-use (TOCTOU) race condition when an install query + regarding an ISO image is performed during an install operation that uses an ISO image. + An attacker could exploit this vulnerability by modifying an ISO image and then carrying out install + requests in parallel. + A successful exploit could allow the attacker to execute arbitrary code on an affected device. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 7.5 versions + '7.5.2', '7.5.3', '7.5.4', + # 7.7 versions + '7.7.1', '7.7.2', '7.7.21', + # 7.8 versions + '7.8.1', '7.8.2', + # 7.9 versions + '7.9.1', '7.9.2' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check install configuration + install_output = commands.check_install + + # Check if any suspicious install operations are present + install_issue_detected = 'install' in install_output + + # Assert that the device is not vulnerable + assert not install_issue_detected, ( + f"Device {device.name} is vulnerable to CVE-2023-20135. " + "The device is running a vulnerable version AND has suspicious install operations, " + "which could allow an attacker to execute arbitrary code. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lnt-L9zOkBz5" + ) diff --git a/CVEasy/Cisco/2023/cisco_xr/cve202320190.py b/CVEasy/Cisco/2023/cisco_xr/cve202320190.py new file mode 100644 index 00000000..53c1642a --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xr/cve202320190.py @@ -0,0 +1,90 @@ +from comfy import high + + +@high( + name='rule_cve202320190', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_acl='show running-config | include ipv4 access-list' + ), +) +def rule_cve202320190(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20190 vulnerability in Cisco IOS XR Software. + The vulnerability is due to incorrect destination address range encoding in the compression module + of an ACL that is applied to an interface of an affected device. An attacker could exploit this + vulnerability by sending traffic through the affected device that should be denied by the configured ACL. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 5.2 versions + '5.2.0', '5.2.1', '5.2.2', '5.2.3', '5.2.4', '5.2.5', '5.2.47', + # 5.3 versions + '5.3.0', '5.3.1', '5.3.2', '5.3.3', '5.3.4', + # 6.0 versions + '6.0.0', '6.0.1', '6.0.2', + # 6.1 versions + '6.1.1', '6.1.2', '6.1.3', '6.1.4', '6.1.12', '6.1.22', '6.1.32', + '6.1.36', '6.1.42', + # 6.2 versions + '6.2.1', '6.2.2', '6.2.3', '6.2.25', '6.2.11', + # 6.3 versions + '6.3.2', '6.3.3', '6.3.15', + # 6.4 versions + '6.4.1', '6.4.2', '6.4.3', + # 6.5 versions + '6.5.1', '6.5.2', '6.5.3', '6.5.25', '6.5.26', '6.5.28', '6.5.29', + '6.5.32', '6.5.33', + # 6.6 versions + '6.6.2', '6.6.3', '6.6.25', '6.6.4', + # 6.7 versions + '6.7.1', '6.7.2', '6.7.3', '6.7.4', + # 6.8 versions + '6.8.1', '6.8.2', + # 6.9 versions + '6.9.1', '6.9.2', + # 7.0 versions + '7.0.1', '7.0.2', '7.0.12', '7.0.14', + # 7.1 versions + '7.1.1', '7.1.15', '7.1.2', '7.1.3', + # 7.2 versions + '7.2.0', '7.2.1', '7.2.2', + # 7.3 versions + '7.3.1', '7.3.15', '7.3.2', '7.3.3', + # 7.4 versions + '7.4.1', '7.4.2', + # 7.5 versions + '7.5.1', '7.5.2', '7.5.3', + # 7.6 versions + '7.6.1', '7.6.2', + # 7.7 versions + '7.7.1', '7.7.2', + # 7.8 versions + '7.8.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check ACL configuration + acl_output = commands.check_acl + + # Check if ACL is configured + acl_configured = 'ipv4 access-list' in acl_output + + # Assert that the device is not vulnerable + assert not acl_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20190. " + "The device is running a vulnerable version AND has ACLs configured, " + "which could allow an attacker to bypass ACL protections. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-comp3acl-vGmp6BQ3" + ) diff --git a/CVEasy/Cisco/2023/cisco_xr/cve202320191.py b/CVEasy/Cisco/2023/cisco_xr/cve202320191.py new file mode 100644 index 00000000..55f1d91b --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xr/cve202320191.py @@ -0,0 +1,72 @@ +from comfy import high + + +@high( + name='rule_cve202320191', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_mpls_acl='show running-config | include mpls|access-list' + ), +) +def rule_cve202320191(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20191 vulnerability in Cisco IOS XR Software. + The vulnerability is due to incomplete support for ACL processing on MPLS interfaces in the ingress direction. + An attacker could exploit this vulnerability by attempting to send traffic through an affected device, + which could allow the attacker to bypass an ACL on the affected device. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 6.4 versions + '6.4.1', + # 6.5 versions + '6.5.1', '6.5.2', '6.5.3', + # 6.6 versions + '6.6.2', '6.6.3', '6.6.25', '6.6.4', + # 7.0 versions + '7.0.1', '7.0.2', + # 7.1 versions + '7.1.1', '7.1.2', + # 7.2 versions + '7.2.1', '7.2.2', + # 7.3 versions + '7.3.1', '7.3.2', '7.3.3', '7.3.5', + # 7.4 versions + '7.4.1', '7.4.2', + # 7.5 versions + '7.5.1', '7.5.2', '7.5.3', '7.5.4', + # 7.6 versions + '7.6.1', '7.6.2', + # 7.7 versions + '7.7.1', '7.7.2', + # 7.8 versions + '7.8.1', '7.8.2', + # 7.9 versions + '7.9.1' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check MPLS and ACL configuration + mpls_acl_output = commands.check_mpls_acl + + # Check if MPLS and ACL are configured + mpls_acl_configured = 'mpls' in mpls_acl_output and 'access-list' in mpls_acl_output + + # Assert that the device is not vulnerable + assert not mpls_acl_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20191. " + "The device is running a vulnerable version AND has ACLs configured on MPLS interfaces, " + "which could allow an attacker to bypass ACL protections. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnx-acl-PyzDkeYF" + ) diff --git a/CVEasy/Cisco/2023/cisco_xr/cve202320233.py b/CVEasy/Cisco/2023/cisco_xr/cve202320233.py new file mode 100644 index 00000000..3f5975a8 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xr/cve202320233.py @@ -0,0 +1,84 @@ +from comfy import high + + +@high( + name='rule_cve202320233', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_cfm='show running-config | include ethernet cfm' + ), +) +def rule_cve202320233(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20233 vulnerability in Cisco IOS XR Software. + The vulnerability is due to incorrect processing of invalid continuity check messages (CCMs). + An attacker could exploit this vulnerability by sending crafted CCMs to an affected device, + causing the CFM service to crash when a user displays information about maintenance end points (MEPs). + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 5.2 versions + '5.2.0', '5.2.1', '5.2.2', '5.2.3', '5.2.4', '5.2.5', + # 5.3 versions + '5.3.0', '5.3.1', '5.3.2', '5.3.3', '5.3.4', + # 6.1 versions + '6.1.1', '6.1.2', '6.1.3', '6.1.4', + # 6.2 versions + '6.2.1', '6.2.2', '6.2.3', '6.2.25', + # 6.3 versions + '6.3.2', '6.3.3', '6.3.15', + # 6.4 versions + '6.4.1', '6.4.2', '6.4.3', + # 6.5 versions + '6.5.1', '6.5.2', + # 6.6 versions + '6.6.2', '6.6.3', '6.6.25', '6.6.4', + # 6.7 versions + '6.7.1', '6.7.2', '6.7.3', '6.7.4', + # 6.8 versions + '6.8.1', '6.8.2', + # 6.9 versions + '6.9.1', '6.9.2', + # 7.0 versions + '7.0.1', '7.0.2', + # 7.1 versions + '7.1.1', '7.1.15', '7.1.2', '7.1.3', + # 7.2 versions + '7.2.1', '7.2.2', + # 7.3 versions + '7.3.1', '7.3.2', '7.3.3', + # 7.4 versions + '7.4.1', '7.4.2', + # 7.5 versions + '7.5.1', '7.5.2', '7.5.3', + # 7.6 versions + '7.6.1', '7.6.2', + # 7.7 versions + '7.7.1', '7.7.2' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check CFM configuration + cfm_output = commands.check_cfm + + # Check if CFM is configured + cfm_configured = 'ethernet cfm' in cfm_output + + # Assert that the device is not vulnerable + assert not cfm_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20233. " + "The device is running a vulnerable version AND has CFM configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xr-cfm-3pWN8MKt" + ) diff --git a/CVEasy/Cisco/2023/cisco_xr/cve202320236.py b/CVEasy/Cisco/2023/cisco_xr/cve202320236.py new file mode 100644 index 00000000..35751d2f --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_xr/cve202320236.py @@ -0,0 +1,93 @@ +from comfy import high + + +@high( + name='rule_cve202320236', + platform=['cisco_xr'], + commands=dict( + show_version='show version', + check_ipxe='show running-config | include ipxe' + ), +) +def rule_cve202320236(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20236 vulnerability in Cisco IOS XR Software. + The vulnerability is due to insufficient image verification in the iPXE boot function. + An attacker could exploit this vulnerability by manipulating the boot parameters for image + verification during the iPXE boot process, allowing them to install an unverified software image. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 5.2 versions + '5.2.0', '5.2.1', '5.2.2', '5.2.3', '5.2.4', '5.2.5', '5.2.47', + # 5.3 versions + '5.3.0', '5.3.1', '5.3.2', '5.3.3', '5.3.4', + # 6.0 versions + '6.0.0', '6.0.1', '6.0.2', + # 6.1 versions + '6.1.1', '6.1.2', '6.1.3', '6.1.4', '6.1.12', '6.1.22', '6.1.32', + '6.1.36', '6.1.42', + # 6.2 versions + '6.2.1', '6.2.2', '6.2.3', '6.2.25', '6.2.11', + # 6.3 versions + '6.3.2', '6.3.3', '6.3.15', + # 6.4 versions + '6.4.1', '6.4.2', '6.4.3', + # 6.5 versions + '6.5.1', '6.5.2', '6.5.3', '6.5.25', '6.5.26', '6.5.28', '6.5.29', + '6.5.32', '6.5.33', + # 6.6 versions + '6.6.2', '6.6.3', '6.6.25', '6.6.4', + # 6.7 versions + '6.7.1', '6.7.2', '6.7.3', '6.7.4', + # 6.8 versions + '6.8.1', '6.8.2', + # 6.9 versions + '6.9.1', '6.9.2', + # 7.0 versions + '7.0.1', '7.0.2', '7.0.12', '7.0.14', + # 7.1 versions + '7.1.1', '7.1.15', '7.1.2', '7.1.3', + # 7.2 versions + '7.2.0', '7.2.1', '7.2.2', + # 7.3 versions + '7.3.1', '7.3.15', '7.3.2', '7.3.3', '7.3.5', + # 7.4 versions + '7.4.1', '7.4.2', + # 7.5 versions + '7.5.1', '7.5.2', '7.5.3', '7.5.4', + # 7.6 versions + '7.6.1', '7.6.2', + # 7.7 versions + '7.7.1', '7.7.2', '7.7.21', + # 7.8 versions + '7.8.1', '7.8.2', + # 7.9 versions + '7.9.1', '7.9.2' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check iPXE configuration + ipxe_output = commands.check_ipxe + + # Check if iPXE is configured + ipxe_configured = 'ipxe' in ipxe_output + + # Assert that the device is not vulnerable + assert not ipxe_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20236. " + "The device is running a vulnerable version AND has iPXE configured, " + "which could allow an attacker to install unverified software images. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-iosxr-ipxe-sigbypass-pymfyqgB" + ) From 501c2f67ce5e23cb6a965c62827ba9af4c0e8c81 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Tue, 3 Jun 2025 11:17:10 +0000 Subject: [PATCH 19/22] xr and nxos 2023 CVEs --- CVEasy/Cisco/2023/cisco_nxos/cve202320027.py | 32 ++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320029.py | 32 ++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320033.py | 59 +++++++++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320035.py | 32 ++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320065.py | 61 +++++++++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320066.py | 32 ++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320067.py | 33 ++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320072.py | 32 ++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320082.py | 40 ++++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320100.py | 33 ++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320185.py | 4 +- CVEasy/Cisco/2023/cisco_nxos/cve202320187.py | 63 ++++++++++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320198.py | 77 +++++++++++++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320202.py | 51 +++++++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320226.py | 54 +++++++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320227.py | 67 +++++++++++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320231.py | 65 ++++++++++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320235.py | 63 ++++++++++++++++ CVEasy/Cisco/2023/cisco_nxos/cve202320262.py | 8 +- CVEasy/Cisco/2023/cisco_nxos/cve202320273.py | 79 ++++++++++++++++++++ 20 files changed, 912 insertions(+), 5 deletions(-) create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320027.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320029.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320033.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320035.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320065.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320066.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320067.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320072.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320082.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320100.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320187.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320198.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320202.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320226.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320227.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320231.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320235.py create mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320273.py diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320027.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320027.py new file mode 100644 index 00000000..ab5702a2 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320027.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320027', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_vfr='show running-config | include ip virtual-reassembly' + ), +) +def rule_cve202320027(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20027 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper reassembly of large packets when Virtual Fragmentation + Reassembly (VFR) is enabled on either a tunnel interface or on a physical interface that is + configured with an MTU greater than 4,615 bytes. + """ + # Extract the output of the command to check VFR configuration + vfr_output = commands.check_vfr + + # Check if VFR is configured + vfr_configured = 'ip virtual-reassembly' in vfr_output + + # Assert that the device is not vulnerable + assert not vfr_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20027. " + "The device has Virtual Fragmentation Reassembly (VFR) enabled, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv4-vfr-dos-CXxtFacb" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320029.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320029.py new file mode 100644 index 00000000..130310ce --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320029.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320029', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_meraki='show running-config | include meraki' + ), +) +def rule_cve202320029(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20029 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient memory protection in the Meraki onboarding feature. + An attacker could exploit this vulnerability by modifying the Meraki registration parameters, + which could allow them to elevate privileges to root. + """ + # Extract the output of the command to check Meraki configuration + meraki_output = commands.check_meraki + + # Check if Meraki onboarding is configured + meraki_configured = 'meraki' in meraki_output + + # Assert that the device is not vulnerable + assert not meraki_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20029. " + "The device has Meraki onboarding feature enabled, " + "which could allow an attacker to elevate privileges to root. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-sABD8hcU" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320033.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320033.py new file mode 100644 index 00000000..879e054d --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320033.py @@ -0,0 +1,59 @@ +from comfy import high + + +@high( + name='rule_cve202320033', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_mgmt='show running-config | include interface GigabitEthernet0' + ), +) +def rule_cve202320033(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20033 vulnerability in Cisco IOS XE Software for + Catalyst 3650/3850 Series Switches. The vulnerability is due to improper resource + management when processing traffic received on the management interface. + An attacker could exploit this vulnerability by sending a high rate of traffic to + the management interface. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 16.3 versions + '16.3.1', '16.3.2', '16.3.3', '16.3.1a', '16.3.4', '16.3.5', '16.3.5b', + '16.3.6', '16.3.7', '16.3.8', '16.3.9', '16.3.10', '16.3.11', + # 16.4-16.9 versions + '16.4.1', '16.5.1', '16.5.1a', '16.6.1', '16.6.2', '16.6.3', '16.6.4', + '16.6.5', '16.6.4a', '16.6.6', '16.6.7', '16.6.8', '16.6.9', '16.6.10', + '16.7.1', '16.8.1', '16.8.1a', '16.8.1s', '16.9.1', '16.9.2', '16.9.1s', + '16.9.3', '16.9.4', '16.9.3a', '16.9.5', '16.9.6', '16.9.7', '16.9.8', + # 16.11-16.12 versions + '16.11.1', '16.11.2', '16.11.1s', '16.12.1', '16.12.1s', '16.12.2', + '16.12.3', '16.12.8', '16.12.4', '16.12.3s', '16.12.3a', '16.12.5', + '16.12.6', '16.12.5b', '16.12.6a', '16.12.7', '16.12.9' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check management interface configuration + mgmt_output = commands.check_mgmt + + # Check if management interface is configured + mgmt_configured = 'interface GigabitEthernet0' in mgmt_output + + # Assert that the device is not vulnerable + assert not mgmt_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20033. " + "The device is running a vulnerable version AND has management interface configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cat3k-dos-ZZA4Gb3r" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320035.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320035.py new file mode 100644 index 00000000..64f73331 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320035.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320035', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_sdwan='show running-config | include sdwan' + ), +) +def rule_cve202320035(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20035 vulnerability in Cisco IOS XE SD-WAN Software. + The vulnerability is due to insufficient input validation by the system CLI. + An attacker with privileges to run commands could exploit this vulnerability by submitting + crafted input to the system CLI, allowing them to execute commands with root-level privileges. + """ + # Extract the output of the command to check SD-WAN configuration + sdwan_output = commands.check_sdwan + + # Check if SD-WAN is configured + sdwan_configured = 'sdwan' in sdwan_output + + # Assert that the device is not vulnerable + assert not sdwan_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20035. " + "The device has SD-WAN configured with CLI access, " + "which could allow an attacker to execute arbitrary commands with root privileges. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-sdwan-VQAhEjYw" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320065.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320065.py new file mode 100644 index 00000000..7868db88 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320065.py @@ -0,0 +1,61 @@ +from comfy import high + + +@high( + name='rule_cve202320065', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_iox='show running-config | include iox' + ), +) +def rule_cve202320065(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20065 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient restrictions on the hosted application in the + Cisco IOx application hosting subsystem. An attacker could exploit this vulnerability + by logging in to and then escaping the Cisco IOx application container. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions + vulnerable_versions = [ + # 16.4 versions + '16.4.1', '16.4.2', '16.4.3', + # 17.3 versions + '17.3.1', '17.3.2', '17.3.3', '17.3.1a', '17.3.1w', '17.3.2a', '17.3.1x', + '17.3.1z', '17.3.4', '17.3.5', '17.3.4a', '17.3.6', '17.3.4b', '17.3.4c', + '17.3.5a', '17.3.5b', + # 17.4-17.9 versions + '17.4.1', '17.4.2', '17.4.1a', '17.4.1b', '17.4.2a', + '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', + '17.6.1', '17.6.2', '17.6.1w', '17.6.1a', '17.6.1x', '17.6.3', '17.6.1y', + '17.6.1z', '17.6.3a', '17.6.4', '17.6.1z1', + '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', + '17.8.1', '17.8.1a', + '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.2a' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check IOx configuration + iox_output = commands.check_iox + + # Check if IOx is configured + iox_configured = 'iox' in iox_output + + # Assert that the device is not vulnerable + assert not iox_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20065. " + "The device is running a vulnerable version AND has IOx application hosting configured, " + "which could allow an attacker to elevate privileges to root. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-iox-priv-escalate-Xg8zkyPk" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320066.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320066.py new file mode 100644 index 00000000..fe5595f2 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320066.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320066', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|webui' + ), +) +def rule_cve202320066(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20066 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient security configuration in the web UI. + An attacker could exploit this vulnerability by sending a crafted request to the web UI, + allowing them to gain read access to files outside the filesystem mountpoint. + """ + # Extract the output of the command to check web UI configuration + webui_output = commands.check_webui + + # Check if web UI is enabled + webui_enabled = any(service in webui_output for service in ['ip http', 'webui']) + + # Assert that the device is not vulnerable + assert not webui_enabled, ( + f"Device {device.name} is vulnerable to CVE-2023-20066. " + "The device has web UI enabled, which could allow an attacker to access files " + "outside the filesystem mountpoint through path traversal. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-pthtrv-es7GSb9V" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320067.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320067.py new file mode 100644 index 00000000..99a14000 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320067.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202320067', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_wlc='show running-config | include wireless|http client' + ), +) +def rule_cve202320067(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20067 vulnerability in Cisco IOS XE Software for Wireless LAN Controllers. + The vulnerability is due to insufficient input validation of received traffic in the " + "HTTP-based client profiling feature. + An attacker could exploit this vulnerability by sending crafted traffic through a wireless access point, + causing high CPU utilization and a denial of service condition. + """ + # Extract the output of the command to check WLC and HTTP client profiling configuration + wlc_output = commands.check_wlc + + # Check if WLC and HTTP client profiling are configured + wlc_configured = 'wireless' in wlc_output and 'http client' in wlc_output + + # Assert that the device is not vulnerable + assert not wlc_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20067. " + "The device has wireless LAN controller and HTTP client profiling enabled, " + "which could allow an attacker to cause a denial of service condition. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-dos-wFujBHKw" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320072.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320072.py new file mode 100644 index 00000000..fdc3b154 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320072.py @@ -0,0 +1,32 @@ +from comfy import high + + +@high( + name='rule_cve202320072', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_tunnel='show running-config | include tunnel|gre' + ), +) +def rule_cve202320072(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20072 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper handling of large fragmented tunnel protocol packets. + An attacker could exploit this vulnerability by sending crafted fragmented packets to an affected system, + causing it to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the output of the command to check tunnel configuration + tunnel_output = commands.check_tunnel + + # Check if any tunnel protocols (like GRE) are configured + tunnel_configured = any(protocol in tunnel_output for protocol in ['tunnel', 'gre']) + + # Assert that the device is not vulnerable + assert not tunnel_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20072. " + "The device has tunnel protocols configured (e.g., GRE), " + "which could allow an attacker to cause a denial of service through crafted fragmented packets. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-gre-crash-p6nE5Sq5" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320082.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320082.py new file mode 100644 index 00000000..01596507 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320082.py @@ -0,0 +1,40 @@ +from comfy import high + + +@high( + name='rule_cve202320082', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include Chassis' + ), +) +def rule_cve202320082(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20082 vulnerability in Cisco IOS XE Software + for Catalyst 9300 Series Switches. The vulnerability is due to errors that occur + when retrieving the public release key used for image signature verification. + An attacker could exploit this vulnerability by modifying specific variables in the + SPI flash memory, allowing them to execute persistent code at boot time and break + the chain of trust. + """ + # Extract the output of the command to check platform type + platform_output = commands.check_platform + + # Check if the device is a Catalyst 9300 Series Switch + is_cat9300 = 'C9300' in platform_output + + # Extract the version information from the command output + version_output = commands.show_version + + # Check if version is before 16.11.1 (more vulnerable) + version_pre_16_11_1 = not any(ver in version_output for ver in ['16.11.1', '16.12', '17.']) + + # Assert that the device is not vulnerable + assert not (is_cat9300 and version_pre_16_11_1), ( + f"Device {device.name} is vulnerable to CVE-2023-20082. " + "The device is a Catalyst 9300 Series Switch running a version before 16.11.1, " + "which could allow an attacker to execute persistent code at boot time. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9300-spi-ace-yejYgnNQ" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320100.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320100.py new file mode 100644 index 00000000..058d47b6 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320100.py @@ -0,0 +1,33 @@ +from comfy import high + + +@high( + name='rule_cve202320100', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_capwap='show running-config | include wireless|capwap' + ), +) +def rule_cve202320100(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20100 vulnerability in Cisco IOS XE Software for Wireless LAN Controllers. + The vulnerability is due to a logic error in the access point (AP) joining process of the Control and + Provisioning of Wireless Access Points (CAPWAP) protocol. An attacker could exploit this vulnerability + by adding a malicious AP to the network and causing specific conditions during the AP joining process. + """ + # Extract the output of the command to check CAPWAP/wireless configuration + capwap_output = commands.check_capwap + + # Check if wireless/CAPWAP is configured + wireless_configured = 'wireless' in capwap_output and 'capwap' in capwap_output + + # Assert that the device is not vulnerable + assert not wireless_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20100. " + "The device has wireless LAN controller and CAPWAP configured, " + "which could allow an attacker to cause a denial of service through the AP joining process. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-c9800-apjoin-dos-nXRHkt5" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320185.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320185.py index 3820950c..b1f976ab 100644 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320185.py +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320185.py @@ -12,8 +12,8 @@ def rule_cve202320185(configuration, commands, device, devices): """ This rule checks for the CVE-2023-20185 vulnerability in Cisco NX-OS System Software in ACI Mode. - The vulnerability is due to an issue with the implementation of the ciphers used by the - CloudSec encryption feature, which could allow an unauthenticated, remote attacker to read or modify + The vulnerability is due to an issue with the implementation of the ciphers used by the + CloudSec encryption feature, which could allow an unauthenticated, remote attacker to read or modify intersite encrypted traffic. """ # Extract the version information from the command output diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320187.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320187.py new file mode 100644 index 00000000..3ae0e266 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320187.py @@ -0,0 +1,63 @@ +from comfy import high + + +@high( + name='rule_cve202320187', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_platform='show inventory | include ASR1', + check_ipv6='show running-config | include ipv6 multicast' + ), +) +def rule_cve202320187(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20187 vulnerability in Cisco IOS XE Software for ASR 1000 Series routers. + The vulnerability is due to incorrect handling of certain IPv6 multicast packets when they are fanned out + more than seven times on an affected device. An attacker could exploit this vulnerability by sending + specific IPv6 multicast or IPv6 multicast VPN (MVPNv6) packets through the affected device. + """ + # Extract the output of the command to check platform type + platform_output = commands.check_platform + + # Check if the device is an ASR 1000 Series router + is_asr1000 = 'ASR1' in platform_output + + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + '3.7.1S', '3.7.2S', '3.7.3S', '3.7.4S', '3.7.5S', '3.7.6S', '3.7.7S', '3.7.2tS', + '3.8.0S', '3.8.1S', '3.8.2S', '3.9.0S', '3.9.1S', '3.9.2S', + '3.10.0S', '3.10.1S', '3.10.2S', '3.10.3S', '3.10.4S', '3.10.5S', '3.10.6S', + '3.10.7S', '3.10.8S', '3.10.9S', '3.10.10S', '3.10.1xbS', '3.10.8aS', + '3.11.0S', '3.11.1S', '3.11.2S', '3.11.3S', '3.11.4S', + '3.12.0S', '3.12.1S', '3.12.2S', '3.12.3S', '3.12.4S', + '3.13.0S', '3.13.1S', '3.13.2S', '3.13.3S', '3.13.4S', '3.13.5S', '3.13.2aS', + '3.13.5aS', '3.13.6S', '3.13.7S', '3.13.6aS', '3.13.8S', '3.13.9S', '3.13.10S', + '3.14.0S', '3.14.1S', '3.14.2S', '3.14.3S', '3.14.4S', + '3.15.0S', '3.15.1S', '3.15.2S', '3.15.3S', '3.15.4S', + '3.16.0S', '3.16.1aS', '3.16.2S', '3.16.3S', '3.16.2bS', '3.16.4aS', '3.16.4bS', + '3.16.5S', '3.16.6S', '3.16.7S', '3.16.6bS', '3.16.7aS', '3.16.7bS', '3.16.8S', + '3.16.9S', '3.16.10S', + '3.17.0S', '3.17.1S', '3.17.2S', '3.17.1aS', '3.17.3S', '3.17.4S' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # Extract the output of the command to check IPv6 multicast configuration + ipv6_output = commands.check_ipv6 + + # Check if IPv6 multicast is configured + ipv6_multicast_configured = 'ipv6 multicast' in ipv6_output + + # Assert that the device is not vulnerable + assert not (is_asr1000 and version_vulnerable and ipv6_multicast_configured), ( + f"Device {device.name} is vulnerable to CVE-2023-20187. " + "The device is an ASR 1000 Series router running a vulnerable version with IPv6 multicast configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-mlre-H93FswRz" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320198.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320198.py new file mode 100644 index 00000000..e97ecf90 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320198.py @@ -0,0 +1,77 @@ +from comfy import high + + +@high( + name='rule_cve202320198', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|webui' + ), +) +def rule_cve202320198(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20198 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient protection of the web UI feature, which could allow + an unauthenticated, remote attacker to gain privileged access. This vulnerability has been + actively exploited in the wild and has a CVSS score of 10.0 (Critical). + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 16.1-16.3 versions + '16.1.1', '16.1.2', '16.1.3', '16.2.1', '16.2.2', + '16.3.1', '16.3.2', '16.3.3', '16.3.1a', '16.3.4', '16.3.5', '16.3.5b', + '16.3.6', '16.3.7', '16.3.8', '16.3.9', '16.3.10', '16.3.11', + # 16.4-16.9 versions + '16.4.1', '16.4.2', '16.4.3', '16.5.1', '16.5.1a', '16.5.1b', '16.5.2', '16.5.3', + '16.6.1', '16.6.2', '16.6.3', '16.6.4', '16.6.5', '16.6.4a', '16.6.5a', '16.6.6', + '16.6.7', '16.6.8', '16.6.9', '16.6.10', '16.7.1', '16.7.1a', '16.7.1b', '16.7.2', + '16.7.3', '16.7.4', '16.8.1', '16.8.1a', '16.8.1b', '16.8.1s', '16.8.1c', '16.8.1d', + '16.8.2', '16.8.1e', '16.8.3', '16.9.1', '16.9.2', '16.9.1a', '16.9.1b', '16.9.1s', + '16.9.3', '16.9.4', '16.9.3a', '16.9.5', '16.9.5f', '16.9.6', '16.9.7', '16.9.8', + # 16.10-16.12 versions + '16.10.1', '16.10.1a', '16.10.1b', '16.10.1s', '16.10.1c', '16.10.1e', '16.10.1d', + '16.10.2', '16.10.1f', '16.10.1g', '16.10.3', '16.11.1', '16.11.1a', '16.11.1b', + '16.11.2', '16.11.1s', '16.12.1', '16.12.1s', '16.12.1a', '16.12.1c', '16.12.1w', + '16.12.2', '16.12.1y', '16.12.2a', '16.12.3', '16.12.8', '16.12.2s', '16.12.1x', + '16.12.1t', '16.12.4', '16.12.3s', '16.12.3a', '16.12.4a', '16.12.5', '16.12.6', + '16.12.1z1', '16.12.5a', '16.12.5b', '16.12.1z2', '16.12.6a', '16.12.7', '16.12.9', + '16.12.10', + # 17.1-17.12 versions + '17.1.1', '17.1.1a', '17.1.1s', '17.1.1t', '17.1.3', '17.2.1', '17.2.1r', '17.2.1a', + '17.2.1v', '17.2.2', '17.2.3', '17.3.1', '17.3.2', '17.3.3', '17.3.1a', '17.3.1w', + '17.3.2a', '17.3.1x', '17.3.1z', '17.3.4', '17.3.5', '17.3.4a', '17.3.6', '17.3.4b', + '17.3.4c', '17.3.5a', '17.3.5b', '17.3.7', '17.3.8', '17.4.1', '17.4.2', '17.4.1a', + '17.4.1b', '17.4.2a', '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', '17.6.1', '17.6.2', + '17.6.1w', '17.6.1a', '17.6.1x', '17.6.3', '17.6.1y', '17.6.1z', '17.6.3a', '17.6.4', + '17.6.1z1', '17.6.5', '17.6.6', '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', '17.8.1', + '17.8.1a', '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.1x', '17.9.1y', '17.9.3', + '17.9.2a', '17.9.1x1', '17.9.3a', '17.9.4', '17.9.1y1', '17.10.1', '17.10.1a', + '17.10.1b', '17.11.1', '17.11.1a', '17.12.1', '17.12.1a', '17.11.99SW' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check web UI configuration + webui_output = commands.check_webui + + # Check if web UI is enabled + webui_enabled = any(service in webui_output for service in ['ip http', 'webui']) + + # Assert that the device is not vulnerable + assert not webui_enabled, ( + f"Device {device.name} is vulnerable to CVE-2023-20198. " + "The device is running a vulnerable version AND has web UI enabled, " + "which could allow an attacker to gain privileged access. This vulnerability is being actively exploited. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-iosxe-webui-privesc-j22SaA4z" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320202.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320202.py new file mode 100644 index 00000000..05ff7fca --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320202.py @@ -0,0 +1,51 @@ +from comfy import high + + +@high( + name='rule_cve202320202', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_wncd='show running-config | include wireless|wncd' + ), +) +def rule_cve202320202(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20202 vulnerability in Cisco IOS XE Software for Wireless LAN Controllers. + The vulnerability is due to improper memory management in the Wireless Network Control daemon (wncd). + An attacker could exploit this vulnerability by sending a series of network requests to an affected device, + causing the wncd process to consume available memory and eventually cause the device to reload. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 17.9 versions + '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.1x', '17.9.1y', + '17.9.2a', '17.9.1x1', + # 17.10 versions + '17.10.1', '17.10.1a', '17.10.1b' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check WNCD configuration + wncd_output = commands.check_wncd + + # Check if wireless/WNCD is configured + wireless_configured = 'wireless' in wncd_output and 'wncd' in wncd_output + + # Assert that the device is not vulnerable + assert not wireless_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20202. " + "The device is running a vulnerable version AND has wireless LAN controller with WNCD configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-wncd-HFGMsfSD" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320226.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320226.py new file mode 100644 index 00000000..1c88984b --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320226.py @@ -0,0 +1,54 @@ +from comfy import high + + +@high( + name='rule_cve202320226', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_appqoe_utd='show running-config | include appqoe|utd' + ), +) +def rule_cve202320226(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20226 vulnerability in Cisco IOS XE Software. + The vulnerability is due to the mishandling of a crafted packet stream through the AppQoE or UTD application. + An attacker could exploit this vulnerability by sending a crafted packet stream through an affected device, + causing it to reload and resulting in a denial of service (DoS) condition. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 17.7 versions + '17.7.1', '17.7.1a', '17.7.2', + # 17.8 versions + '17.8.1', '17.8.1a', + # 17.9 versions + '17.9.1', '17.9.2', '17.9.1a', '17.9.2a', + # 17.10 versions + '17.10.1', '17.10.1a' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check AppQoE and UTD configuration + appqoe_utd_output = commands.check_appqoe_utd + + # Check if AppQoE or UTD is configured + features_configured = any(feature in appqoe_utd_output for feature in ['appqoe', 'utd']) + + # Assert that the device is not vulnerable + assert not features_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20226. " + "The device is running a vulnerable version AND has AppQoE or UTD configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-appqoe-utd-dos-p8O57p5y" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320227.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320227.py new file mode 100644 index 00000000..5e7a3547 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320227.py @@ -0,0 +1,67 @@ +from comfy import high + + +@high( + name='rule_cve202320227', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_l2tp='show running-config | include vpdn|l2tp' + ), +) +def rule_cve202320227(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20227 vulnerability in Cisco IOS XE Software. + The vulnerability is due to improper handling of certain L2TP packets. An attacker could + exploit this vulnerability by sending crafted L2TP packets to an affected device, causing + it to reload unexpectedly and resulting in a denial of service (DoS) condition. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 16.8-16.9 versions + '16.8.1', '16.8.1a', '16.8.1b', '16.8.1s', '16.8.1c', '16.8.1d', + '16.8.2', '16.8.1e', '16.8.3', '16.9.1', '16.9.2', '16.9.1a', + '16.9.1b', '16.9.1s', '16.9.3', '16.9.4', '16.9.5', '16.9.5f', + '16.9.6', '16.9.7', '16.9.8', + # 16.10-16.12 versions + '16.10.1', '16.10.1a', '16.10.1b', '16.10.1s', '16.10.1c', '16.10.1e', + '16.10.1d', '16.10.2', '16.10.1f', '16.10.1g', '16.10.3', '16.11.1', + '16.11.1a', '16.11.1b', '16.11.2', '16.11.1s', '16.12.1', '16.12.1s', + '16.12.1a', '16.12.1c', '16.12.1w', '16.12.2', '16.12.1y', '16.12.2a', + '16.12.3', '16.12.8', '16.12.2s', '16.12.1x', '16.12.1t', '16.12.4', + '16.12.3s', '16.12.4a', '16.12.5', '16.12.6', '16.12.1z1', '16.12.5a', + '16.12.1z2', '16.12.6a', '16.12.7', '16.12.10a', + # 17.1-17.5 versions + '17.1.1', '17.1.1a', '17.1.1s', '17.1.1t', '17.1.3', '17.2.1', '17.2.1r', + '17.2.1a', '17.2.1v', '17.2.2', '17.2.3', '17.3.1', '17.3.2', '17.3.3', + '17.3.1a', '17.3.1w', '17.3.2a', '17.3.1x', '17.3.1z', '17.3.4', '17.3.5', + '17.3.4a', '17.3.6', '17.3.4c', '17.3.5a', '17.3.5b', '17.3.7', '17.4.1', + '17.4.2', '17.4.1a', '17.4.1b', '17.4.2a', '17.5.1', '17.5.1a', '17.5.1b', + '17.5.1c' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check L2TP configuration + l2tp_output = commands.check_l2tp + + # Check if L2TP is configured + l2tp_configured = any(feature in l2tp_output for feature in ['vpdn', 'l2tp']) + + # Assert that the device is not vulnerable + assert not l2tp_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20227. " + "The device is running a vulnerable version AND has L2TP configured, " + "which could allow an attacker to cause a denial of service. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-ios-xe-l2tp-dos-eB5tuFmV" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320231.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320231.py new file mode 100644 index 00000000..68ad720a --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320231.py @@ -0,0 +1,65 @@ +from comfy import high + + +@high( + name='rule_cve202320231', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|webui|lobby' + ), +) +def rule_cve202320231(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20231 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation in the web UI. An attacker could + exploit this vulnerability by sending crafted input to the web UI using Lobby Ambassador credentials, + allowing them to execute arbitrary Cisco IOS XE Software CLI commands with level 15 privileges. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 16.12 versions + '16.12.4', '16.12.4a', '16.12.5', '16.12.5a', '16.12.5b', '16.12.6', + '16.12.6a', '16.12.7', '16.12.8', '16.12.9', + # 17.2-17.3 versions + '17.2.2', '17.2.3', '17.3.1', '17.3.1a', '17.3.1w', '17.3.1x', '17.3.1z', + '17.3.2', '17.3.2a', '17.3.3', '17.3.4', '17.3.4a', '17.3.4b', '17.3.4c', + '17.3.5', '17.3.5a', '17.3.5b', '17.3.6', + # 17.4-17.6 versions + '17.4.1', '17.4.1a', '17.4.1b', '17.4.2', '17.4.2a', + '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', + '17.6.1', '17.6.1a', '17.6.1w', '17.6.1x', '17.6.1y', '17.6.1z', '17.6.1z1', + '17.6.2', '17.6.3', '17.6.3a', '17.6.4', '17.6.5', '17.6.5a', + # 17.7-17.10 versions + '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', + '17.8.1', '17.8.1a', + '17.9.1', '17.9.1a', '17.9.1w', '17.9.1x', '17.9.1x1', '17.9.1y', '17.9.2', + '17.9.2a', + '17.10.1', '17.10.1a', '17.10.1b' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check web UI and Lobby Ambassador configuration + webui_output = commands.check_webui + + # Check if web UI and Lobby Ambassador are configured + webui_enabled = any(service in webui_output for service in ['ip http', 'webui']) + lobby_configured = 'lobby' in webui_output + + # Assert that the device is not vulnerable + assert not (webui_enabled and lobby_configured), ( + f"Device {device.name} is vulnerable to CVE-2023-20231. " + "The device is running a vulnerable version AND has web UI with Lobby Ambassador configured, " + "which could allow an attacker to execute arbitrary commands with elevated privileges. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-cmdij-FzZAeXAy" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320235.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320235.py new file mode 100644 index 00000000..2b7eafc6 --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320235.py @@ -0,0 +1,63 @@ +from comfy import high + + +@high( + name='rule_cve202320235', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_iox='show running-config | include iox|app-hosting' + ), +) +def rule_cve202320235(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20235 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient protection of the on-device application development + workflow feature in the Cisco IOx application hosting infrastructure. An attacker could + exploit this vulnerability by using Docker CLI to access the underlying operating system + as the root user. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 17.3 versions + '17.3.1', '17.3.2', '17.3.3', '17.3.1a', '17.3.1w', '17.3.2a', '17.3.1x', + '17.3.1z', '17.3.4', '17.3.5', '17.3.4a', '17.3.6', '17.3.4b', '17.3.4c', + '17.3.5a', '17.3.5b', '17.3.7', + # 17.4-17.6 versions + '17.4.1', '17.4.2', '17.4.1a', '17.4.1b', '17.4.2a', + '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', + '17.6.1', '17.6.2', '17.6.1w', '17.6.1a', '17.6.1x', '17.6.3', '17.6.1y', + '17.6.1z', '17.6.3a', '17.6.4', '17.6.1z1', '17.6.5', '17.6.5a', + # 17.7-17.12 versions + '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', + '17.8.1', '17.8.1a', + '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.1x', '17.9.1y', '17.9.3', + '17.9.2a', '17.9.1x1', '17.9.3a', '17.9.4', '17.9.1y1', '17.9.4a', + '17.10.1', '17.10.1a', '17.10.1b', + '17.11.1', '17.11.1a', '17.12.1', '17.12.1a', '17.11.99SW' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check IOx configuration + iox_output = commands.check_iox + + # Check if IOx or app-hosting is configured + iox_configured = any(feature in iox_output for feature in ['iox', 'app-hosting']) + + # Assert that the device is not vulnerable + assert not iox_configured, ( + f"Device {device.name} is vulnerable to CVE-2023-20235. " + "The device is running a vulnerable version AND has IOx/app-hosting configured, " + "which could allow an attacker to gain root access to the underlying operating system. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rdocker-uATbukKn" + ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320262.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320262.py index c0ed1a15..7a226ec9 100644 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320262.py +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320262.py @@ -13,7 +13,7 @@ def rule_cve202320262(configuration, commands, device, devices): """ This rule checks for the CVE-2023-20262 vulnerability in Cisco Catalyst SD-WAN Manager. The vulnerability is due to insufficient resource management when an affected system is in an error condition, - which could allow an unauthenticated, remote attacker to cause a process crash, resulting in a DoS condition + which could allow an unauthenticated, remote attacker to cause a process crash, resulting in a DoS condition for SSH access. """ # Extract the version information from the command output @@ -38,13 +38,15 @@ def rule_cve202320262(configuration, commands, device, devices): # 20.1 versions '20.1.1', '20.1.1.1', '20.1.11', '20.1.12', '20.1.2', '20.1.3', '20.1.3.1', # 20.3 versions - '20.3.1', '20.3.2', '20.3.2.1', '20.3.3', '20.3.3.1', '20.3.4', '20.3.4.1', '20.3.4.2', '20.3.4.3', '20.3.5', '20.3.5.1', '20.3.6', + '20.3.1', '20.3.2', '20.3.2.1', '20.3.3', '20.3.3.1', '20.3.4', '20.3.4.1', '20.3.4.2', '20.3.4.3', + '20.3.5', '20.3.5.1', '20.3.6', # 20.4 versions '20.4.1', '20.4.1.1', '20.4.1.2', '20.4.2', '20.4.2.1', '20.4.2.2', '20.4.2.3', # 20.5 versions '20.5.1', '20.5.1.1', '20.5.1.2', # 20.6 versions - '20.6.1', '20.6.1.1', '20.6.1.2', '20.6.2', '20.6.2.1', '20.6.2.2', '20.6.3', '20.6.3.1', '20.6.3.2', '20.6.3.3', '20.6.3.4', '20.6.4', '20.6.4.1', '20.6.4.2', '20.6.5', '20.6.5.2', '20.6.5.4', '20.6.5.5', + '20.6.1', '20.6.1.1', '20.6.1.2', '20.6.2', '20.6.2.1', '20.6.2.2', '20.6.3', '20.6.3.1', '20.6.3.2', + '20.6.3.3', '20.6.3.4', '20.6.4', '20.6.4.1', '20.6.4.2', '20.6.5', '20.6.5.2', '20.6.5.4', '20.6.5.5', # 20.7 versions '20.7.1', '20.7.1.1', # 20.8 versions diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320273.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320273.py new file mode 100644 index 00000000..9cd3613a --- /dev/null +++ b/CVEasy/Cisco/2023/cisco_nxos/cve202320273.py @@ -0,0 +1,79 @@ +from comfy import high + + +@high( + name='rule_cve202320273', + platform=['cisco_xe'], + commands=dict( + show_version='show version', + check_webui='show running-config | include ip http|webui' + ), +) +def rule_cve202320273(configuration, commands, device, devices): + """ + This rule checks for the CVE-2023-20273 vulnerability in Cisco IOS XE Software. + The vulnerability is due to insufficient input validation in the web UI feature. + An authenticated, remote attacker could exploit this vulnerability by sending crafted + input to the web UI, allowing them to inject commands to the underlying operating system + with root privileges. + """ + # Extract the version information from the command output + version_output = commands.show_version + + # List of vulnerable software versions (from CVE details) + vulnerable_versions = [ + # 16.1-16.3 versions + '16.1.1', '16.1.2', '16.1.3', '16.2.1', '16.2.2', + '16.3.1', '16.3.2', '16.3.3', '16.3.1a', '16.3.4', '16.3.5', '16.3.5b', + '16.3.6', '16.3.7', '16.3.8', '16.3.9', '16.3.10', '16.3.11', + # 16.4-16.9 versions + '16.4.1', '16.4.2', '16.4.3', '16.5.1', '16.5.1a', '16.5.1b', '16.5.2', '16.5.3', + '16.6.1', '16.6.2', '16.6.3', '16.6.4', '16.6.5', '16.6.4a', '16.6.5a', '16.6.6', + '16.6.7', '16.6.8', '16.6.9', '16.6.10', '16.7.1', '16.7.1a', '16.7.1b', '16.7.2', + '16.7.3', '16.7.4', '16.8.1', '16.8.1a', '16.8.1b', '16.8.1s', '16.8.1c', '16.8.1d', + '16.8.2', '16.8.1e', '16.8.3', '16.9.1', '16.9.2', '16.9.1a', '16.9.1b', '16.9.1s', + '16.9.3', '16.9.4', '16.9.3a', '16.9.5', '16.9.5f', '16.9.6', '16.9.7', '16.9.8', + # 16.10-16.12 versions + '16.10.1', '16.10.1a', '16.10.1b', '16.10.1s', '16.10.1c', '16.10.1e', '16.10.1d', + '16.10.2', '16.10.1f', '16.10.1g', '16.10.3', '16.11.1', '16.11.1a', '16.11.1b', + '16.11.2', '16.11.1s', '16.12.1', '16.12.1s', '16.12.1a', '16.12.1c', '16.12.1w', + '16.12.2', '16.12.1y', '16.12.2a', '16.12.3', '16.12.8', '16.12.2s', '16.12.1x', + '16.12.1t', '16.12.4', '16.12.3s', '16.12.3a', '16.12.4a', '16.12.5', '16.12.6', + '16.12.1z1', '16.12.5a', '16.12.5b', '16.12.1z2', '16.12.6a', '16.12.7', '16.12.9', + '16.12.10', + # 17.1-17.12 versions + '17.1.1', '17.1.1a', '17.1.1s', '17.1.1t', '17.1.3', '17.2.1', '17.2.1r', '17.2.1a', + '17.2.1v', '17.2.2', '17.2.3', '17.3.1', '17.3.2', '17.3.3', '17.3.1a', '17.3.1w', + '17.3.2a', '17.3.1x', '17.3.1z', '17.3.4', '17.3.5', '17.3.4a', '17.3.6', '17.3.4b', + '17.3.4c', '17.3.5a', '17.3.5b', '17.3.7', '17.3.8', '17.4.1', '17.4.2', '17.4.1a', + '17.4.1b', '17.4.2a', '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', '17.6.1', '17.6.2', + '17.6.1w', '17.6.1a', '17.6.1x', '17.6.3', '17.6.1y', '17.6.1z', '17.6.3a', '17.6.4', + '17.6.1z1', '17.6.5', '17.6.6', '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', '17.8.1', + '17.8.1a', '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.1x', '17.9.1y', '17.9.3', + '17.9.2a', '17.9.1x1', '17.9.3a', '17.9.4', '17.9.1y1', '17.10.1', '17.10.1a', + '17.10.1b', '17.11.1', '17.11.1a', '17.12.1', '17.12.1a', '17.11.99SW' + ] + + # Check if the current device's software version is in the list of vulnerable versions + version_vulnerable = any(version in version_output for version in vulnerable_versions) + + # If version is not vulnerable, no need to check further + if not version_vulnerable: + return + + # Extract the output of the command to check web UI configuration + webui_output = commands.check_webui + + # Check if web UI is enabled + webui_enabled = any(service in webui_output for service in ['ip http', 'webui']) + + # Assert that the device is not vulnerable + assert not webui_enabled, ( + f"Device {device.name} is vulnerable to CVE-2023-20273. " + "The device is running a vulnerable version AND has web UI enabled, " + "which could allow an authenticated attacker to execute arbitrary commands with root privileges. " + "This vulnerability is being actively exploited. " + "For more information, see" + "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" + "sa-iosxe-webui-privesc-j22SaA4z" + ) From 6a9d70eecd1fc142ac75ffd7baead87e33722590 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Tue, 3 Jun 2025 11:40:13 +0000 Subject: [PATCH 20/22] fixed cve 2023 nxos xe --- CVEasy/Cisco/2023/cisco_nxos/cve202320027.py | 32 -------- CVEasy/Cisco/2023/cisco_nxos/cve202320029.py | 32 -------- CVEasy/Cisco/2023/cisco_nxos/cve202320033.py | 59 --------------- CVEasy/Cisco/2023/cisco_nxos/cve202320035.py | 32 -------- CVEasy/Cisco/2023/cisco_nxos/cve202320065.py | 61 --------------- CVEasy/Cisco/2023/cisco_nxos/cve202320066.py | 32 -------- CVEasy/Cisco/2023/cisco_nxos/cve202320067.py | 33 -------- CVEasy/Cisco/2023/cisco_nxos/cve202320072.py | 32 -------- CVEasy/Cisco/2023/cisco_nxos/cve202320082.py | 40 ---------- CVEasy/Cisco/2023/cisco_nxos/cve202320100.py | 33 -------- CVEasy/Cisco/2023/cisco_nxos/cve202320187.py | 63 ---------------- CVEasy/Cisco/2023/cisco_nxos/cve202320198.py | 77 ------------------- CVEasy/Cisco/2023/cisco_nxos/cve202320202.py | 51 ------------- CVEasy/Cisco/2023/cisco_nxos/cve202320226.py | 54 ------------- CVEasy/Cisco/2023/cisco_nxos/cve202320227.py | 67 ----------------- CVEasy/Cisco/2023/cisco_nxos/cve202320231.py | 65 ---------------- CVEasy/Cisco/2023/cisco_nxos/cve202320235.py | 63 ---------------- CVEasy/Cisco/2023/cisco_nxos/cve202320273.py | 79 -------------------- CVEasy/Cisco/2023/cisco_xe/cve202320033.py | 4 +- CVEasy/Cisco/2023/cisco_xe/cve202320082.py | 8 +- 20 files changed, 6 insertions(+), 911 deletions(-) delete mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320027.py delete mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320029.py delete mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320033.py delete mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320035.py delete mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320065.py delete mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320066.py delete mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320067.py delete mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320072.py delete mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320082.py delete mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320100.py delete mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320187.py delete mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320198.py delete mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320202.py delete mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320226.py delete mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320227.py delete mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320231.py delete mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320235.py delete mode 100644 CVEasy/Cisco/2023/cisco_nxos/cve202320273.py diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320027.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320027.py deleted file mode 100644 index ab5702a2..00000000 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320027.py +++ /dev/null @@ -1,32 +0,0 @@ -from comfy import high - - -@high( - name='rule_cve202320027', - platform=['cisco_xe'], - commands=dict( - show_version='show version', - check_vfr='show running-config | include ip virtual-reassembly' - ), -) -def rule_cve202320027(configuration, commands, device, devices): - """ - This rule checks for the CVE-2023-20027 vulnerability in Cisco IOS XE Software. - The vulnerability is due to improper reassembly of large packets when Virtual Fragmentation - Reassembly (VFR) is enabled on either a tunnel interface or on a physical interface that is - configured with an MTU greater than 4,615 bytes. - """ - # Extract the output of the command to check VFR configuration - vfr_output = commands.check_vfr - - # Check if VFR is configured - vfr_configured = 'ip virtual-reassembly' in vfr_output - - # Assert that the device is not vulnerable - assert not vfr_configured, ( - f"Device {device.name} is vulnerable to CVE-2023-20027. " - "The device has Virtual Fragmentation Reassembly (VFR) enabled, " - "which could allow an attacker to cause a denial of service. " - "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv4-vfr-dos-CXxtFacb" - ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320029.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320029.py deleted file mode 100644 index 130310ce..00000000 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320029.py +++ /dev/null @@ -1,32 +0,0 @@ -from comfy import high - - -@high( - name='rule_cve202320029', - platform=['cisco_xe'], - commands=dict( - show_version='show version', - check_meraki='show running-config | include meraki' - ), -) -def rule_cve202320029(configuration, commands, device, devices): - """ - This rule checks for the CVE-2023-20029 vulnerability in Cisco IOS XE Software. - The vulnerability is due to insufficient memory protection in the Meraki onboarding feature. - An attacker could exploit this vulnerability by modifying the Meraki registration parameters, - which could allow them to elevate privileges to root. - """ - # Extract the output of the command to check Meraki configuration - meraki_output = commands.check_meraki - - # Check if Meraki onboarding is configured - meraki_configured = 'meraki' in meraki_output - - # Assert that the device is not vulnerable - assert not meraki_configured, ( - f"Device {device.name} is vulnerable to CVE-2023-20029. " - "The device has Meraki onboarding feature enabled, " - "which could allow an attacker to elevate privileges to root. " - "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-sABD8hcU" - ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320033.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320033.py deleted file mode 100644 index 879e054d..00000000 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320033.py +++ /dev/null @@ -1,59 +0,0 @@ -from comfy import high - - -@high( - name='rule_cve202320033', - platform=['cisco_xe'], - commands=dict( - show_version='show version', - check_mgmt='show running-config | include interface GigabitEthernet0' - ), -) -def rule_cve202320033(configuration, commands, device, devices): - """ - This rule checks for the CVE-2023-20033 vulnerability in Cisco IOS XE Software for - Catalyst 3650/3850 Series Switches. The vulnerability is due to improper resource - management when processing traffic received on the management interface. - An attacker could exploit this vulnerability by sending a high rate of traffic to - the management interface. - """ - # Extract the version information from the command output - version_output = commands.show_version - - # List of vulnerable software versions - vulnerable_versions = [ - # 16.3 versions - '16.3.1', '16.3.2', '16.3.3', '16.3.1a', '16.3.4', '16.3.5', '16.3.5b', - '16.3.6', '16.3.7', '16.3.8', '16.3.9', '16.3.10', '16.3.11', - # 16.4-16.9 versions - '16.4.1', '16.5.1', '16.5.1a', '16.6.1', '16.6.2', '16.6.3', '16.6.4', - '16.6.5', '16.6.4a', '16.6.6', '16.6.7', '16.6.8', '16.6.9', '16.6.10', - '16.7.1', '16.8.1', '16.8.1a', '16.8.1s', '16.9.1', '16.9.2', '16.9.1s', - '16.9.3', '16.9.4', '16.9.3a', '16.9.5', '16.9.6', '16.9.7', '16.9.8', - # 16.11-16.12 versions - '16.11.1', '16.11.2', '16.11.1s', '16.12.1', '16.12.1s', '16.12.2', - '16.12.3', '16.12.8', '16.12.4', '16.12.3s', '16.12.3a', '16.12.5', - '16.12.6', '16.12.5b', '16.12.6a', '16.12.7', '16.12.9' - ] - - # Check if the current device's software version is in the list of vulnerable versions - version_vulnerable = any(version in version_output for version in vulnerable_versions) - - # If version is not vulnerable, no need to check further - if not version_vulnerable: - return - - # Extract the output of the command to check management interface configuration - mgmt_output = commands.check_mgmt - - # Check if management interface is configured - mgmt_configured = 'interface GigabitEthernet0' in mgmt_output - - # Assert that the device is not vulnerable - assert not mgmt_configured, ( - f"Device {device.name} is vulnerable to CVE-2023-20033. " - "The device is running a vulnerable version AND has management interface configured, " - "which could allow an attacker to cause a denial of service. " - "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cat3k-dos-ZZA4Gb3r" - ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320035.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320035.py deleted file mode 100644 index 64f73331..00000000 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320035.py +++ /dev/null @@ -1,32 +0,0 @@ -from comfy import high - - -@high( - name='rule_cve202320035', - platform=['cisco_xe'], - commands=dict( - show_version='show version', - check_sdwan='show running-config | include sdwan' - ), -) -def rule_cve202320035(configuration, commands, device, devices): - """ - This rule checks for the CVE-2023-20035 vulnerability in Cisco IOS XE SD-WAN Software. - The vulnerability is due to insufficient input validation by the system CLI. - An attacker with privileges to run commands could exploit this vulnerability by submitting - crafted input to the system CLI, allowing them to execute commands with root-level privileges. - """ - # Extract the output of the command to check SD-WAN configuration - sdwan_output = commands.check_sdwan - - # Check if SD-WAN is configured - sdwan_configured = 'sdwan' in sdwan_output - - # Assert that the device is not vulnerable - assert not sdwan_configured, ( - f"Device {device.name} is vulnerable to CVE-2023-20035. " - "The device has SD-WAN configured with CLI access, " - "which could allow an attacker to execute arbitrary commands with root privileges. " - "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-sdwan-VQAhEjYw" - ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320065.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320065.py deleted file mode 100644 index 7868db88..00000000 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320065.py +++ /dev/null @@ -1,61 +0,0 @@ -from comfy import high - - -@high( - name='rule_cve202320065', - platform=['cisco_xe'], - commands=dict( - show_version='show version', - check_iox='show running-config | include iox' - ), -) -def rule_cve202320065(configuration, commands, device, devices): - """ - This rule checks for the CVE-2023-20065 vulnerability in Cisco IOS XE Software. - The vulnerability is due to insufficient restrictions on the hosted application in the - Cisco IOx application hosting subsystem. An attacker could exploit this vulnerability - by logging in to and then escaping the Cisco IOx application container. - """ - # Extract the version information from the command output - version_output = commands.show_version - - # List of vulnerable software versions - vulnerable_versions = [ - # 16.4 versions - '16.4.1', '16.4.2', '16.4.3', - # 17.3 versions - '17.3.1', '17.3.2', '17.3.3', '17.3.1a', '17.3.1w', '17.3.2a', '17.3.1x', - '17.3.1z', '17.3.4', '17.3.5', '17.3.4a', '17.3.6', '17.3.4b', '17.3.4c', - '17.3.5a', '17.3.5b', - # 17.4-17.9 versions - '17.4.1', '17.4.2', '17.4.1a', '17.4.1b', '17.4.2a', - '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', - '17.6.1', '17.6.2', '17.6.1w', '17.6.1a', '17.6.1x', '17.6.3', '17.6.1y', - '17.6.1z', '17.6.3a', '17.6.4', '17.6.1z1', - '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', - '17.8.1', '17.8.1a', - '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.2a' - ] - - # Check if the current device's software version is in the list of vulnerable versions - version_vulnerable = any(version in version_output for version in vulnerable_versions) - - # If version is not vulnerable, no need to check further - if not version_vulnerable: - return - - # Extract the output of the command to check IOx configuration - iox_output = commands.check_iox - - # Check if IOx is configured - iox_configured = 'iox' in iox_output - - # Assert that the device is not vulnerable - assert not iox_configured, ( - f"Device {device.name} is vulnerable to CVE-2023-20065. " - "The device is running a vulnerable version AND has IOx application hosting configured, " - "which could allow an attacker to elevate privileges to root. " - "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" - "sa-iox-priv-escalate-Xg8zkyPk" - ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320066.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320066.py deleted file mode 100644 index fe5595f2..00000000 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320066.py +++ /dev/null @@ -1,32 +0,0 @@ -from comfy import high - - -@high( - name='rule_cve202320066', - platform=['cisco_xe'], - commands=dict( - show_version='show version', - check_webui='show running-config | include ip http|webui' - ), -) -def rule_cve202320066(configuration, commands, device, devices): - """ - This rule checks for the CVE-2023-20066 vulnerability in Cisco IOS XE Software. - The vulnerability is due to insufficient security configuration in the web UI. - An attacker could exploit this vulnerability by sending a crafted request to the web UI, - allowing them to gain read access to files outside the filesystem mountpoint. - """ - # Extract the output of the command to check web UI configuration - webui_output = commands.check_webui - - # Check if web UI is enabled - webui_enabled = any(service in webui_output for service in ['ip http', 'webui']) - - # Assert that the device is not vulnerable - assert not webui_enabled, ( - f"Device {device.name} is vulnerable to CVE-2023-20066. " - "The device has web UI enabled, which could allow an attacker to access files " - "outside the filesystem mountpoint through path traversal. " - "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-pthtrv-es7GSb9V" - ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320067.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320067.py deleted file mode 100644 index 99a14000..00000000 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320067.py +++ /dev/null @@ -1,33 +0,0 @@ -from comfy import high - - -@high( - name='rule_cve202320067', - platform=['cisco_xe'], - commands=dict( - show_version='show version', - check_wlc='show running-config | include wireless|http client' - ), -) -def rule_cve202320067(configuration, commands, device, devices): - """ - This rule checks for the CVE-2023-20067 vulnerability in Cisco IOS XE Software for Wireless LAN Controllers. - The vulnerability is due to insufficient input validation of received traffic in the " - "HTTP-based client profiling feature. - An attacker could exploit this vulnerability by sending crafted traffic through a wireless access point, - causing high CPU utilization and a denial of service condition. - """ - # Extract the output of the command to check WLC and HTTP client profiling configuration - wlc_output = commands.check_wlc - - # Check if WLC and HTTP client profiling are configured - wlc_configured = 'wireless' in wlc_output and 'http client' in wlc_output - - # Assert that the device is not vulnerable - assert not wlc_configured, ( - f"Device {device.name} is vulnerable to CVE-2023-20067. " - "The device has wireless LAN controller and HTTP client profiling enabled, " - "which could allow an attacker to cause a denial of service condition. " - "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-dos-wFujBHKw" - ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320072.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320072.py deleted file mode 100644 index fdc3b154..00000000 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320072.py +++ /dev/null @@ -1,32 +0,0 @@ -from comfy import high - - -@high( - name='rule_cve202320072', - platform=['cisco_xe'], - commands=dict( - show_version='show version', - check_tunnel='show running-config | include tunnel|gre' - ), -) -def rule_cve202320072(configuration, commands, device, devices): - """ - This rule checks for the CVE-2023-20072 vulnerability in Cisco IOS XE Software. - The vulnerability is due to improper handling of large fragmented tunnel protocol packets. - An attacker could exploit this vulnerability by sending crafted fragmented packets to an affected system, - causing it to reload and resulting in a denial of service (DoS) condition. - """ - # Extract the output of the command to check tunnel configuration - tunnel_output = commands.check_tunnel - - # Check if any tunnel protocols (like GRE) are configured - tunnel_configured = any(protocol in tunnel_output for protocol in ['tunnel', 'gre']) - - # Assert that the device is not vulnerable - assert not tunnel_configured, ( - f"Device {device.name} is vulnerable to CVE-2023-20072. " - "The device has tunnel protocols configured (e.g., GRE), " - "which could allow an attacker to cause a denial of service through crafted fragmented packets. " - "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-gre-crash-p6nE5Sq5" - ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320082.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320082.py deleted file mode 100644 index 01596507..00000000 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320082.py +++ /dev/null @@ -1,40 +0,0 @@ -from comfy import high - - -@high( - name='rule_cve202320082', - platform=['cisco_xe'], - commands=dict( - show_version='show version', - check_platform='show inventory | include Chassis' - ), -) -def rule_cve202320082(configuration, commands, device, devices): - """ - This rule checks for the CVE-2023-20082 vulnerability in Cisco IOS XE Software - for Catalyst 9300 Series Switches. The vulnerability is due to errors that occur - when retrieving the public release key used for image signature verification. - An attacker could exploit this vulnerability by modifying specific variables in the - SPI flash memory, allowing them to execute persistent code at boot time and break - the chain of trust. - """ - # Extract the output of the command to check platform type - platform_output = commands.check_platform - - # Check if the device is a Catalyst 9300 Series Switch - is_cat9300 = 'C9300' in platform_output - - # Extract the version information from the command output - version_output = commands.show_version - - # Check if version is before 16.11.1 (more vulnerable) - version_pre_16_11_1 = not any(ver in version_output for ver in ['16.11.1', '16.12', '17.']) - - # Assert that the device is not vulnerable - assert not (is_cat9300 and version_pre_16_11_1), ( - f"Device {device.name} is vulnerable to CVE-2023-20082. " - "The device is a Catalyst 9300 Series Switch running a version before 16.11.1, " - "which could allow an attacker to execute persistent code at boot time. " - "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9300-spi-ace-yejYgnNQ" - ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320100.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320100.py deleted file mode 100644 index 058d47b6..00000000 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320100.py +++ /dev/null @@ -1,33 +0,0 @@ -from comfy import high - - -@high( - name='rule_cve202320100', - platform=['cisco_xe'], - commands=dict( - show_version='show version', - check_capwap='show running-config | include wireless|capwap' - ), -) -def rule_cve202320100(configuration, commands, device, devices): - """ - This rule checks for the CVE-2023-20100 vulnerability in Cisco IOS XE Software for Wireless LAN Controllers. - The vulnerability is due to a logic error in the access point (AP) joining process of the Control and - Provisioning of Wireless Access Points (CAPWAP) protocol. An attacker could exploit this vulnerability - by adding a malicious AP to the network and causing specific conditions during the AP joining process. - """ - # Extract the output of the command to check CAPWAP/wireless configuration - capwap_output = commands.check_capwap - - # Check if wireless/CAPWAP is configured - wireless_configured = 'wireless' in capwap_output and 'capwap' in capwap_output - - # Assert that the device is not vulnerable - assert not wireless_configured, ( - f"Device {device.name} is vulnerable to CVE-2023-20100. " - "The device has wireless LAN controller and CAPWAP configured, " - "which could allow an attacker to cause a denial of service through the AP joining process. " - "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" - "sa-c9800-apjoin-dos-nXRHkt5" - ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320187.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320187.py deleted file mode 100644 index 3ae0e266..00000000 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320187.py +++ /dev/null @@ -1,63 +0,0 @@ -from comfy import high - - -@high( - name='rule_cve202320187', - platform=['cisco_xe'], - commands=dict( - show_version='show version', - check_platform='show inventory | include ASR1', - check_ipv6='show running-config | include ipv6 multicast' - ), -) -def rule_cve202320187(configuration, commands, device, devices): - """ - This rule checks for the CVE-2023-20187 vulnerability in Cisco IOS XE Software for ASR 1000 Series routers. - The vulnerability is due to incorrect handling of certain IPv6 multicast packets when they are fanned out - more than seven times on an affected device. An attacker could exploit this vulnerability by sending - specific IPv6 multicast or IPv6 multicast VPN (MVPNv6) packets through the affected device. - """ - # Extract the output of the command to check platform type - platform_output = commands.check_platform - - # Check if the device is an ASR 1000 Series router - is_asr1000 = 'ASR1' in platform_output - - # Extract the version information from the command output - version_output = commands.show_version - - # List of vulnerable software versions (from CVE details) - vulnerable_versions = [ - '3.7.1S', '3.7.2S', '3.7.3S', '3.7.4S', '3.7.5S', '3.7.6S', '3.7.7S', '3.7.2tS', - '3.8.0S', '3.8.1S', '3.8.2S', '3.9.0S', '3.9.1S', '3.9.2S', - '3.10.0S', '3.10.1S', '3.10.2S', '3.10.3S', '3.10.4S', '3.10.5S', '3.10.6S', - '3.10.7S', '3.10.8S', '3.10.9S', '3.10.10S', '3.10.1xbS', '3.10.8aS', - '3.11.0S', '3.11.1S', '3.11.2S', '3.11.3S', '3.11.4S', - '3.12.0S', '3.12.1S', '3.12.2S', '3.12.3S', '3.12.4S', - '3.13.0S', '3.13.1S', '3.13.2S', '3.13.3S', '3.13.4S', '3.13.5S', '3.13.2aS', - '3.13.5aS', '3.13.6S', '3.13.7S', '3.13.6aS', '3.13.8S', '3.13.9S', '3.13.10S', - '3.14.0S', '3.14.1S', '3.14.2S', '3.14.3S', '3.14.4S', - '3.15.0S', '3.15.1S', '3.15.2S', '3.15.3S', '3.15.4S', - '3.16.0S', '3.16.1aS', '3.16.2S', '3.16.3S', '3.16.2bS', '3.16.4aS', '3.16.4bS', - '3.16.5S', '3.16.6S', '3.16.7S', '3.16.6bS', '3.16.7aS', '3.16.7bS', '3.16.8S', - '3.16.9S', '3.16.10S', - '3.17.0S', '3.17.1S', '3.17.2S', '3.17.1aS', '3.17.3S', '3.17.4S' - ] - - # Check if the current device's software version is in the list of vulnerable versions - version_vulnerable = any(version in version_output for version in vulnerable_versions) - - # Extract the output of the command to check IPv6 multicast configuration - ipv6_output = commands.check_ipv6 - - # Check if IPv6 multicast is configured - ipv6_multicast_configured = 'ipv6 multicast' in ipv6_output - - # Assert that the device is not vulnerable - assert not (is_asr1000 and version_vulnerable and ipv6_multicast_configured), ( - f"Device {device.name} is vulnerable to CVE-2023-20187. " - "The device is an ASR 1000 Series router running a vulnerable version with IPv6 multicast configured, " - "which could allow an attacker to cause a denial of service. " - "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-mlre-H93FswRz" - ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320198.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320198.py deleted file mode 100644 index e97ecf90..00000000 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320198.py +++ /dev/null @@ -1,77 +0,0 @@ -from comfy import high - - -@high( - name='rule_cve202320198', - platform=['cisco_xe'], - commands=dict( - show_version='show version', - check_webui='show running-config | include ip http|webui' - ), -) -def rule_cve202320198(configuration, commands, device, devices): - """ - This rule checks for the CVE-2023-20198 vulnerability in Cisco IOS XE Software. - The vulnerability is due to insufficient protection of the web UI feature, which could allow - an unauthenticated, remote attacker to gain privileged access. This vulnerability has been - actively exploited in the wild and has a CVSS score of 10.0 (Critical). - """ - # Extract the version information from the command output - version_output = commands.show_version - - # List of vulnerable software versions (from CVE details) - vulnerable_versions = [ - # 16.1-16.3 versions - '16.1.1', '16.1.2', '16.1.3', '16.2.1', '16.2.2', - '16.3.1', '16.3.2', '16.3.3', '16.3.1a', '16.3.4', '16.3.5', '16.3.5b', - '16.3.6', '16.3.7', '16.3.8', '16.3.9', '16.3.10', '16.3.11', - # 16.4-16.9 versions - '16.4.1', '16.4.2', '16.4.3', '16.5.1', '16.5.1a', '16.5.1b', '16.5.2', '16.5.3', - '16.6.1', '16.6.2', '16.6.3', '16.6.4', '16.6.5', '16.6.4a', '16.6.5a', '16.6.6', - '16.6.7', '16.6.8', '16.6.9', '16.6.10', '16.7.1', '16.7.1a', '16.7.1b', '16.7.2', - '16.7.3', '16.7.4', '16.8.1', '16.8.1a', '16.8.1b', '16.8.1s', '16.8.1c', '16.8.1d', - '16.8.2', '16.8.1e', '16.8.3', '16.9.1', '16.9.2', '16.9.1a', '16.9.1b', '16.9.1s', - '16.9.3', '16.9.4', '16.9.3a', '16.9.5', '16.9.5f', '16.9.6', '16.9.7', '16.9.8', - # 16.10-16.12 versions - '16.10.1', '16.10.1a', '16.10.1b', '16.10.1s', '16.10.1c', '16.10.1e', '16.10.1d', - '16.10.2', '16.10.1f', '16.10.1g', '16.10.3', '16.11.1', '16.11.1a', '16.11.1b', - '16.11.2', '16.11.1s', '16.12.1', '16.12.1s', '16.12.1a', '16.12.1c', '16.12.1w', - '16.12.2', '16.12.1y', '16.12.2a', '16.12.3', '16.12.8', '16.12.2s', '16.12.1x', - '16.12.1t', '16.12.4', '16.12.3s', '16.12.3a', '16.12.4a', '16.12.5', '16.12.6', - '16.12.1z1', '16.12.5a', '16.12.5b', '16.12.1z2', '16.12.6a', '16.12.7', '16.12.9', - '16.12.10', - # 17.1-17.12 versions - '17.1.1', '17.1.1a', '17.1.1s', '17.1.1t', '17.1.3', '17.2.1', '17.2.1r', '17.2.1a', - '17.2.1v', '17.2.2', '17.2.3', '17.3.1', '17.3.2', '17.3.3', '17.3.1a', '17.3.1w', - '17.3.2a', '17.3.1x', '17.3.1z', '17.3.4', '17.3.5', '17.3.4a', '17.3.6', '17.3.4b', - '17.3.4c', '17.3.5a', '17.3.5b', '17.3.7', '17.3.8', '17.4.1', '17.4.2', '17.4.1a', - '17.4.1b', '17.4.2a', '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', '17.6.1', '17.6.2', - '17.6.1w', '17.6.1a', '17.6.1x', '17.6.3', '17.6.1y', '17.6.1z', '17.6.3a', '17.6.4', - '17.6.1z1', '17.6.5', '17.6.6', '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', '17.8.1', - '17.8.1a', '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.1x', '17.9.1y', '17.9.3', - '17.9.2a', '17.9.1x1', '17.9.3a', '17.9.4', '17.9.1y1', '17.10.1', '17.10.1a', - '17.10.1b', '17.11.1', '17.11.1a', '17.12.1', '17.12.1a', '17.11.99SW' - ] - - # Check if the current device's software version is in the list of vulnerable versions - version_vulnerable = any(version in version_output for version in vulnerable_versions) - - # If version is not vulnerable, no need to check further - if not version_vulnerable: - return - - # Extract the output of the command to check web UI configuration - webui_output = commands.check_webui - - # Check if web UI is enabled - webui_enabled = any(service in webui_output for service in ['ip http', 'webui']) - - # Assert that the device is not vulnerable - assert not webui_enabled, ( - f"Device {device.name} is vulnerable to CVE-2023-20198. " - "The device is running a vulnerable version AND has web UI enabled, " - "which could allow an attacker to gain privileged access. This vulnerability is being actively exploited. " - "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" - "sa-iosxe-webui-privesc-j22SaA4z" - ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320202.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320202.py deleted file mode 100644 index 05ff7fca..00000000 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320202.py +++ /dev/null @@ -1,51 +0,0 @@ -from comfy import high - - -@high( - name='rule_cve202320202', - platform=['cisco_xe'], - commands=dict( - show_version='show version', - check_wncd='show running-config | include wireless|wncd' - ), -) -def rule_cve202320202(configuration, commands, device, devices): - """ - This rule checks for the CVE-2023-20202 vulnerability in Cisco IOS XE Software for Wireless LAN Controllers. - The vulnerability is due to improper memory management in the Wireless Network Control daemon (wncd). - An attacker could exploit this vulnerability by sending a series of network requests to an affected device, - causing the wncd process to consume available memory and eventually cause the device to reload. - """ - # Extract the version information from the command output - version_output = commands.show_version - - # List of vulnerable software versions (from CVE details) - vulnerable_versions = [ - # 17.9 versions - '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.1x', '17.9.1y', - '17.9.2a', '17.9.1x1', - # 17.10 versions - '17.10.1', '17.10.1a', '17.10.1b' - ] - - # Check if the current device's software version is in the list of vulnerable versions - version_vulnerable = any(version in version_output for version in vulnerable_versions) - - # If version is not vulnerable, no need to check further - if not version_vulnerable: - return - - # Extract the output of the command to check WNCD configuration - wncd_output = commands.check_wncd - - # Check if wireless/WNCD is configured - wireless_configured = 'wireless' in wncd_output and 'wncd' in wncd_output - - # Assert that the device is not vulnerable - assert not wireless_configured, ( - f"Device {device.name} is vulnerable to CVE-2023-20202. " - "The device is running a vulnerable version AND has wireless LAN controller with WNCD configured, " - "which could allow an attacker to cause a denial of service. " - "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-wncd-HFGMsfSD" - ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320226.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320226.py deleted file mode 100644 index 1c88984b..00000000 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320226.py +++ /dev/null @@ -1,54 +0,0 @@ -from comfy import high - - -@high( - name='rule_cve202320226', - platform=['cisco_xe'], - commands=dict( - show_version='show version', - check_appqoe_utd='show running-config | include appqoe|utd' - ), -) -def rule_cve202320226(configuration, commands, device, devices): - """ - This rule checks for the CVE-2023-20226 vulnerability in Cisco IOS XE Software. - The vulnerability is due to the mishandling of a crafted packet stream through the AppQoE or UTD application. - An attacker could exploit this vulnerability by sending a crafted packet stream through an affected device, - causing it to reload and resulting in a denial of service (DoS) condition. - """ - # Extract the version information from the command output - version_output = commands.show_version - - # List of vulnerable software versions (from CVE details) - vulnerable_versions = [ - # 17.7 versions - '17.7.1', '17.7.1a', '17.7.2', - # 17.8 versions - '17.8.1', '17.8.1a', - # 17.9 versions - '17.9.1', '17.9.2', '17.9.1a', '17.9.2a', - # 17.10 versions - '17.10.1', '17.10.1a' - ] - - # Check if the current device's software version is in the list of vulnerable versions - version_vulnerable = any(version in version_output for version in vulnerable_versions) - - # If version is not vulnerable, no need to check further - if not version_vulnerable: - return - - # Extract the output of the command to check AppQoE and UTD configuration - appqoe_utd_output = commands.check_appqoe_utd - - # Check if AppQoE or UTD is configured - features_configured = any(feature in appqoe_utd_output for feature in ['appqoe', 'utd']) - - # Assert that the device is not vulnerable - assert not features_configured, ( - f"Device {device.name} is vulnerable to CVE-2023-20226. " - "The device is running a vulnerable version AND has AppQoE or UTD configured, " - "which could allow an attacker to cause a denial of service. " - "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-appqoe-utd-dos-p8O57p5y" - ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320227.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320227.py deleted file mode 100644 index 5e7a3547..00000000 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320227.py +++ /dev/null @@ -1,67 +0,0 @@ -from comfy import high - - -@high( - name='rule_cve202320227', - platform=['cisco_xe'], - commands=dict( - show_version='show version', - check_l2tp='show running-config | include vpdn|l2tp' - ), -) -def rule_cve202320227(configuration, commands, device, devices): - """ - This rule checks for the CVE-2023-20227 vulnerability in Cisco IOS XE Software. - The vulnerability is due to improper handling of certain L2TP packets. An attacker could - exploit this vulnerability by sending crafted L2TP packets to an affected device, causing - it to reload unexpectedly and resulting in a denial of service (DoS) condition. - """ - # Extract the version information from the command output - version_output = commands.show_version - - # List of vulnerable software versions (from CVE details) - vulnerable_versions = [ - # 16.8-16.9 versions - '16.8.1', '16.8.1a', '16.8.1b', '16.8.1s', '16.8.1c', '16.8.1d', - '16.8.2', '16.8.1e', '16.8.3', '16.9.1', '16.9.2', '16.9.1a', - '16.9.1b', '16.9.1s', '16.9.3', '16.9.4', '16.9.5', '16.9.5f', - '16.9.6', '16.9.7', '16.9.8', - # 16.10-16.12 versions - '16.10.1', '16.10.1a', '16.10.1b', '16.10.1s', '16.10.1c', '16.10.1e', - '16.10.1d', '16.10.2', '16.10.1f', '16.10.1g', '16.10.3', '16.11.1', - '16.11.1a', '16.11.1b', '16.11.2', '16.11.1s', '16.12.1', '16.12.1s', - '16.12.1a', '16.12.1c', '16.12.1w', '16.12.2', '16.12.1y', '16.12.2a', - '16.12.3', '16.12.8', '16.12.2s', '16.12.1x', '16.12.1t', '16.12.4', - '16.12.3s', '16.12.4a', '16.12.5', '16.12.6', '16.12.1z1', '16.12.5a', - '16.12.1z2', '16.12.6a', '16.12.7', '16.12.10a', - # 17.1-17.5 versions - '17.1.1', '17.1.1a', '17.1.1s', '17.1.1t', '17.1.3', '17.2.1', '17.2.1r', - '17.2.1a', '17.2.1v', '17.2.2', '17.2.3', '17.3.1', '17.3.2', '17.3.3', - '17.3.1a', '17.3.1w', '17.3.2a', '17.3.1x', '17.3.1z', '17.3.4', '17.3.5', - '17.3.4a', '17.3.6', '17.3.4c', '17.3.5a', '17.3.5b', '17.3.7', '17.4.1', - '17.4.2', '17.4.1a', '17.4.1b', '17.4.2a', '17.5.1', '17.5.1a', '17.5.1b', - '17.5.1c' - ] - - # Check if the current device's software version is in the list of vulnerable versions - version_vulnerable = any(version in version_output for version in vulnerable_versions) - - # If version is not vulnerable, no need to check further - if not version_vulnerable: - return - - # Extract the output of the command to check L2TP configuration - l2tp_output = commands.check_l2tp - - # Check if L2TP is configured - l2tp_configured = any(feature in l2tp_output for feature in ['vpdn', 'l2tp']) - - # Assert that the device is not vulnerable - assert not l2tp_configured, ( - f"Device {device.name} is vulnerable to CVE-2023-20227. " - "The device is running a vulnerable version AND has L2TP configured, " - "which could allow an attacker to cause a denial of service. " - "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" - "sa-ios-xe-l2tp-dos-eB5tuFmV" - ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320231.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320231.py deleted file mode 100644 index 68ad720a..00000000 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320231.py +++ /dev/null @@ -1,65 +0,0 @@ -from comfy import high - - -@high( - name='rule_cve202320231', - platform=['cisco_xe'], - commands=dict( - show_version='show version', - check_webui='show running-config | include ip http|webui|lobby' - ), -) -def rule_cve202320231(configuration, commands, device, devices): - """ - This rule checks for the CVE-2023-20231 vulnerability in Cisco IOS XE Software. - The vulnerability is due to insufficient input validation in the web UI. An attacker could - exploit this vulnerability by sending crafted input to the web UI using Lobby Ambassador credentials, - allowing them to execute arbitrary Cisco IOS XE Software CLI commands with level 15 privileges. - """ - # Extract the version information from the command output - version_output = commands.show_version - - # List of vulnerable software versions (from CVE details) - vulnerable_versions = [ - # 16.12 versions - '16.12.4', '16.12.4a', '16.12.5', '16.12.5a', '16.12.5b', '16.12.6', - '16.12.6a', '16.12.7', '16.12.8', '16.12.9', - # 17.2-17.3 versions - '17.2.2', '17.2.3', '17.3.1', '17.3.1a', '17.3.1w', '17.3.1x', '17.3.1z', - '17.3.2', '17.3.2a', '17.3.3', '17.3.4', '17.3.4a', '17.3.4b', '17.3.4c', - '17.3.5', '17.3.5a', '17.3.5b', '17.3.6', - # 17.4-17.6 versions - '17.4.1', '17.4.1a', '17.4.1b', '17.4.2', '17.4.2a', - '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', - '17.6.1', '17.6.1a', '17.6.1w', '17.6.1x', '17.6.1y', '17.6.1z', '17.6.1z1', - '17.6.2', '17.6.3', '17.6.3a', '17.6.4', '17.6.5', '17.6.5a', - # 17.7-17.10 versions - '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', - '17.8.1', '17.8.1a', - '17.9.1', '17.9.1a', '17.9.1w', '17.9.1x', '17.9.1x1', '17.9.1y', '17.9.2', - '17.9.2a', - '17.10.1', '17.10.1a', '17.10.1b' - ] - - # Check if the current device's software version is in the list of vulnerable versions - version_vulnerable = any(version in version_output for version in vulnerable_versions) - - # If version is not vulnerable, no need to check further - if not version_vulnerable: - return - - # Extract the output of the command to check web UI and Lobby Ambassador configuration - webui_output = commands.check_webui - - # Check if web UI and Lobby Ambassador are configured - webui_enabled = any(service in webui_output for service in ['ip http', 'webui']) - lobby_configured = 'lobby' in webui_output - - # Assert that the device is not vulnerable - assert not (webui_enabled and lobby_configured), ( - f"Device {device.name} is vulnerable to CVE-2023-20231. " - "The device is running a vulnerable version AND has web UI with Lobby Ambassador configured, " - "which could allow an attacker to execute arbitrary commands with elevated privileges. " - "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-cmdij-FzZAeXAy" - ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320235.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320235.py deleted file mode 100644 index 2b7eafc6..00000000 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320235.py +++ /dev/null @@ -1,63 +0,0 @@ -from comfy import high - - -@high( - name='rule_cve202320235', - platform=['cisco_xe'], - commands=dict( - show_version='show version', - check_iox='show running-config | include iox|app-hosting' - ), -) -def rule_cve202320235(configuration, commands, device, devices): - """ - This rule checks for the CVE-2023-20235 vulnerability in Cisco IOS XE Software. - The vulnerability is due to insufficient protection of the on-device application development - workflow feature in the Cisco IOx application hosting infrastructure. An attacker could - exploit this vulnerability by using Docker CLI to access the underlying operating system - as the root user. - """ - # Extract the version information from the command output - version_output = commands.show_version - - # List of vulnerable software versions (from CVE details) - vulnerable_versions = [ - # 17.3 versions - '17.3.1', '17.3.2', '17.3.3', '17.3.1a', '17.3.1w', '17.3.2a', '17.3.1x', - '17.3.1z', '17.3.4', '17.3.5', '17.3.4a', '17.3.6', '17.3.4b', '17.3.4c', - '17.3.5a', '17.3.5b', '17.3.7', - # 17.4-17.6 versions - '17.4.1', '17.4.2', '17.4.1a', '17.4.1b', '17.4.2a', - '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', - '17.6.1', '17.6.2', '17.6.1w', '17.6.1a', '17.6.1x', '17.6.3', '17.6.1y', - '17.6.1z', '17.6.3a', '17.6.4', '17.6.1z1', '17.6.5', '17.6.5a', - # 17.7-17.12 versions - '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', - '17.8.1', '17.8.1a', - '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.1x', '17.9.1y', '17.9.3', - '17.9.2a', '17.9.1x1', '17.9.3a', '17.9.4', '17.9.1y1', '17.9.4a', - '17.10.1', '17.10.1a', '17.10.1b', - '17.11.1', '17.11.1a', '17.12.1', '17.12.1a', '17.11.99SW' - ] - - # Check if the current device's software version is in the list of vulnerable versions - version_vulnerable = any(version in version_output for version in vulnerable_versions) - - # If version is not vulnerable, no need to check further - if not version_vulnerable: - return - - # Extract the output of the command to check IOx configuration - iox_output = commands.check_iox - - # Check if IOx or app-hosting is configured - iox_configured = any(feature in iox_output for feature in ['iox', 'app-hosting']) - - # Assert that the device is not vulnerable - assert not iox_configured, ( - f"Device {device.name} is vulnerable to CVE-2023-20235. " - "The device is running a vulnerable version AND has IOx/app-hosting configured, " - "which could allow an attacker to gain root access to the underlying operating system. " - "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rdocker-uATbukKn" - ) diff --git a/CVEasy/Cisco/2023/cisco_nxos/cve202320273.py b/CVEasy/Cisco/2023/cisco_nxos/cve202320273.py deleted file mode 100644 index 9cd3613a..00000000 --- a/CVEasy/Cisco/2023/cisco_nxos/cve202320273.py +++ /dev/null @@ -1,79 +0,0 @@ -from comfy import high - - -@high( - name='rule_cve202320273', - platform=['cisco_xe'], - commands=dict( - show_version='show version', - check_webui='show running-config | include ip http|webui' - ), -) -def rule_cve202320273(configuration, commands, device, devices): - """ - This rule checks for the CVE-2023-20273 vulnerability in Cisco IOS XE Software. - The vulnerability is due to insufficient input validation in the web UI feature. - An authenticated, remote attacker could exploit this vulnerability by sending crafted - input to the web UI, allowing them to inject commands to the underlying operating system - with root privileges. - """ - # Extract the version information from the command output - version_output = commands.show_version - - # List of vulnerable software versions (from CVE details) - vulnerable_versions = [ - # 16.1-16.3 versions - '16.1.1', '16.1.2', '16.1.3', '16.2.1', '16.2.2', - '16.3.1', '16.3.2', '16.3.3', '16.3.1a', '16.3.4', '16.3.5', '16.3.5b', - '16.3.6', '16.3.7', '16.3.8', '16.3.9', '16.3.10', '16.3.11', - # 16.4-16.9 versions - '16.4.1', '16.4.2', '16.4.3', '16.5.1', '16.5.1a', '16.5.1b', '16.5.2', '16.5.3', - '16.6.1', '16.6.2', '16.6.3', '16.6.4', '16.6.5', '16.6.4a', '16.6.5a', '16.6.6', - '16.6.7', '16.6.8', '16.6.9', '16.6.10', '16.7.1', '16.7.1a', '16.7.1b', '16.7.2', - '16.7.3', '16.7.4', '16.8.1', '16.8.1a', '16.8.1b', '16.8.1s', '16.8.1c', '16.8.1d', - '16.8.2', '16.8.1e', '16.8.3', '16.9.1', '16.9.2', '16.9.1a', '16.9.1b', '16.9.1s', - '16.9.3', '16.9.4', '16.9.3a', '16.9.5', '16.9.5f', '16.9.6', '16.9.7', '16.9.8', - # 16.10-16.12 versions - '16.10.1', '16.10.1a', '16.10.1b', '16.10.1s', '16.10.1c', '16.10.1e', '16.10.1d', - '16.10.2', '16.10.1f', '16.10.1g', '16.10.3', '16.11.1', '16.11.1a', '16.11.1b', - '16.11.2', '16.11.1s', '16.12.1', '16.12.1s', '16.12.1a', '16.12.1c', '16.12.1w', - '16.12.2', '16.12.1y', '16.12.2a', '16.12.3', '16.12.8', '16.12.2s', '16.12.1x', - '16.12.1t', '16.12.4', '16.12.3s', '16.12.3a', '16.12.4a', '16.12.5', '16.12.6', - '16.12.1z1', '16.12.5a', '16.12.5b', '16.12.1z2', '16.12.6a', '16.12.7', '16.12.9', - '16.12.10', - # 17.1-17.12 versions - '17.1.1', '17.1.1a', '17.1.1s', '17.1.1t', '17.1.3', '17.2.1', '17.2.1r', '17.2.1a', - '17.2.1v', '17.2.2', '17.2.3', '17.3.1', '17.3.2', '17.3.3', '17.3.1a', '17.3.1w', - '17.3.2a', '17.3.1x', '17.3.1z', '17.3.4', '17.3.5', '17.3.4a', '17.3.6', '17.3.4b', - '17.3.4c', '17.3.5a', '17.3.5b', '17.3.7', '17.3.8', '17.4.1', '17.4.2', '17.4.1a', - '17.4.1b', '17.4.2a', '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c', '17.6.1', '17.6.2', - '17.6.1w', '17.6.1a', '17.6.1x', '17.6.3', '17.6.1y', '17.6.1z', '17.6.3a', '17.6.4', - '17.6.1z1', '17.6.5', '17.6.6', '17.7.1', '17.7.1a', '17.7.1b', '17.7.2', '17.8.1', - '17.8.1a', '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.1x', '17.9.1y', '17.9.3', - '17.9.2a', '17.9.1x1', '17.9.3a', '17.9.4', '17.9.1y1', '17.10.1', '17.10.1a', - '17.10.1b', '17.11.1', '17.11.1a', '17.12.1', '17.12.1a', '17.11.99SW' - ] - - # Check if the current device's software version is in the list of vulnerable versions - version_vulnerable = any(version in version_output for version in vulnerable_versions) - - # If version is not vulnerable, no need to check further - if not version_vulnerable: - return - - # Extract the output of the command to check web UI configuration - webui_output = commands.check_webui - - # Check if web UI is enabled - webui_enabled = any(service in webui_output for service in ['ip http', 'webui']) - - # Assert that the device is not vulnerable - assert not webui_enabled, ( - f"Device {device.name} is vulnerable to CVE-2023-20273. " - "The device is running a vulnerable version AND has web UI enabled, " - "which could allow an authenticated attacker to execute arbitrary commands with root privileges. " - "This vulnerability is being actively exploited. " - "For more information, see" - "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-" - "sa-iosxe-webui-privesc-j22SaA4z" - ) diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320033.py b/CVEasy/Cisco/2023/cisco_xe/cve202320033.py index 1e5db748..879e054d 100644 --- a/CVEasy/Cisco/2023/cisco_xe/cve202320033.py +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320033.py @@ -13,8 +13,8 @@ def rule_cve202320033(configuration, commands, device, devices): """ This rule checks for the CVE-2023-20033 vulnerability in Cisco IOS XE Software for Catalyst 3650/3850 Series Switches. The vulnerability is due to improper resource - management when processing traffic received on the management interface. - An attacker could exploit this vulnerability by sending a high rate of traffic to + management when processing traffic received on the management interface. + An attacker could exploit this vulnerability by sending a high rate of traffic to the management interface. """ # Extract the version information from the command output diff --git a/CVEasy/Cisco/2023/cisco_xe/cve202320082.py b/CVEasy/Cisco/2023/cisco_xe/cve202320082.py index 6aa7e3e7..01596507 100644 --- a/CVEasy/Cisco/2023/cisco_xe/cve202320082.py +++ b/CVEasy/Cisco/2023/cisco_xe/cve202320082.py @@ -11,11 +11,11 @@ ) def rule_cve202320082(configuration, commands, device, devices): """ - This rule checks for the CVE-2023-20082 vulnerability in Cisco IOS XE Software - for Catalyst 9300 Series Switches. The vulnerability is due to errors that occur + This rule checks for the CVE-2023-20082 vulnerability in Cisco IOS XE Software + for Catalyst 9300 Series Switches. The vulnerability is due to errors that occur when retrieving the public release key used for image signature verification. - An attacker could exploit this vulnerability by modifying specific variables in the - SPI flash memory, allowing them to execute persistent code at boot time and break + An attacker could exploit this vulnerability by modifying specific variables in the + SPI flash memory, allowing them to execute persistent code at boot time and break the chain of trust. """ # Extract the output of the command to check platform type From 185b12ec6fa1ade587ad146c51b23c6c4b151b96 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Tue, 3 Jun 2025 11:57:59 +0000 Subject: [PATCH 21/22] deleted: 2023/rule_cve_2023_20273.py --- CVEasy/Cisco/2023/rule_cve_2023_20273.py | 32 ------------------------ 1 file changed, 32 deletions(-) delete mode 100644 CVEasy/Cisco/2023/rule_cve_2023_20273.py diff --git a/CVEasy/Cisco/2023/rule_cve_2023_20273.py b/CVEasy/Cisco/2023/rule_cve_2023_20273.py deleted file mode 100644 index 41c2cd12..00000000 --- a/CVEasy/Cisco/2023/rule_cve_2023_20273.py +++ /dev/null @@ -1,32 +0,0 @@ -from comfy import high -import re -from packaging import version - - -@high( - name="rule_cve_2023_20273", - platform=["cisco_xe"], - commands=dict( - chk_cmd="show version | include RELEASE SOFTWARE" - ) -) -def rule_cve_2023_20273(commands, ref): - output = str(commands.chk_cmd) - - # Extract version number using regex - match = re.search(r"Version (\d+\.\d+\.\d+)", output) - if not match: - raise AssertionError(f"Could not parse version from output: {output}") - - ver_str = match.group(1) - ver = version.parse(ver_str) - - # Determine if the version is vulnerable - vulnerable = ( - (ver.major == 17 and ver.minor == 3 and ver < version.parse("17.3.8")) or - (ver.major == 17 and ver.minor == 6 and ver < version.parse("17.6.6")) or - (ver.major == 17 and ver.minor == 9 and ver < version.parse("17.9.4")) or - (ver.major == 16 and ver.minor == 12 and ver < version.parse("16.12.10")) - ) - - assert not vulnerable, f"Device is running vulnerable IOS XE version: {ver_str}" From 197f265e231448e1de0643d01b44578dc38a7521 Mon Sep 17 00:00:00 2001 From: mailsanjayhere Date: Tue, 3 Jun 2025 12:04:27 +0000 Subject: [PATCH 22/22] Restore rule_cve_2023_20273.py for matching test --- CVEasy/Cisco/2023/rule_cve_2023_20273.py | 32 ++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 CVEasy/Cisco/2023/rule_cve_2023_20273.py diff --git a/CVEasy/Cisco/2023/rule_cve_2023_20273.py b/CVEasy/Cisco/2023/rule_cve_2023_20273.py new file mode 100644 index 00000000..41c2cd12 --- /dev/null +++ b/CVEasy/Cisco/2023/rule_cve_2023_20273.py @@ -0,0 +1,32 @@ +from comfy import high +import re +from packaging import version + + +@high( + name="rule_cve_2023_20273", + platform=["cisco_xe"], + commands=dict( + chk_cmd="show version | include RELEASE SOFTWARE" + ) +) +def rule_cve_2023_20273(commands, ref): + output = str(commands.chk_cmd) + + # Extract version number using regex + match = re.search(r"Version (\d+\.\d+\.\d+)", output) + if not match: + raise AssertionError(f"Could not parse version from output: {output}") + + ver_str = match.group(1) + ver = version.parse(ver_str) + + # Determine if the version is vulnerable + vulnerable = ( + (ver.major == 17 and ver.minor == 3 and ver < version.parse("17.3.8")) or + (ver.major == 17 and ver.minor == 6 and ver < version.parse("17.6.6")) or + (ver.major == 17 and ver.minor == 9 and ver < version.parse("17.9.4")) or + (ver.major == 16 and ver.minor == 12 and ver < version.parse("16.12.10")) + ) + + assert not vulnerable, f"Device is running vulnerable IOS XE version: {ver_str}"