Add more CVEasy examples (#124)

ottocoster · web-flow · commit eafc2b072784 · 2025-04-28T17:44:30.000+02:00
* Remove CVE folder

* Add CVEasy example

* Other example

* Linter

* Aruba

* Lint

* More vendors

* Fix linter errors

* Fix linter issues

* Fix linter issues

* Indent

* Indent (2)
diff --git a/CVEasy/Aruba/2024/cve20241356.py b/CVEasy/Aruba/2024/cve20241356.py
@@ -0,0 +1,51 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve20241356',
+    platform=['aruba_os'],
+    commands=dict(
+        show_version='show version',
+        show_cli_config='show cli-config'
+    ),
+)
+def rule_cve20241356(configuration, commands, device, devices):
+    """
+    This rule checks for CVE-2024-1356 vulnerability in ArubaOS Wi-Fi Controllers and Campus/Remote Access Points.
+    The vulnerability allows authenticated users to execute arbitrary commands as a privileged user through
+    command injection vulnerabilities in the CLI interface.
+    """
+    # Extract the version information from the command output
+    version_output = commands.show_version
+
+    # Define the vulnerable versions
+    vulnerable_versions = [
+        # ArubaOS 10.5.x.x versions
+        '10.5.0.0', '10.5.0.1',
+        # ArubaOS 10.4.x.x versions
+        '10.4.0.0', '10.4.0.1', '10.4.0.2', '10.4.0.3',
+        # ArubaOS 8.11.x.x versions
+        '8.11.0.0', '8.11.1.0', '8.11.2.0',
+        # ArubaOS 8.10.x.x versions
+        '8.10.0.0', '8.10.0.1', '8.10.0.2', '8.10.0.3', '8.10.0.4',
+        '8.10.0.5', '8.10.0.6', '8.10.0.7', '8.10.0.8', '8.10.0.9'
+    ]
+
+    # Check if the current version is vulnerable
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    # If version is not vulnerable, exit early
+    if not version_vulnerable:
+        return
+
+    # Check if CLI access is enabled
+    cli_config = commands.show_cli_config
+    cli_enabled = 'cli-config enabled' in cli_config
+
+    # Assert that the device is not vulnerable
+    assert not cli_enabled, (
+        f"Device {device.name} is vulnerable to CVE-2024-1356. "
+        "The device is running a vulnerable version with CLI access enabled, "
+        "which makes it susceptible to authenticated command injection attacks. "
+        "For more information, see https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-002.txt"
+    )
diff --git a/CVEasy/Cisco/2024/cve202420276.py b/CVEasy/Cisco/2024/cve202420276.py
@@ -0,0 +1,65 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202420276',
+    platform=['cisco_ios'],
+    commands=dict(
+        show_version='show version',
+        show_running_config='show running-config | include interface|port-security|device classifier|'
+                            'system-auth-control|port-control|mab'
+    ),
+)
+def rule_cve202420276(configuration, commands, device, devices):
+    """
+    This rule checks for the presence of CVE-2024-20276 vulnerability in Cisco Catalyst 6000 Series Switches.
+    The vulnerability is due to improper handling of process-switched traffic, which can be exploited by an
+    unauthenticated, adjacent attacker to cause a denial of service (DoS) condition by reloading the device.
+    """
+    # Extract the version information from the command output
+    version_output = commands.show_version
+
+    # List of vulnerable software versions
+    vulnerable_versions = [
+        # 15.5(1)SY versions
+        '15.5(1)SY5', '15.5(1)SY6', '15.5(1)SY7', '15.5(1)SY8',
+        '15.5(1)SY9', '15.5(1)SY10', '15.5(1)SY11'
+    ]
+
+    # Check if the current device's software version is in the list of vulnerable versions
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    # If version is not vulnerable, no need to check further
+    if not version_vulnerable:
+        return
+
+    # If version is vulnerable, check for enabled features
+    config_output = commands.show_running_config
+
+    # Check if port security is enabled
+    port_security_enabled = 'switchport port-security' in config_output
+
+    # Check if device classifier is enabled
+    device_classifier_enabled = 'device classifier' in config_output
+
+    # Check if AAA is enabled
+    aaa_enabled = any(keyword in config_output for keyword in [
+        'dot1x system-auth-control',
+        'authentication order',
+        'authentication priority',
+        'authentication port-control',
+        'mab'
+    ])
+
+    # If any of the above features are enabled, the device is vulnerable
+    is_vulnerable = port_security_enabled or device_classifier_enabled or aaa_enabled
+
+    # Assert that the device is not vulnerable
+    # If the device is vulnerable, the test will fail, indicating the presence of the vulnerability
+    assert not is_vulnerable, (
+        f"Device {device.name} is vulnerable to CVE-2024-20276. "
+        "The device is running a vulnerable version AND has port security, device classifier, or AAA enabled, "
+        "which makes it susceptible to DoS attacks. "
+        "For more information, see "
+        "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-dos-Hq4d3tZG"
+    )
diff --git a/CVEasy/Fortinet/2024/cve202423110.py b/CVEasy/Fortinet/2024/cve202423110.py
@@ -0,0 +1,43 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve202423110',
+    platform=['fortinet'],
+    commands=dict(
+        show_version='get system status'
+    ),
+)
+def rule_cve202423110(configuration, commands, device, devices):
+    """
+    This rule checks for the CVE-2024-23110 vulnerability in Fortinet FortiOS.
+    The vulnerability is a stack-based buffer overflow that allows an attacker to execute
+    unauthorized code or commands via specially crafted commands.
+    """
+    # Extract the version information from the command output
+    version_output = commands.show_version
+
+    # List of vulnerable software versions
+    vulnerable_versions = [
+        '7.4.0', '7.4.1', '7.4.2',
+        '7.2.0', '7.2.1', '7.2.2', '7.2.3', '7.2.4', '7.2.5', '7.2.6',
+        '7.0.0', '7.0.1', '7.0.2', '7.0.3', '7.0.4', '7.0.5', '7.0.6', '7.0.7', '7.0.8', '7.0.9', '7.0.10',
+        '7.0.11', '7.0.12', '7.0.13',
+        '6.4.0', '6.4.1', '6.4.2', '6.4.3', '6.4.4', '6.4.5', '6.4.6', '6.4.7', '6.4.8', '6.4.9', '6.4.10',
+        '6.4.11', '6.4.12', '6.4.13', '6.4.14',
+        '6.2.0', '6.2.1', '6.2.2', '6.2.3', '6.2.4', '6.2.5', '6.2.6', '6.2.7', '6.2.8', '6.2.9', '6.2.10',
+        '6.2.11', '6.2.12', '6.2.13', '6.2.14', '6.2.15',
+        '6.0.0', '6.0.1', '6.0.2', '6.0.3', '6.0.4', '6.0.5', '6.0.6', '6.0.7', '6.0.8', '6.0.9', '6.0.10',
+        '6.0.11', '6.0.12', '6.0.13', '6.0.14', '6.0.15', '6.0.16', '6.0.17', '6.0.18'
+    ]
+
+    # Check if the current device's software version is in the list of vulnerable versions
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    # Assert that the device is not vulnerable
+    assert not version_vulnerable, (
+        f"Device {device.name} is vulnerable to CVE-2024-23110. "
+        "The device is running a vulnerable version, which makes it susceptible to stack-based buffer"
+        "overflow attacks. For more information, see "
+        "https://fortiguard.com/psirt/FG-IR-23-460"
+    )
diff --git a/CVEasy/Juniper/2024/cve20242973.py b/CVEasy/Juniper/2024/cve20242973.py
@@ -0,0 +1,60 @@
+from comfy import high
+
+
+@high(
+    name='rule_cve20242973',
+    platform=['juniper_junos'],
+    commands=dict(
+        show_version='show version',
+        show_config_ha='show configuration | display set | match "high-availability"'
+    )
+)
+def rule_cve20242973(configuration, commands, device, devices):
+    """
+    This rule checks for CVE-2024-2973 vulnerability in Juniper Networks Session Smart Router (SSR),
+    Session Smart Conductor, and WAN Assurance Router. The vulnerability allows an unauthenticated,
+    network-based attacker to bypass authentication and take full control of devices in redundant
+    router deployments.
+
+    Args:
+        configuration (str): The full device configuration
+        commands (dict): Output of the executed commands
+        device: The current device object
+        devices: All devices in the test scope
+    """
+    # Extract version information
+    version_output = commands.show_version
+
+    # List of vulnerable software versions
+    vulnerable_versions = [
+        # SSR versions before 5.6.15
+        '5.6.14', '5.6.13', '5.6.12', '5.6.11', '5.6.10',
+        '5.6.9', '5.6.8', '5.6.7', '5.6.6', '5.6.5',
+        '5.6.4', '5.6.3', '5.6.2', '5.6.1', '5.6.0',
+        # 6.0 versions before 6.1.9-lts
+        '6.0.0', '6.0.1', '6.0.2', '6.0.3', '6.0.4',
+        '6.1.0', '6.1.1', '6.1.2', '6.1.3', '6.1.4',
+        '6.1.5', '6.1.6', '6.1.7', '6.1.8',
+        # 6.2 versions before 6.2.5-sts
+        '6.2.0', '6.2.1', '6.2.2', '6.2.3', '6.2.4'
+    ]
+
+    # Check if version is vulnerable
+    version_vulnerable = any(version in version_output for version in vulnerable_versions)
+
+    if not version_vulnerable:
+        return
+
+    # Check if high-availability is configured
+    ha_config = commands.show_config_ha
+    ha_enabled = 'high-availability' in ha_config
+
+    assert not ha_enabled, (
+        f"Device {device.name} is vulnerable to CVE-2024-2973. "
+        "The device is running a vulnerable version with high-availability configured. "
+        "This configuration can allow an attacker to bypass authentication and take full control. "
+        "Please upgrade to one of the following fixed versions: "
+        "SSR-5.6.15, SSR-6.1.9-lts, SSR-6.2.5-sts, or later. "
+        "For Conductor-managed deployments, upgrading Conductor nodes is sufficient. "
+        "For more information, see https://supportportal.juniper.net/JSA83126"
+    )
