ARRIS Touchstone DG950A SNMP Information Disclosure (CVE-2014-4863)

#TRUSTED 62adba98ace83815d59f7a95ecfc5affe91967037374a9e6cfaa8c1da8b617936f7bc5a77a6b2b23648acb9cb6f19e2e187815a7a5ec1e380684bff9e01a3ec7867e3dd5dbcd970f1a13e257219f8c564cfe43b97962681fc81c8e82bea04590ff9b42524627f45fa8f654ceecc179a8806f4cd9b54f50c5c8c703e2cac8cb7c740bfe18ad9ad7ec6f44ed20b19cf3da35b4239857a6f1bb0aeb3ab2993f8f3bd13f91537b000d231ce8f26855596ab59c4767adfea61f8a7a816f2d81abf90ce1a87b7f0db74cb4de06878fa7e2d95d77de297c645aa919578d06592b07b3a22f1c3af6c35a58d2b3c7f74fa754518830b60336652f5f4e53242e6e6af5a5f7ba43c4c53709572938160fa448dbfe5950fdc0703dcf48e6518ab15e1dcbaab7d73f801419db87be61806148793e65007b7d8e8e88cb89688c36949c71ee7c08930b529b7aae5ec0ee947bab1c3e8e0a4d2154d3d1a80b8683589b639c1f7b4e3de5b469111c8810589aa45093a667a34defaeadee24288d6d19899c0e7c436782be4e4827e28017a66530c7920b8d0dbfed16c789cbcaf498ada70140315dcfa9f18e052ea968aa20a3fdfe0512a5cfb451cdde63102e8d5b0714a832d9021bd52913227076fe27c8cf724e1c770f49a2fdb4b7333746e24fd4dd3a7524829a4d7737e67f63494d835c1358dc9eea09ce8d542c5298d41ffc2322f47d53aa69
#TRUST-RSA-SHA256 59a6bdc06a2629b004f28d6c8c6a156d41d411f4f1242624191136132ee83fc73ccfba96b13a25d54094f9659fdfc7b22817a54998bea426a441e01e2b9767959a8b2050ed0b4d47ac1489ff0d8efb58ba5994259df628af286a436cd1b1839133eaf32e508510623284faff87caa618147e0853737e55f9bc6d1d897ee0f15e3c5c41e2022b5da4d4e5c9e42c1683f0b63ce2dc82079cfbedc471f450ac8d86f5121bfff11798480a967bfcdb22c98fc3261eb587ba7e5099fc57c9ed2995179dda742eff5d31d6ac4e725c08789e0ce60e6a76e709d6ccc6625ae231d0ba959094d496c9c6eeedbbafaf33fa1cbfa05a286e161cf5a97c83f0592adf18c757872b254b319daff2a00b031cecaf810521c3bad1032c7ccfa364fff662c2a6c47fa2a3a3a0692ab36d689bd550304967d3b8c2f0f51abef64c5dd4389fe8dfccc36a8259a2e95ccc9fa033290d2fa6c59d8da24e99ee06a6e08eb34d23116f707c167260dd81fb685e13667269983dc8e53537b6eea5ddcf8af913d87f22404df9b82cf6d2faa57b795f5af6cc0ff37c8ae48894284f614f66205474ace0f117f24649e36d062c60cdc2749eb9f5f3fc61d84352c104a295bfb58e7490bb969533687f17c9be3e67eb8ead817ca0124def7a41cf3202d51f7ffca054b4e4ca9ef739fb9764c5bfa0f2c3f495159083e467583f64315858cb1e52b3626f16be6b
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(78921);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/08");

  script_cve_id("CVE-2014-4863");
  script_bugtraq_id(69631);
  script_xref(name:"CERT", value:"855836");

  script_name(english:"ARRIS Touchstone DG950A SNMP Information Disclosure (CVE-2014-4863)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is affected by an information disclosure
vulnerability.");
  script_set_attribute(attribute:"description", value:
"It is possible to read the plaintext password, SSID, and other
sensitive information from the remote ARRIS Touchstone cable modems
using an SNMP request.");
  script_set_attribute(attribute:"solution", value:
"Disable the SNMP service on the device.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-4863");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/08/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:arris:touchstone_dg950a");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SNMP");

  script_copyright(english:"This script is Copyright (C) 2014-2023 Tenable Network Security, Inc.");

  script_dependencies("arris_touchstone_cable_modem_detect.nbin", "snmp_default_communities.nasl");
  script_require_keys("Host/Arris/Touchstone/model");
  script_require_ports("SNMP/community", "SNMP/default/community");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("snmp_func.inc");
include("misc_func.inc");
include("string.inc");

# Jump out if no public community
community = get_kb_item("SNMP/community");
if (isnull(community) || community != "public")
{
  community = join(sep:" ", get_kb_list_or_exit("SNMP/default/community"));
  if (community !~ "public\s?") exit(0, "Device does not respond to the public community");
}

device    = "Arris Touchstone Cable Modem";
community = "public";  # It's specifically the public community
model     = get_kb_item_or_exit("Host/Arris/Touchstone/model");

# Limit to just this model
if ("DG950A" >!< model && !thorough_tests) audit(AUDIT_HOST_NOT, device+" DG950A");

port = get_kb_item("SNMP/port");
if (isnull(port)) port = 161;

# Port / Sock checks
if (!get_udp_port_state(port)) audit(AUDIT_PORT_CLOSED, port);

soc = open_sock_udp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);

# Try the request
password = snmp_request(socket:soc, community:community, oid:"1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0");
ssid     = snmp_request(socket:soc, community:community, oid:"1.3.6.1.4.1.4115.1.20.1.1.3.22.1.2.12");

if (!isnull(password) || !isnull(ssid))
{
  if (report_verbosity > 0)
  {
    report =
    '\n' + 'The following information was obtained from the device : ';
    if (!isnull(password)) report +=
    '\n' + '  Password : '+mask_string(password,mask_length:0);
    if (!isnull(ssid)) report +=
    '\n' + '  SSID     : '+ssid;
    security_warning(port:port, extra:report+'\n', protocol:"udp");
  }
  else security_warning(port:port, protocol:"udp");
}
else audit(AUDIT_DEVICE_NOT_VULN, device);