cisco_nxos 2022 cves (#165)

netpicker · mailsanjayhere · web-flow · commit ac846883b7bb · 2025-06-02T02:07:30.000+05:30
* arista 2021 cves

* Fix flake8 and syntax errors in Arista CVE scripts

* cisco_ios 2022 cves

* cisco_xe 2022 cves

* cisco_xe 2022 cves

* cisco_xr 2022 cves

* cisco_xr 2022 cves

* cisco_nxos 2022 cves

* cisco_nxos 2022 cves

---------

Co-authored-by: mailsanjayhere &lt;mailsanjayhere@gmail.com&gt;
diff --git a/CVEasy/Cisco/2022/cisco_nxos/__init__.py b/CVEasy/Cisco/2022/cisco_nxos/__init__.py
diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220623.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220623.py
@@ -0,0 +1,44 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220623',
+    platform=['cisco_nxos'],
+    commands=dict(
+        show_version='show version',
+        check_bfd='show running-config | include feature bfd'
+    ),
+)
+def rule_cve202220623(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20623 vulnerability in Cisco NX-OS Software.
+    The vulnerability is due to a logic error in the BFD rate limiter functionality of Nexus 9000 Series Switches.
+    An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted stream of traffic
+    through the device, causing BFD traffic to be dropped and resulting in BFD session flaps, route instability,
+    and a denial of service condition.
+    """
+    # Extract the platform information
+    platform_output = commands.show_version
+
+    # Check if the device is a Nexus 9000 Series
+    is_n9k = 'Nexus 9000' in platform_output
+
+    # If not a Nexus 9000 device, it's not vulnerable
+    if not is_n9k:
+        return
+
+    # Extract the output of the command to check BFD configuration
+    bfd_output = commands.check_bfd
+
+    # Check if BFD is enabled
+    bfd_enabled = 'feature bfd' in bfd_output
+
+    # Assert that the device is not vulnerable
+    assert not bfd_enabled, (
+        f"Device {device.name} is vulnerable to CVE-2022-20623. "
+        "The device is a Nexus 9000 Series switch with BFD enabled, "
+        "which could allow an unauthenticated attacker to cause BFD session flaps and a denial of service "
+        "through crafted traffic. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-bfd-dos-wGQXrzxn"
+    )
diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220624.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220624.py
@@ -0,0 +1,38 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220624',
+    platform=['cisco_nxos'],
+    commands=dict(
+        show_version='show version',
+        check_cfs='show running-config | include cfs ipv4 distribute'
+    ),
+)
+def rule_cve202220624(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20624 vulnerability in Cisco NX-OS Software.
+    The vulnerability is due to insufficient validation of incoming CFSoIP packets.
+    An unauthenticated, remote attacker could exploit this vulnerability by sending crafted
+    CFSoIP packets to an affected device, causing it to reload and resulting in a denial of
+    service condition.
+    """
+    # Extract the output of the command to check CFS configuration
+    cfs_output = commands.check_cfs
+
+    # Check if CFSoIP is enabled
+    cfs_enabled = 'cfs ipv4 distribute' in cfs_output
+
+    # If CFSoIP is not enabled, device is not vulnerable
+    if not cfs_enabled:
+        return
+
+    # Assert that the device is not vulnerable
+    assert not cfs_enabled, (
+        f"Device {device.name} is vulnerable to CVE-2022-20624. "
+        "The device has Cisco Fabric Services over IP (CFSoIP) enabled, "
+        "which could allow an unauthenticated attacker to cause a denial of service through crafted "
+        "CFSoIP packets. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cfsoip-dos-tpykyDr"
+    )
diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220625.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220625.py
@@ -0,0 +1,38 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220625',
+    platform=['cisco_nxos'],
+    commands=dict(
+        show_version='show version',
+        check_cdp='show running-config | include no cdp enable|cdp enable'
+    ),
+)
+def rule_cve202220625(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20625 vulnerability in Cisco NX-OS Software.
+    The vulnerability is due to improper handling of Cisco Discovery Protocol messages.
+    An unauthenticated, adjacent attacker could exploit this vulnerability by sending
+    malicious CDP packets to an affected device, causing the CDP service to fail and
+    restart, and in rare conditions, causing the entire device to restart.
+    """
+    # Extract the output of the command to check CDP configuration
+    cdp_output = commands.check_cdp
+
+    # Check if CDP is enabled
+    cdp_enabled = 'cdp enable' in cdp_output
+
+    # If CDP is not enabled, device is not vulnerable
+    if not cdp_enabled:
+        return
+
+    # Assert that the device is not vulnerable
+    assert not cdp_enabled, (
+        f"Device {device.name} is vulnerable to CVE-2022-20625. "
+        "The device has Cisco Discovery Protocol enabled, "
+        "which could allow an adjacent attacker to cause a denial of service through "
+        "malicious CDP packets. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cdp-dos-G8DPLWYG"
+    )
diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220650.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220650.py
@@ -0,0 +1,37 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220650',
+    platform=['cisco_nxos'],
+    commands=dict(
+        show_version='show version',
+        check_nxapi='show running-config | include feature nxapi'
+    ),
+)
+def rule_cve202220650(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20650 vulnerability in Cisco NX-OS Software.
+    The vulnerability is due to insufficient input validation of user supplied data that is sent to the NX-API.
+    An authenticated, remote attacker could exploit this vulnerability by sending a crafted HTTP POST request
+    to the NX-API of an affected device, allowing them to execute arbitrary commands with root privileges.
+    Note: The NX-API feature is disabled by default.
+    """
+    # Extract the output of the command to check NX-API configuration
+    nxapi_output = commands.check_nxapi
+
+    # Check if NX-API is enabled
+    nxapi_enabled = 'feature nxapi' in nxapi_output
+
+    # If NX-API is not enabled, device is not vulnerable
+    if not nxapi_enabled:
+        return
+
+    # Assert that the device is not vulnerable
+    assert not nxapi_enabled, (
+        f"Device {device.name} is vulnerable to CVE-2022-20650. "
+        "The device has NX-API enabled, which could allow an authenticated attacker "
+        "to execute arbitrary commands with root privileges through crafted HTTP POST requests. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-nxapi-cmdinject-ULukNMZ2"
+    )
diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220823.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220823.py
@@ -0,0 +1,41 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220823',
+    platform=['cisco_nxos'],
+    commands=dict(
+        show_version='show version',
+        check_ospfv3='show running-config | include router ospfv3|ipv6 router ospf'
+    ),
+)
+def rule_cve202220823(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20823 vulnerability in Cisco NX-OS Software.
+    The vulnerability is due to incomplete input validation of specific OSPFv3 packets.
+    An unauthenticated, remote attacker could exploit this vulnerability by sending a malicious
+    OSPFv3 link-state advertisement (LSA) to an affected device, causing the OSPFv3 process to
+    crash and restart multiple times, leading to a denial of service condition.
+    Note: The OSPFv3 feature is disabled by default.
+    """
+    # Extract the output of the command to check OSPFv3 configuration
+    ospfv3_output = commands.check_ospfv3
+
+    # Check if OSPFv3 is enabled (either via 'router ospfv3' or 'ipv6 router ospf')
+    ospfv3_enabled = any(feature in ospfv3_output for feature in [
+        'router ospfv3',
+        'ipv6 router ospf'
+    ])
+
+    # If OSPFv3 is not enabled, device is not vulnerable
+    if not ospfv3_enabled:
+        return
+
+    # Assert that the device is not vulnerable
+    assert not ospfv3_enabled, (
+        f"Device {device.name} is vulnerable to CVE-2022-20823. "
+        "The device has OSPFv3 enabled, which could allow an unauthenticated attacker "
+        "to cause a denial of service through malicious OSPFv3 LSA packets. "
+        "For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ospfv3-dos-48qutcu"
+    )
diff --git a/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py b/CVEasy/Cisco/2022/cisco_nxos/cve202220824.py
@@ -0,0 +1,38 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202220824',
+    platform=['cisco_nxos'],
+    commands=dict(
+        show_version='show version',
+        check_cdp='show running-config | include no cdp enable|cdp enable'
+    ),
+)
+def rule_cve202220824(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2022-20824 vulnerability in Cisco NX-OS Software.
+    The vulnerability is due to improper input validation of specific values within Cisco Discovery Protocol messages.
+    An unauthenticated, adjacent attacker could exploit this vulnerability by sending malicious CDP packets to an
+    affected device, allowing them to execute arbitrary code with root privileges or cause a denial of "
+    "service condition.
+    Note: CDP is enabled by default, and the attacker must be in the same broadcast domain (Layer 2 adjacent).
+    """
+    # Extract the output of the command to check CDP configuration
+    cdp_output = commands.check_cdp
+
+    # Check if CDP is enabled
+    cdp_enabled = 'cdp enable' in cdp_output
+
+    # If CDP is not enabled, device is not vulnerable
+    if not cdp_enabled:
+        return
+
+    # Assert that the device is not vulnerable
+    assert not cdp_enabled, (
+        f"Device {device.name} is vulnerable to CVE-2022-20824. "
+        "The device has Cisco Discovery Protocol enabled, "
+        "which could allow an adjacent attacker to execute arbitrary code with root privileges or cause a "
+        "denial of service. For more information, see"
+        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-cdp-dos-ce-wWvPucC9"
+    )
