cisco_xe 2022 cves (#163)

* arista 2021 cves

* Fix flake8 and syntax errors in Arista CVE scripts

* cisco_ios 2022 cves

* cisco_xe 2022 cves

* cisco_xe 2022 cves

---------

Co-authored-by: mailsanjayhere <mailsanjayhere@gmail.com>

Author: netpicker

CVEasy/Cisco/2022/cisco_xe/__init__.py

@@ -0,0 +1,32 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220676',
+    platform=['cisco_xe'],
+    commands=dict(
+        show_version='show version',
+        check_tcl='show running-config | include tclsh'
+    ),
+)
+def rule_cve202220676(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20676 vulnerability in Cisco IOS XE Software.
+    The vulnerability is due to insufficient input validation of data that is passed into the Tcl interpreter.
+    An authenticated, local attacker with privilege level 15 could exploit this vulnerability by loading
+    malicious Tcl code on an affected device, allowing them to escalate to root-level privileges.
+    """
+    # Extract the output of the command to check Tcl configuration
+    tcl_output = commands.check_tcl
+
+    # Check if Tcl shell access is enabled
+    tcl_enabled = 'tclsh' in tcl_output
+
+    # Assert that the device is not vulnerable
+    assert not tcl_enabled, (
+        f"Device {device.name} is vulnerable to CVE-2022-20676. "
+        "The device has Tcl shell access enabled, "
+        "which could allow an authenticated attacker with privilege level 15 to escalate to root privileges. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-grbtubU"
+    )

CVEasy/Cisco/2022/cisco_xe/cve202220676.py

@@ -0,0 +1,35 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220678',
+    platform=['cisco_xe'],
+    commands=dict(
+        show_version='show version',
+        check_appnav='show running-config | include appnav-controller|service-insertion'
+    ),
+)
+def rule_cve202220678(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20678 vulnerability in Cisco IOS XE Software.
+    The vulnerability is due to incorrect handling of certain TCP segments in the AppNav-XE feature.
+    An unauthenticated, remote attacker could exploit this vulnerability by sending a stream of crafted
+    TCP traffic at a high rate through an interface with AppNav interception enabled, causing the device
+    to reload and resulting in a denial of service (DoS) condition.
+    """
+    # Extract the output of the command to check AppNav configuration
+    appnav_output = commands.check_appnav
+
+    # Check if AppNav-XE is configured
+    appnav_configured = any(feature in appnav_output for feature in [
+        'appnav-controller', 'service-insertion'
+    ])
+
+    # Assert that the device is not vulnerable
+    assert not appnav_configured, (
+        f"Device {device.name} is vulnerable to CVE-2022-20678. "
+        "The device has AppNav-XE configured, "
+        "which could allow an unauthenticated attacker to cause a denial of service through crafted TCP traffic. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-appnav-xe-dos-j5MXTR4"
+    )

CVEasy/Cisco/2022/cisco_xe/cve202220678.py

@@ -0,0 +1,47 @@
+import re  # Add regex module
+from comfy import high
+
+
+@high(
+    name='rule_cve202220679',
+    platform=['cisco_xe'],
+    commands=dict(
+        show_version='show version',
+        check_ipsec='show running-config | include crypto ipsec',
+        check_mtu='show interfaces | include MTU'
+    ),
+)
+def rule_cve202220679(configuration, commands, device, devices):
+    # Convert command outputs to strings to handle None values
+    ipsec_output = str(commands.check_ipsec or "")
+    mtu_output = str(commands.check_mtu or "")
+
+    # Check if IPsec is configured
+    ipsec_configured = 'crypto ipsec' in ipsec_output
+
+    # Check if any interface has MTU >= 1800 using regex
+    high_mtu = False
+    for line in mtu_output.splitlines():
+        if 'MTU' in line:
+            # Use regex to find the first sequence of digits after "MTU"
+            match = re.search(r'MTU.*?(\d+)', line)
+            if match:
+                try:
+                    mtu = int(match.group(1))
+                    if mtu >= 1800:
+                        high_mtu = True
+                        break
+                except ValueError:
+                    continue
+
+    # Device is vulnerable if both conditions are met
+    is_vulnerable = ipsec_configured and high_mtu
+
+    # Assert that the device is not vulnerable
+    assert not is_vulnerable, (
+        f"Device {device.name} is vulnerable to CVE-2022-20679. "
+        "The device has IPsec configured and interfaces with MTU >= 1800 bytes, "
+        "which could allow an attacker to cause a denial of service. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qfp-ipsec-GQmqvtqV"
+    )

CVEasy/Cisco/2022/cisco_xe/cve202220679.py

@@ -0,0 +1,42 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220681',
+    platform=['cisco_xe'],
+    commands=dict(
+        show_version='show version',
+        check_platform='show inventory | include Chassis'
+    ),
+)
+def rule_cve202220681(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20681 vulnerability in Cisco IOS XE Software.
+    The vulnerability is due to insufficient validation of user privileges after executing certain CLI commands
+    on Cisco Catalyst 9000 Family Switches and Wireless Controllers. An authenticated, local attacker with low
+    privileges could exploit this vulnerability by executing certain CLI commands to elevate their privileges
+    to level 15.
+    """
+    # Extract the version information from the command output
+    version_output = commands.show_version
+
+    _ = version_output  # intentionally unused
+
+    # Extract the platform information
+    platform_output = commands.check_platform
+
+    # Check if the device is a Catalyst 9000 Series
+    is_cat9k = 'C9' in platform_output
+
+    # If not a Catalyst 9000 device, it's not vulnerable
+    if not is_cat9k:
+        return
+
+    # Assert that the device is not vulnerable
+    assert not is_cat9k, (
+        f"Device {device.name} is vulnerable to CVE-2022-20681. "
+        "The device is a Catalyst 9000 Series switch/wireless controller, "
+        "which could allow an authenticated attacker to elevate privileges to level 15 through certain CLI commands. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-priv-esc-ybvHKO5"
+    )

CVEasy/Cisco/2022/cisco_xe/cve202220681.py

@@ -0,0 +1,47 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220682',
+    platform=['cisco_xe'],
+    commands=dict(
+        show_version='show version',
+        check_platform='show inventory | include Chassis',
+        check_wireless='show running-config | include wireless|capwap'
+    ),
+)
+def rule_cve202220682(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20682 vulnerability in Cisco IOS XE Software.
+    The vulnerability is due to inadequate input validation of incoming CAPWAP packets encapsulating
+    multicast DNS (mDNS) queries in the Catalyst 9000 Family Wireless Controllers. An attacker could
+    exploit this vulnerability by connecting to a wireless network and sending a crafted mDNS query,
+    which would flow through and be processed by the wireless controller.
+    """
+    # Extract the platform information
+    platform_output = commands.check_platform
+
+    # Check if the device is a Catalyst 9000 Series
+    is_cat9k = 'C9' in platform_output
+
+    # If not a Catalyst 9000 device, it's not vulnerable
+    if not is_cat9k:
+        return
+
+    # Extract the output of the command to check wireless/CAPWAP configuration
+    wireless_output = commands.check_wireless
+
+    # Check if wireless controller and CAPWAP are configured
+    wireless_configured = any(feature in wireless_output for feature in ['wireless', 'capwap'])
+
+    # Device is vulnerable if it's a Cat9K and has wireless/CAPWAP configured
+    is_vulnerable = is_cat9k and wireless_configured
+
+    # Assert that the device is not vulnerable
+    assert not is_vulnerable, (
+        f"Device {device.name} is vulnerable to CVE-2022-20682. "
+        "The device is a Catalyst 9000 Series wireless controller with CAPWAP configured, "
+        "which could allow an unauthenticated attacker to cause a denial of service through crafted mDNS queries. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-capwap-mdns-6PSn7gKU"
+    )

CVEasy/Cisco/2022/cisco_xe/cve202220682.py

@@ -0,0 +1,47 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220683',
+    platform=['cisco_xe'],
+    commands=dict(
+        show_version='show version',
+        check_platform='show inventory | include Chassis',
+        check_fnf='show running-config | include flow|performance monitor'
+    ),
+)
+def rule_cve202220683(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20683 vulnerability in Cisco IOS XE Software.
+    The vulnerability is due to insufficient packet verification for traffic inspected by the AVC feature
+    in Cisco Catalyst 9800 Series Wireless Controllers. An unauthenticated, remote attacker could exploit
+    this vulnerability by sending crafted packets from the wired network to a wireless client, causing
+    the wireless controller to reload and resulting in a denial of service (DoS) condition.
+    """
+    # Extract the platform information
+    platform_output = commands.check_platform
+
+    # Check if the device is a Catalyst 9800 Series
+    is_cat9800 = 'C9800' in platform_output
+
+    # If not a Catalyst 9800 device, it's not vulnerable
+    if not is_cat9800:
+        return
+
+    # Extract the output of the command to check AVC/FNF configuration
+    fnf_output = commands.check_fnf
+
+    # Check if AVC/FNF is configured
+    fnf_configured = any(feature in fnf_output for feature in ['flow', 'performance monitor'])
+
+    # Device is vulnerable if it's a Cat9800 and has AVC/FNF configured
+    is_vulnerable = is_cat9800 and fnf_configured
+
+    # Assert that the device is not vulnerable
+    assert not is_vulnerable, (
+        f"Device {device.name} is vulnerable to CVE-2022-20683. "
+        "The device is a Catalyst 9800 Series wireless controller with AVC/FNF configured, "
+        "which could allow an unauthenticated attacker to cause a denial of service through crafted packets. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-fnf-dos-bOL5vLge"
+    )

CVEasy/Cisco/2022/cisco_xe/cve202220683.py

@@ -0,0 +1,48 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220684',
+    platform=['cisco_xe'],
+    commands=dict(
+        show_version='show version',
+        check_platform='show inventory | include Chassis',
+        check_wireless='show running-config | include wireless|snmp-server'
+    ),
+)
+def rule_cve202220684(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20684 vulnerability in Cisco IOS XE Software.
+    The vulnerability is due to a lack of input validation of the information used to generate an SNMP trap
+    related to a wireless client connection event in Catalyst 9000 Family Wireless Controllers. An attacker
+    could exploit this vulnerability by sending an 802.1x packet with crafted parameters during the wireless
+    authentication setup phase of a connection.
+    """
+    # Extract the platform information
+    platform_output = commands.check_platform
+
+    # Check if the device is a Catalyst 9000 Series
+    is_cat9k = 'C9' in platform_output
+
+    # If not a Catalyst 9000 device, it's not vulnerable
+    if not is_cat9k:
+        return
+
+    # Extract the output of the command to check wireless and SNMP configuration
+    wireless_output = commands.check_wireless
+
+    # Check if wireless controller and SNMP traps are configured
+    wireless_configured = 'wireless' in wireless_output
+    snmp_configured = 'snmp-server' in wireless_output
+
+    # Device is vulnerable if it's a Cat9K and has both wireless and SNMP configured
+    is_vulnerable = is_cat9k and wireless_configured and snmp_configured
+
+    # Assert that the device is not vulnerable
+    assert not is_vulnerable, (
+        f"Device {device.name} is vulnerable to CVE-2022-20684. "
+        "The device is a Catalyst 9000 Series wireless controller with SNMP traps configured, "
+        "which could allow an unauthenticated attacker to cause a denial of service through crafted 802.1x packets. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-snmp-trap-dos-mjent3Ey"
+    )

CVEasy/Cisco/2022/cisco_xe/cve202220684.py

@@ -0,0 +1,33 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220692',
+    platform=['cisco_xe'],
+    commands=dict(
+        show_version='show version',
+        check_netconf='show running-config | include netconf-yang|ssh'
+    ),
+)
+def rule_cve202220692(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20692 vulnerability in Cisco IOS XE Software.
+    The vulnerability is due to insufficient resource management in the NETCONF over SSH feature.
+    A low-privileged, authenticated, remote attacker could exploit this vulnerability by initiating
+    a large number of NETCONF over SSH connections, causing the device to reload and resulting in
+    a denial of service (DoS) condition.
+    """
+    # Extract the output of the command to check NETCONF configuration
+    netconf_output = commands.check_netconf
+
+    # Check if NETCONF over SSH is enabled
+    netconf_enabled = 'netconf-yang' in netconf_output and 'ssh' in netconf_output
+
+    # Assert that the device is not vulnerable
+    assert not netconf_enabled, (
+        f"Device {device.name} is vulnerable to CVE-2022-20692. "
+        "The device has NETCONF over SSH enabled, "
+        "which could allow an authenticated attacker to cause a denial of service through multiple connections. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncossh-dos-ZAkfOdq8"
+    )

CVEasy/Cisco/2022/cisco_xe/cve202220692.py

@@ -0,0 +1,38 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220693',
+    platform=['cisco_xe'],
+    commands=dict(
+        show_version='show version',
+        check_webui='show running-config | include ip http|restconf'
+    ),
+)
+def rule_cve202220693(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20693 vulnerability in Cisco IOS XE Software.
+    The vulnerability is due to insufficient input validation in the web UI feature.
+    An authenticated, remote attacker could exploit this vulnerability by sending crafted input
+    to the web UI API, allowing them to inject commands to the underlying operating system with
+    root privileges.
+    """
+    # Extract the output of the command to check web UI configuration
+    webui_output = commands.check_webui
+
+    # Check if web UI or RESTCONF is enabled
+    webui_enabled = any(feature in webui_output for feature in [
+        'ip http server',
+        'ip http secure-server',
+        'restconf'
+    ])
+
+    # Assert that the device is not vulnerable
+    assert not webui_enabled, (
+        f"Device {device.name} is vulnerable to CVE-2022-20693. "
+        "The device has web UI or RESTCONF enabled, "
+        "which could allow an authenticated attacker to inject commands with root privileges through "
+        "crafted API input. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webuiapi-inj-Nyrq92Od"
+    )