updated cisco_nxos vulnerabiliteis with software versions and doc files for them

Author: mailsanjayhere

CVEasy/Cisco/2022/cve202220623.py

@@ -1,6 +1,7 @@
 from comfy import high
 import re
 
+
 @high(
     name='rule_cve202220623',
     platform=['cisco_nxos'],
@@ -12,44 +13,52 @@
 def rule_cve202220623(configuration, commands, device, devices):
     """
     CVE-2022-20623: BFD DoS vulnerability in Cisco NX-OS.
-    Affects Nexus 9000 Series if BFD is enabled and version ≤ 7.0(3)I7(10) or ≤ 9.3(8).
+    Affects Nexus 9500 Series switches with BFD enabled on:
+      - NX-OS versions < 7.0.3.I7.10
+      - NX-OS versions < 9.3(8)
+      - NX-OS 10.2(2) *only* if GX ASIC is in use (not checked here)
+    Note: Nexus 9200/9300 not affected even on same NX-OS versions.
     """
-    platform_output = commands.show_version
+    version_output = commands.show_version
     bfd_output = commands.check_bfd
 
-    # 1. Check if device is a Nexus 9000
-    is_n9k = 'Nexus 9000' in platform_output
-    if not is_n9k:
+    # Skip if BFD is not enabled
+    if 'feature bfd' not in bfd_output:
         return
 
-    # 2. Check if BFD is enabled
-    bfd_enabled = 'feature bfd' in bfd_output
-    if not bfd_enabled:
+    # Skip if platform is not Nexus 9500
+    if 'Nexus 9500' not in version_output:
         return
 
-    # 3. Extract NX-OS version
-    match = re.search(r'NXOS:\s+version\s+([\w\.\(\)]+)', platform_output, re.IGNORECASE)
+    # Extract NX-OS version
+    match = re.search(r'NXOS:\s+version\s+([\w\.\(\)]+)', version_output, re.IGNORECASE)
     if not match:
-        return  # Can't extract version
+        return
 
     version = match.group(1)
 
-    def parse_version(ver):
-        return [int(x) if x.isdigit() else x for x in re.split(r'[\.\(\)I]+', ver) if x]
+    def parse_version(v):
+        return [int(x) if x.isdigit() else x for x in re.split(r'[.\(\)I]+', v) if x]
 
     v = parse_version(version)
-    is_vulnerable = False
-
-    # 4. Compare version against vulnerable builds
-    if version.startswith("7.0.3") and 'I' in version:
-        is_vulnerable = v <= parse_version("7.0.3.I7.10")
-    elif version.startswith("9.3"):
-        is_vulnerable = v <= parse_version("9.3.8")
-
-    # 5. Assert only if BFD is enabled and version is affected
-    assert not is_vulnerable, (
-        f"Device {device.name} is vulnerable to CVE-2022-20623. "
-        f"Nexus 9000 Series switch with NX-OS version {version} has BFD enabled, "
-        "which could allow a remote attacker to cause BFD session flaps and a denial of service. "
-        "See: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-bfd-dos-wGQXrzxn"
+
+    # Determine the correct threshold based on major.minor version
+    if v[:2] == parse_version("7.0")[:2]:
+        is_safe = v >= parse_version("7.0.3.I7.10")
+    elif v[:2] == parse_version("9.3")[:2]:
+        is_safe = v >= parse_version("9.3.8")
+    elif v[:2] == parse_version("10.2")[:2]:
+        # 10.2.2 requires GX ASIC, which we're not checking — skip
+        return
+    else:
+        # Unknown version family — skip check
+        return
+
+    # Assert only if device is vulnerable
+    assert is_safe, (
+        f"Device {device.name or device.ipaddress or 'unknown'} is vulnerable to CVE-2022-20623. "
+        f"NX-OS version {version} on a Nexus 9500 with BFD enabled may allow denial of service. "
+        "Upgrade to a fixed release or apply the appropriate SMU. "
+        "See: "
+        "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-bfd-dos-wGQXrzxn"
     )

CVEasy/Cisco/2022/cve202220624.py

@@ -1,48 +1,65 @@
 from comfy import high
 import re
 
+
 @high(
-    name='rule_cve202220624',
-    platform=['cisco_nxos'],
+    name="rule_cve202220624",
+    platform=["cisco_nxos"],
     commands=dict(
-        show_version='show version',
-        check_cfs='show running-config | include cfs ipv4 distribute'
+        show_version="show version",
+        show_cfs_status="show cfs status",
     ),
 )
 def rule_cve202220624(configuration, commands, device, devices):
     """
-    CVE-2022-20624: NX-OS CFSoIP DoS vulnerability.
-    Affects NX-OS ≤ 7.0(3)I7(10) or ≤ 9.3(8), only if CFSoIP is enabled.
+    CVE-2022-20624:
+    Cisco Fabric Services over IP (CFSoIP) DoS vulnerability in Cisco NX-OS.
     """
-    cfs_output = commands.check_cfs
+
     version_output = commands.show_version
+    cfs_output = commands.show_cfs_status
+
+    # Skip if CFSoIP is not enabled
+    if "Distribution over IP : Enabled" not in cfs_output:
+        return
 
-    # Check if CFSoIP is enabled
-    cfs_enabled = 'cfs ipv4 distribute' in cfs_output
-    if not cfs_enabled:
-        return  # Not vulnerable if CFSoIP is off
+    # Skip if not one of the affected platforms
+    if not any(p in version_output for p in ["Nexus 3000", "Nexus 9000", "UCS 6400"]):
+        return
 
-    # Extract NX-OS version from show version
-    match = re.search(r'NXOS:\s+version\s+([\w\.\(\)]+)', version_output, re.IGNORECASE)
+    # Extract NX-OS version
+    match = re.search(r'NXOS:\s+version\s+([\w\.\(\)]+)', version_output)
     if not match:
-        return  # Version unknown, skip
+        return
 
     version = match.group(1)
 
     def parse_version(v):
-        return [int(x) if x.isdigit() else x for x in re.split(r'[\.\(\)I]+', v) if x]
+        return [int(x) if x.isdigit() else x for x in re.split(r'[.\(\)I]+', v) if x]
 
     v = parse_version(version)
-    is_vulnerable = False
 
-    if version.startswith("7.0.3") and 'I' in version:
-        is_vulnerable = v < parse_version("7.0.3.I7.10")
-    elif version.startswith("9.3"):
-        is_vulnerable = v < parse_version("9.3.8")
+    # Determine if the version is vulnerable based on platform
+    if "UCS 6400" in version_output:
+        # UCS 6400 fixed in: 4.1(3h), 4.2(1l)
+        is_safe = (
+            v >= parse_version("4.1.3h") or
+            v >= parse_version("4.2.1l")
+        )
+    else:
+        # Nexus 3000/9000 fixed in: 7.0(3)I7(10) or 9.3(8)
+        if v[:2] == parse_version("7.0")[:2]:
+            is_safe = v >= parse_version("7.0.3.I7.10")
+        elif v[:2] == parse_version("9.3")[:2]:
+            is_safe = v >= parse_version("9.3.8")
+        else:
+            # Unknown family — skip
+            return
 
-    assert not is_vulnerable, (
-        f"Device {device.name} is vulnerable to CVE-2022-20624. "
-        f"NX-OS version {version} has CFSoIP enabled, which allows unauthenticated DoS attacks. "
-        "Upgrade to a fixed version or disable CFSoIP. "
+    # Assert only if device is vulnerable
+    assert is_safe, (
+        f"Device {device.name or device.ipaddress or 'unknown'} is vulnerable to CVE-2022-20624. "
+        f"NX-OS version {version} with CFSoIP enabled may allow a remote DoS. "
+        "Upgrade to a fixed release or apply the appropriate SMU. "
         "See: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cfsoip-dos-tpykyDr"
     )

CVEasy/Cisco/2022/cve202220625.py

@@ -1,51 +1,60 @@
 from comfy import high
 import re
 
+
 @high(
-    name='rule_cve202220625',
-    platform=['cisco_nxos'],
+    name="rule_cve202220625",
+    platform=["cisco_nxos"],
     commands=dict(
-        show_version='show version',
-        check_cdp='show running-config | include no cdp enable|cdp enable'
+        show_version="show version",
+        show_running_config_cdp="show running-config cdp all | include \"cdp enable\"",
     ),
 )
 def rule_cve202220625(configuration, commands, device, devices):
     """
-    CVE-2022-20625: DoS via CDP in NX-OS.
-    Vulnerable if CDP is enabled AND version is < fixed.
-    Fixed in: 7.0(3)I7(10), 8.4(5), 9.3(8)
+    CVE-2022-20625: Cisco Discovery Protocol Service DoS Vulnerability
+    An unauthenticated attacker on the local network can send crafted CDP messages
+    that restart the service, possibly the whole device. This affects multiple platforms.
     """
-    cdp_output = commands.check_cdp
+
     version_output = commands.show_version
+    cdp_output = commands.show_running_config_cdp
+
+    if "cdp enable" not in cdp_output:
+        return
 
-    # Check if CDP is enabled
-    cdp_enabled = 'cdp enable' in cdp_output
-    if not cdp_enabled:
-        return  # Safe
+    if not any(model in version_output for model in [
+        "Nexus 3000", "Nexus 5500", "Nexus 5600", "Nexus 6000", "Nexus 7000",
+        "Nexus 9000", "UCS 6200", "UCS 6300", "UCS 6400", "Firepower 4100", "Firepower 9300",
+        "MDS 9000", "Nexus 1000V"
+    ]):
+        return
 
-    # Extract NX-OS version
-    match = re.search(r'NXOS:\s+version\s+([\w\.\(\)]+)', version_output, re.IGNORECASE)
+    match = re.search(r"NXOS:\s+version\s+([\w\.\(\)]+)", version_output, re.IGNORECASE)
     if not match:
-        return  # Unknown version, skip
+        return
 
     version = match.group(1)
 
     def parse_version(v):
-        return [int(x) if x.isdigit() else x for x in re.split(r'[\.\(\)I]+', v) if x]
+        return [int(x) if x.isdigit() else x for x in re.split(r"[.\(\)I]+", v) if x]
 
     v = parse_version(version)
-    is_vulnerable = False
-
-    if version.startswith("7.0.3") and 'I' in version:
-        is_vulnerable = v < parse_version("7.0.3.I7.10")
-    elif version.startswith("8.4"):
-        is_vulnerable = v < parse_version("8.4.5")
-    elif version.startswith("9.3"):
-        is_vulnerable = v < parse_version("9.3.8")
-
-    assert not is_vulnerable, (
+    is_safe = False
+
+    if v[:2] == parse_version("7.0")[:2]:
+        is_safe = v >= parse_version("7.0.3.I7.10")
+    elif v[:2] == parse_version("8.4")[:2]:
+        is_safe = v >= parse_version("8.4.5")
+    elif v[:2] == parse_version("9.3")[:2]:
+        is_safe = v >= parse_version("9.3.8")
+    elif v[:2] == parse_version("4.1")[:2]:
+        is_safe = v >= parse_version("4.1.3")
+    elif v[:2] == parse_version("4.2")[:2]:
+        is_safe = v >= parse_version("4.2.1")
+
+    assert is_safe, (
         f"Device {device.name or device.ipaddress or 'unknown'} is vulnerable to CVE-2022-20625. "
-        f"NX-OS version {version} with CDP enabled allows an adjacent attacker to crash the service or device. "
-        "Upgrade to a fixed release. "
+        "Upgrade to a fixed version or disable CDP globally where applicable. "
         "See: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cdp-dos-G8DPLWYG"
     )

CVEasy/Cisco/2022/cve202220650.py

@@ -1,37 +1,53 @@
 from comfy import high
+import re
 
 
 @high(
-    name='rule_cve202220650',
-    platform=['cisco_nxos'],
+    name="rule_cve202220650",
+    platform=["cisco_nxos"],
     commands=dict(
-        show_version='show version',
-        check_nxapi='show running-config | include feature nxapi'
+        show_version="show version",
+        show_feature_nxapi="show feature | include nxapi",
     ),
 )
 def rule_cve202220650(configuration, commands, device, devices):
     """
-    This rule checks for the CVE-2022-20650 vulnerability in Cisco NX-OS Software.
-    The vulnerability is due to insufficient input validation of user supplied data that is sent to the NX-API.
-    An authenticated, remote attacker could exploit this vulnerability by sending a crafted HTTP POST request
-    to the NX-API of an affected device, allowing them to execute arbitrary commands with root privileges.
-    Note: The NX-API feature is disabled by default.
+    CVE-2022-20650: NX-API command injection vulnerability in Cisco NX-OS
+    An authenticated attacker could exploit the NX-API feature to run arbitrary
+    OS commands as root due to improper input sanitization.
     """
-    # Extract the output of the command to check NX-API configuration
-    nxapi_output = commands.check_nxapi
 
-    # Check if NX-API is enabled
-    nxapi_enabled = 'feature nxapi' in nxapi_output
+    version_output = commands.show_version
+    nxapi_output = commands.show_feature_nxapi
 
-    # If NX-API is not enabled, device is not vulnerable
-    if not nxapi_enabled:
+    if "nxapi" not in nxapi_output or "enabled" not in nxapi_output:
         return
 
-    # Assert that the device is not vulnerable
-    assert not nxapi_enabled, (
-        f"Device {device.name} is vulnerable to CVE-2022-20650. "
-        "The device has NX-API enabled, which could allow an authenticated attacker "
-        "to execute arbitrary commands with root privileges through crafted HTTP POST requests. "
-        "For more information, see"
-        "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-nxapi-cmdinject-ULukNMZ2"
+    if not any(model in version_output for model in [
+        "Nexus 3000", "Nexus 5500", "Nexus 5600", "Nexus 6000", "Nexus 9000"
+    ]):
+        return
+
+    match = re.search(r"NXOS:\s+version\s+([\w\.\(\)]+)", version_output, re.IGNORECASE)
+    if not match:
+        return
+
+    version = match.group(1)
+
+    def parse_version(v):
+        return [int(x) if x.isdigit() else x for x in re.split(r"[.\(\)I]+", v) if x]
+
+    v = parse_version(version)
+    is_safe = False
+
+    if v[:2] == parse_version("7.0")[:2]:
+        is_safe = v >= parse_version("7.0.3.I7.10")
+    elif v[:2] == parse_version("9.3")[:2]:
+        is_safe = v >= parse_version("9.3.8")
+
+    assert is_safe, (
+        f"Device {device.name or device.ipaddress or 'unknown'} is vulnerable to CVE-2022-20650. "
+        "NX-API is enabled and the software version is unpatched. "
+        "See: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-"
+        "sa-nxos-nxapi-cmdinject-ULukNMZ2"
     )