cisco_xe cve 2023 (#172)

* arista 2021 cves

* Fix flake8 and syntax errors in Arista CVE scripts

* cisco_ios 2022 cves

* cisco_xe 2022 cves

* cisco_xe 2022 cves

* cisco_xr 2022 cves

* cisco_xr 2022 cves

* cisco_nxos 2022 cves

* cisco_nxos 2022 cves

* arista 2022 2024 cve

* arista 2022 2024 cve

* Arista 2023

* Arista 2023

* cisco_ios 2023 cve

* cisco_ios 2023 cve

* cisco_xe cve 2023

* cisco_xe cve 2023

---------

Co-authored-by: mailsanjayhere <mailsanjayhere@gmail.com>

Author: netpicker

CVEasy/Cisco/2023/cisco_xe/__init__.py

@@ -0,0 +1,32 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202320027',
+    platform=['cisco_xe'],
+    commands=dict(
+        show_version='show version',
+        check_vfr='show running-config | include ip virtual-reassembly'
+    ),
+)
+def rule_cve202320027(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2023-20027 vulnerability in Cisco IOS XE Software.
+    The vulnerability is due to improper reassembly of large packets when Virtual Fragmentation
+    Reassembly (VFR) is enabled on either a tunnel interface or on a physical interface that is
+    configured with an MTU greater than 4,615 bytes.
+    """
+    # Extract the output of the command to check VFR configuration
+    vfr_output = commands.check_vfr
+
+    # Check if VFR is configured
+    vfr_configured = 'ip virtual-reassembly' in vfr_output
+
+    # Assert that the device is not vulnerable
+    assert not vfr_configured, (
+        f"Device {device.name} is vulnerable to CVE-2023-20027. "
+        "The device has Virtual Fragmentation Reassembly (VFR) enabled, "
+        "which could allow an attacker to cause a denial of service. "
+        "For more information, see"
+        "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv4-vfr-dos-CXxtFacb"
+    )

CVEasy/Cisco/2023/cisco_xe/cve202320027.py

@@ -0,0 +1,32 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202320029',
+    platform=['cisco_xe'],
+    commands=dict(
+        show_version='show version',
+        check_meraki='show running-config | include meraki'
+    ),
+)
+def rule_cve202320029(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2023-20029 vulnerability in Cisco IOS XE Software.
+    The vulnerability is due to insufficient memory protection in the Meraki onboarding feature.
+    An attacker could exploit this vulnerability by modifying the Meraki registration parameters,
+    which could allow them to elevate privileges to root.
+    """
+    # Extract the output of the command to check Meraki configuration
+    meraki_output = commands.check_meraki
+
+    # Check if Meraki onboarding is configured
+    meraki_configured = 'meraki' in meraki_output
+
+    # Assert that the device is not vulnerable
+    assert not meraki_configured, (
+        f"Device {device.name} is vulnerable to CVE-2023-20029. "
+        "The device has Meraki onboarding feature enabled, "
+        "which could allow an attacker to elevate privileges to root. "
+        "For more information, see"
+        "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-sABD8hcU"
+    )

CVEasy/Cisco/2023/cisco_xe/cve202320029.py

@@ -0,0 +1,59 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202320033',
+    platform=['cisco_xe'],
+    commands=dict(
+        show_version='show version',
+        check_mgmt='show running-config | include interface GigabitEthernet0'
+    ),
+)
+def rule_cve202320033(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2023-20033 vulnerability in Cisco IOS XE Software for
+    Catalyst 3650/3850 Series Switches. The vulnerability is due to improper resource
+    management when processing traffic received on the management interface.  
+    An attacker could exploit this vulnerability by sending a high rate of traffic to 
+    the management interface.
+    """
+    # Extract the version information from the command output
+    version_output = commands.show_version
+
+    # List of vulnerable software versions
+    vulnerable_versions = [
+        # 16.3 versions
+        '16.3.1', '16.3.2', '16.3.3', '16.3.1a', '16.3.4', '16.3.5', '16.3.5b',
+        '16.3.6', '16.3.7', '16.3.8', '16.3.9', '16.3.10', '16.3.11',
+        # 16.4-16.9 versions
+        '16.4.1', '16.5.1', '16.5.1a', '16.6.1', '16.6.2', '16.6.3', '16.6.4',
+        '16.6.5', '16.6.4a', '16.6.6', '16.6.7', '16.6.8', '16.6.9', '16.6.10',
+        '16.7.1', '16.8.1', '16.8.1a', '16.8.1s', '16.9.1', '16.9.2', '16.9.1s',
+        '16.9.3', '16.9.4', '16.9.3a', '16.9.5', '16.9.6', '16.9.7', '16.9.8',
+        # 16.11-16.12 versions
+        '16.11.1', '16.11.2', '16.11.1s', '16.12.1', '16.12.1s', '16.12.2',
+        '16.12.3', '16.12.8', '16.12.4', '16.12.3s', '16.12.3a', '16.12.5',
+        '16.12.6', '16.12.5b', '16.12.6a', '16.12.7', '16.12.9'
+    ]
+
+    # Check if the current device's software version is in the list of vulnerable versions
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    # If version is not vulnerable, no need to check further
+    if not version_vulnerable:
+        return
+
+    # Extract the output of the command to check management interface configuration
+    mgmt_output = commands.check_mgmt
+
+    # Check if management interface is configured
+    mgmt_configured = 'interface GigabitEthernet0' in mgmt_output
+
+    # Assert that the device is not vulnerable
+    assert not mgmt_configured, (
+        f"Device {device.name} is vulnerable to CVE-2023-20033. "
+        "The device is running a vulnerable version AND has management interface configured, "
+        "which could allow an attacker to cause a denial of service. "
+        "For more information, see"
+        "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cat3k-dos-ZZA4Gb3r"
+    )

CVEasy/Cisco/2023/cisco_xe/cve202320033.py

@@ -0,0 +1,32 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202320035',
+    platform=['cisco_xe'],
+    commands=dict(
+        show_version='show version',
+        check_sdwan='show running-config | include sdwan'
+    ),
+)
+def rule_cve202320035(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2023-20035 vulnerability in Cisco IOS XE SD-WAN Software.
+    The vulnerability is due to insufficient input validation by the system CLI.
+    An attacker with privileges to run commands could exploit this vulnerability by submitting
+    crafted input to the system CLI, allowing them to execute commands with root-level privileges.
+    """
+    # Extract the output of the command to check SD-WAN configuration
+    sdwan_output = commands.check_sdwan
+
+    # Check if SD-WAN is configured
+    sdwan_configured = 'sdwan' in sdwan_output
+
+    # Assert that the device is not vulnerable
+    assert not sdwan_configured, (
+        f"Device {device.name} is vulnerable to CVE-2023-20035. "
+        "The device has SD-WAN configured with CLI access, "
+        "which could allow an attacker to execute arbitrary commands with root privileges. "
+        "For more information, see"
+        "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-sdwan-VQAhEjYw"
+    )

CVEasy/Cisco/2023/cisco_xe/cve202320035.py

@@ -0,0 +1,61 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202320065',
+    platform=['cisco_xe'],
+    commands=dict(
+        show_version='show version',
+        check_iox='show running-config | include iox'
+    ),
+)
+def rule_cve202320065(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2023-20065 vulnerability in Cisco IOS XE Software.
+    The vulnerability is due to insufficient restrictions on the hosted application in the
+    Cisco IOx application hosting subsystem. An attacker could exploit this vulnerability
+    by logging in to and then escaping the Cisco IOx application container.
+    """
+    # Extract the version information from the command output
+    version_output = commands.show_version
+
+    # List of vulnerable software versions
+    vulnerable_versions = [
+        # 16.4 versions
+        '16.4.1', '16.4.2', '16.4.3',
+        # 17.3 versions
+        '17.3.1', '17.3.2', '17.3.3', '17.3.1a', '17.3.1w', '17.3.2a', '17.3.1x',
+        '17.3.1z', '17.3.4', '17.3.5', '17.3.4a', '17.3.6', '17.3.4b', '17.3.4c',
+        '17.3.5a', '17.3.5b',
+        # 17.4-17.9 versions
+        '17.4.1', '17.4.2', '17.4.1a', '17.4.1b', '17.4.2a',
+        '17.5.1', '17.5.1a', '17.5.1b', '17.5.1c',
+        '17.6.1', '17.6.2', '17.6.1w', '17.6.1a', '17.6.1x', '17.6.3', '17.6.1y',
+        '17.6.1z', '17.6.3a', '17.6.4', '17.6.1z1',
+        '17.7.1', '17.7.1a', '17.7.1b', '17.7.2',
+        '17.8.1', '17.8.1a',
+        '17.9.1', '17.9.1w', '17.9.2', '17.9.1a', '17.9.2a'
+    ]
+
+    # Check if the current device's software version is in the list of vulnerable versions
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    # If version is not vulnerable, no need to check further
+    if not version_vulnerable:
+        return
+
+    # Extract the output of the command to check IOx configuration
+    iox_output = commands.check_iox
+
+    # Check if IOx is configured
+    iox_configured = 'iox' in iox_output
+
+    # Assert that the device is not vulnerable
+    assert not iox_configured, (
+        f"Device {device.name} is vulnerable to CVE-2023-20065. "
+        "The device is running a vulnerable version AND has IOx application hosting configured, "
+        "which could allow an attacker to elevate privileges to root. "
+        "For more information, see"
+        "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-"
+        "sa-iox-priv-escalate-Xg8zkyPk"
+    )

CVEasy/Cisco/2023/cisco_xe/cve202320065.py

@@ -0,0 +1,32 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202320066',
+    platform=['cisco_xe'],
+    commands=dict(
+        show_version='show version',
+        check_webui='show running-config | include ip http|webui'
+    ),
+)
+def rule_cve202320066(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2023-20066 vulnerability in Cisco IOS XE Software.
+    The vulnerability is due to insufficient security configuration in the web UI.
+    An attacker could exploit this vulnerability by sending a crafted request to the web UI,
+    allowing them to gain read access to files outside the filesystem mountpoint.
+    """
+    # Extract the output of the command to check web UI configuration
+    webui_output = commands.check_webui
+
+    # Check if web UI is enabled
+    webui_enabled = any(service in webui_output for service in ['ip http', 'webui'])
+
+    # Assert that the device is not vulnerable
+    assert not webui_enabled, (
+        f"Device {device.name} is vulnerable to CVE-2023-20066. "
+        "The device has web UI enabled, which could allow an attacker to access files "
+        "outside the filesystem mountpoint through path traversal. "
+        "For more information, see"
+        "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-pthtrv-es7GSb9V"
+    )

CVEasy/Cisco/2023/cisco_xe/cve202320066.py

@@ -0,0 +1,33 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202320067',
+    platform=['cisco_xe'],
+    commands=dict(
+        show_version='show version',
+        check_wlc='show running-config | include wireless|http client'
+    ),
+)
+def rule_cve202320067(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2023-20067 vulnerability in Cisco IOS XE Software for Wireless LAN Controllers.
+    The vulnerability is due to insufficient input validation of received traffic in the "
+    "HTTP-based client profiling feature.
+    An attacker could exploit this vulnerability by sending crafted traffic through a wireless access point,
+    causing high CPU utilization and a denial of service condition.
+    """
+    # Extract the output of the command to check WLC and HTTP client profiling configuration
+    wlc_output = commands.check_wlc
+
+    # Check if WLC and HTTP client profiling are configured
+    wlc_configured = 'wireless' in wlc_output and 'http client' in wlc_output
+
+    # Assert that the device is not vulnerable
+    assert not wlc_configured, (
+        f"Device {device.name} is vulnerable to CVE-2023-20067. "
+        "The device has wireless LAN controller and HTTP client profiling enabled, "
+        "which could allow an attacker to cause a denial of service condition. "
+        "For more information, see"
+        "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-dos-wFujBHKw"
+    )

CVEasy/Cisco/2023/cisco_xe/cve202320067.py

@@ -0,0 +1,32 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202320072',
+    platform=['cisco_xe'],
+    commands=dict(
+        show_version='show version',
+        check_tunnel='show running-config | include tunnel|gre'
+    ),
+)
+def rule_cve202320072(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2023-20072 vulnerability in Cisco IOS XE Software.
+    The vulnerability is due to improper handling of large fragmented tunnel protocol packets.
+    An attacker could exploit this vulnerability by sending crafted fragmented packets to an affected system,
+    causing it to reload and resulting in a denial of service (DoS) condition.
+    """
+    # Extract the output of the command to check tunnel configuration
+    tunnel_output = commands.check_tunnel
+
+    # Check if any tunnel protocols (like GRE) are configured
+    tunnel_configured = any(protocol in tunnel_output for protocol in ['tunnel', 'gre'])
+
+    # Assert that the device is not vulnerable
+    assert not tunnel_configured, (
+        f"Device {device.name} is vulnerable to CVE-2023-20072. "
+        "The device has tunnel protocols configured (e.g., GRE), "
+        "which could allow an attacker to cause a denial of service through crafted fragmented packets. "
+        "For more information, see"
+        "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-gre-crash-p6nE5Sq5"
+    )

CVEasy/Cisco/2023/cisco_xe/cve202320072.py

@@ -0,0 +1,40 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202320082',
+    platform=['cisco_xe'],
+    commands=dict(
+        show_version='show version',
+        check_platform='show inventory | include Chassis'
+    ),
+)
+def rule_cve202320082(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2023-20082 vulnerability in Cisco IOS XE Software 
+    for Catalyst 9300 Series Switches. The vulnerability is due to errors that occur 
+    when retrieving the public release key used for image signature verification.
+    An attacker could exploit this vulnerability by modifying specific variables in the 
+    SPI flash memory, allowing them to execute persistent code at boot time and break 
+    the chain of trust.
+    """
+    # Extract the output of the command to check platform type
+    platform_output = commands.check_platform
+
+    # Check if the device is a Catalyst 9300 Series Switch
+    is_cat9300 = 'C9300' in platform_output
+
+    # Extract the version information from the command output
+    version_output = commands.show_version
+
+    # Check if version is before 16.11.1 (more vulnerable)
+    version_pre_16_11_1 = not any(ver in version_output for ver in ['16.11.1', '16.12', '17.'])
+
+    # Assert that the device is not vulnerable
+    assert not (is_cat9300 and version_pre_16_11_1), (
+        f"Device {device.name} is vulnerable to CVE-2023-20082. "
+        "The device is a Catalyst 9300 Series Switch running a version before 16.11.1, "
+        "which could allow an attacker to execute persistent code at boot time. "
+        "For more information, see"
+        "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9300-spi-ace-yejYgnNQ"
+    )