cisco_xr 2022 cves (#164)

netpicker · mailsanjayhere · web-flow · commit 590c3bf46309 · 2025-06-02T01:57:35.000+05:30
* arista 2021 cves

* Fix flake8 and syntax errors in Arista CVE scripts

* cisco_ios 2022 cves

* cisco_xe 2022 cves

* cisco_xe 2022 cves

* cisco_xr 2022 cves

* cisco_xr 2022 cves

---------

Co-authored-by: mailsanjayhere &lt;mailsanjayhere@gmail.com&gt;
diff --git a/CVEasy/Cisco/2022/cisco_xr/__init__.py b/CVEasy/Cisco/2022/cisco_xr/__init__.py
diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220655.py b/CVEasy/Cisco/2022/cisco_xr/cve202220655.py
@@ -0,0 +1,54 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220655',
+    platform=['cisco_xr'],
+    commands=dict(
+        show_version='show version',
+        check_confd='show processes confd'
+    ),
+)
+def rule_cve202220655(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20655 vulnerability in Cisco IOS XR Software.
+    The vulnerability is due to insufficient validation of a process argument in the ConfD CLI.
+    An authenticated, local attacker could exploit this vulnerability by injecting commands during
+    the execution of this process, allowing them to execute arbitrary commands on the underlying
+    operating system with root privileges.
+    """
+    # List of vulnerable versions
+    vulnerable_versions = [
+        '7.0.1', '7.0.2', '7.0.3', '7.1.0',  # IOS XR versions
+        '2.6.5',  # Virtual Topology System versions
+        '4.3.9.1', '4.4.5.6', '4.5.7', '4.6.1.7', '4.7.1', '5.1.0.1',  # Network Services Orchestrator versions
+        '3.12.1',  # Enterprise NFV Infrastructure Software versions
+        '18.4.4', '19.2.1',  # Catalyst SD-WAN Manager versions
+        '16.10.2', '16.12.1b', '17.2.1r',  # IOS XE Catalyst SD-WAN versions
+        '18.4.4', '19.2.1'  # SD-WAN vEdge Router versions
+    ]
+
+    # Extract the version information
+    version_output = commands.show_version
+
+    # Check if version is vulnerable
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    # If version is not vulnerable, no need to check further
+    if not version_vulnerable:
+        return
+
+    # Extract the output of the command to check ConfD process
+    confd_output = commands.check_confd
+
+    # Check if ConfD is running
+    confd_running = 'confd' in confd_output
+
+    # Assert that the device is not vulnerable
+    assert not confd_running, (
+        f"Device {device.name} is vulnerable to CVE-2022-20655. "
+        "The device is running a vulnerable version with ConfD enabled, "
+        "which could allow an authenticated attacker to execute arbitrary commands with root privileges. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cli-cmdinj-4MttWZPB"
+    )
diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220714.py b/CVEasy/Cisco/2022/cisco_xr/cve202220714.py
@@ -0,0 +1,33 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220714',
+    platform=['cisco_xr'],
+    commands=dict(
+        show_version='show version',
+        check_linecard='show inventory | include Lightspeed-Plus'
+    ),
+)
+def rule_cve202220714(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20714 vulnerability in Cisco IOS XR Software.
+    The vulnerability is due to incorrect handling of malformed packets in the data plane microcode
+    of Lightspeed-Plus line cards for ASR 9000 Series routers. An unauthenticated, remote attacker
+    could exploit this vulnerability by sending crafted IPv4 or IPv6 packets through an affected device,
+    causing the line card to reset and resulting in a denial of service condition.
+    """
+    # Extract the output of the command to check for Lightspeed-Plus line cards
+    linecard_output = commands.check_linecard
+
+    # Check if Lightspeed-Plus line cards are present
+    lightspeed_plus_present = 'Lightspeed-Plus' in linecard_output
+
+    # Assert that the device is not vulnerable
+    assert not lightspeed_plus_present, (
+        f"Device {device.name} is vulnerable to CVE-2022-20714. "
+        "The device has Lightspeed-Plus line cards installed, "
+        "which could allow an unauthenticated attacker to cause a denial of service through crafted IPv4/IPv6 packets. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lsplus-Z6AQEOjk"
+    )
diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220758.py b/CVEasy/Cisco/2022/cisco_xr/cve202220758.py
@@ -0,0 +1,38 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220758',
+    platform=['cisco_xr'],
+    commands=dict(
+        show_version='show version',
+        check_bgp='show running-config | include router bgp|address-family l2vpn evpn'
+    ),
+)
+def rule_cve202220758(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20758 vulnerability in Cisco IOS XR Software.
+    The vulnerability is due to incorrect processing of BGP update messages containing specific EVPN attributes.
+    An unauthenticated, remote attacker could exploit this vulnerability by sending crafted BGP update messages
+    through an established trusted peer connection, causing the BGP process to restart and resulting in a
+    denial of service (DoS) condition.
+    """
+    # Extract the output of the command to check BGP EVPN configuration
+    bgp_output = commands.check_bgp
+
+    # Check if BGP is configured with L2VPN EVPN address family
+    bgp_configured = 'router bgp' in bgp_output
+    evpn_configured = 'address-family l2vpn evpn' in bgp_output
+
+    # Device is vulnerable if both BGP and L2VPN EVPN are configured
+    is_vulnerable = bgp_configured and evpn_configured
+
+    # Assert that the device is not vulnerable
+    assert not is_vulnerable, (
+        f"Device {device.name} is vulnerable to CVE-2022-20758. "
+        "The device has BGP configured with L2VPN EVPN address-family, "
+        "which could allow an unauthenticated attacker to cause a denial of service through crafted "
+        "BGP update messages. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgpevpn-zWTRtPBb"
+    )
diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220821.py b/CVEasy/Cisco/2022/cisco_xr/cve202220821.py
@@ -0,0 +1,39 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220821',
+    platform=['cisco_xr'],
+    commands=dict(
+        show_version='show version',
+        check_redis='show processes | include redis',
+        check_port='show processes | include 6379'
+    ),
+)
+def rule_cve202220821(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20821 vulnerability in Cisco IOS XR Software.
+    The vulnerability is due to the health check RPM opening TCP port 6379 by default upon activation.
+    An unauthenticated, remote attacker could exploit this vulnerability by connecting to the Redis
+    instance on the open port, allowing them to write to the Redis in-memory database, write arbitrary
+    files to the container filesystem, and retrieve information about the Redis database.
+    """
+    # Extract the output of the commands
+    redis_output = commands.check_redis
+    port_output = commands.check_port
+
+    # Check if Redis is running and port 6379 is open
+    redis_running = 'redis' in redis_output
+    port_open = '6379' in port_output
+
+    # Device is vulnerable if Redis is running and port 6379 is open
+    is_vulnerable = redis_running and port_open
+
+    # Assert that the device is not vulnerable
+    assert not is_vulnerable, (
+        f"Device {device.name} is vulnerable to CVE-2022-20821. "
+        "The device has Redis running with port 6379 open, "
+        "which could allow an unauthenticated attacker to access and modify the Redis database. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK"
+    )
diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220845.py b/CVEasy/Cisco/2022/cisco_xr/cve202220845.py
@@ -0,0 +1,59 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220845',
+    platform=['cisco_xr'],
+    commands=dict(
+        show_version='show version',
+        check_platform='show inventory | include Chassis',
+        check_tl1='show processes | include tl1'
+    ),
+)
+def rule_cve202220845(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20845 vulnerability in Cisco IOS XR Software.
+    The vulnerability is due to TL1 not freeing memory under some conditions in NCS 4000 Series devices.
+    An authenticated, local attacker could exploit this vulnerability by connecting to the device and
+    issuing TL1 commands, causing the TL1 process to consume large amounts of memory and potentially
+    leading to a denial of service condition.
+    """
+    # List of vulnerable versions
+    vulnerable_versions = [
+        '6.5.25', '6.5.26', '6.5.28', '6.5.29', '6.5.31', '6.5.32'
+    ]
+
+    # Extract the version information
+    version_output = commands.show_version
+
+    # Check if version is vulnerable
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    # If version is not vulnerable, no need to check further
+    if not version_vulnerable:
+        return
+
+    # Extract the platform information
+    platform_output = commands.check_platform
+
+    # Check if the device is an NCS 4000 Series
+    is_ncs4k = 'NCS-4' in platform_output
+
+    # If not an NCS 4000 device, it's not vulnerable
+    if not is_ncs4k:
+        return
+
+    # Extract the output of the command to check TL1 process
+    tl1_output = commands.check_tl1
+
+    # Check if TL1 process is running
+    tl1_running = 'tl1' in tl1_output
+
+    # Assert that the device is not vulnerable
+    assert not tl1_running, (
+        f"Device {device.name} is vulnerable to CVE-2022-20845. "
+        "The device is an NCS 4000 Series running a vulnerable version with TL1 process enabled, "
+        "which could allow an authenticated attacker to cause a denial of service through memory exhaustion. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncs4k-tl1-GNnLwC6"
+    )
diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220846.py b/CVEasy/Cisco/2022/cisco_xr/cve202220846.py
@@ -0,0 +1,58 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220846',
+    platform=['cisco_xr'],
+    commands=dict(
+        show_version='show version',
+        check_cdp='show running-config | include cdp'
+    ),
+)
+def rule_cve202220846(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20846 vulnerability in Cisco IOS XR Software.
+    The vulnerability is due to a heap buffer overflow in certain Cisco Discovery Protocol messages.
+    An unauthenticated, adjacent attacker could exploit this vulnerability by sending malicious
+    Cisco Discovery Protocol packets to an affected device, causing the CDP process to reload.
+    """
+    # List of vulnerable versions
+    vulnerable_versions = [
+        '6.5.1', '6.5.2', '6.5.3', '6.5.15', '6.5.25', '6.5.26', '6.5.28', '6.5.29',
+        '6.5.31', '6.5.32', '6.5.90', '6.5.92', '6.5.93',
+        '6.6.1', '6.6.2', '6.6.3', '6.6.4', '6.6.11', '6.6.12', '6.6.25',
+        '6.7.1', '6.7.2', '6.7.3', '6.7.4', '6.7.35',
+        '6.8.1', '6.8.2', '6.9.1',
+        '7.0.0', '7.0.1', '7.0.2', '7.0.11', '7.0.12', '7.0.14', '7.0.90',
+        '7.1.1', '7.1.2', '7.1.3', '7.1.15', '7.1.25',
+        '7.2.0', '7.2.1', '7.2.2', '7.2.12',
+        '7.3.1', '7.3.2', '7.3.3', '7.3.4', '7.3.15', '7.3.16', '7.3.27',
+        '7.4.1', '7.4.2', '7.4.15', '7.4.16',
+        '7.5.1', '7.5.2', '7.5.12',
+        '7.6.1', '7.6.15'
+    ]
+
+    # Extract the version information
+    version_output = commands.show_version
+
+    # Check if version is vulnerable
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    # If version is not vulnerable, no need to check further
+    if not version_vulnerable:
+        return
+
+    # Extract the output of the command to check CDP configuration
+    cdp_output = commands.check_cdp
+
+    # Check if CDP is enabled (CDP is enabled by default unless explicitly disabled)
+    cdp_disabled = 'no cdp' in cdp_output
+
+    # Assert that the device is not vulnerable
+    assert cdp_disabled, (
+        f"Device {device.name} is vulnerable to CVE-2022-20846. "
+        "The device is running a vulnerable version with CDP enabled, "
+        "which could allow an adjacent attacker to cause a denial of service through malicious CDP packets. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xr-cdp-wnALzvT2"
+    )
diff --git a/CVEasy/Cisco/2022/cisco_xr/cve202220849.py b/CVEasy/Cisco/2022/cisco_xr/cve202220849.py
@@ -0,0 +1,55 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220849',
+    platform=['cisco_xr'],
+    commands=dict(
+        show_version='show version',
+        check_pppoe='show running-config | include bba-group pppoe|pppoe enable'
+    ),
+)
+def rule_cve202220849(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20849 vulnerability in Cisco IOS XR Software.
+    The vulnerability is due to improper handling of error conditions within specific PPPoE packet
+    sequences in the Broadband Network Gateway feature. An unauthenticated, adjacent attacker could
+    exploit this vulnerability by sending a sequence of specific PPPoE packets from controlled CPE,
+    causing the PPPoE process to continually restart and resulting in a denial of service condition.
+    """
+    # List of vulnerable versions
+    vulnerable_versions = [
+        '6.5.1', '6.5.2', '6.5.3', '6.5.15', '6.6.1', '6.6.2', '6.6.3', '6.6.4', '6.6.25',
+        '6.7.1', '6.7.2', '6.7.3', '6.7.35', '6.8.1', '6.8.2', '6.9.1',
+        '7.0.1', '7.0.2', '7.0.90', '7.1.1', '7.1.2', '7.1.3', '7.1.15', '7.1.25',
+        '7.2.1', '7.2.2', '7.3.1', '7.3.2', '7.3.3', '7.3.4', '7.4.1', '7.4.2',
+        '7.5.1'
+    ]
+
+    # Extract the version information
+    version_output = commands.show_version
+
+    # Check if version is vulnerable
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    # If version is not vulnerable, no need to check further
+    if not version_vulnerable:
+        return
+
+    # Extract the output of the command to check PPPoE configuration
+    pppoe_output = commands.check_pppoe
+
+    # Check if PPPoE is configured
+    pppoe_configured = any(feature in pppoe_output for feature in [
+        'bba-group pppoe',
+        'pppoe enable'
+    ])
+
+    # Assert that the device is not vulnerable
+    assert not pppoe_configured, (
+        f"Device {device.name} is vulnerable to CVE-2022-20849. "
+        "The device is running a vulnerable version with PPPoE enabled, "
+        "which could allow an adjacent attacker to cause a denial of service through crafted PPPoE packets. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-bng-Gmg5Gxt"
+    )
