Cisco Application Extension Platform (AXP) Privilege Escalation (cisco-sa-20100609-axp)

2013-09-27T00:00:00
ID CISCO-SA-20100609-AXP.NASL
Type nessus
Reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-04-02T00:00:00

Description

The remote Cisco Application Extension Platform (AXP) is affected by a privilege escalation vulnerability. The vulnerability could allow an authenticated user to gain administrative access to a vulnerable Cisco AXP module.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(70164);
  script_version("1.6");
  script_cvs_date("Date: 2019/09/26 15:14:18");

  script_cve_id( "CVE-2010-1572");
  script_bugtraq_id(40682);
  script_xref(name:"CISCO-BUG-ID", value:"CSCub85692");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20100609-axp");

  script_name(english:"Cisco Application Extension Platform (AXP) Privilege Escalation (cisco-sa-20100609-axp)");
  script_summary(english:"Check AXP model and version");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote host is running Cisco AXP, which is affected by a privilege
escalation vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote Cisco Application Extension Platform (AXP) is affected by a
privilege escalation vulnerability.  The vulnerability could allow an
authenticated user to gain administrative access to a vulnerable Cisco
AXP module."
  );
  script_set_attribute(attribute:"see_also", value:"https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20100609-axp.html");
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade to Cisco AXP version 1.1.7 or later.  Note: Cisco AXP version
1.1.5 may or may not be vulnerable depending upon the upgrade path used. 
Installs upgraded from version 1.0 or a clean installation are not
vulnerable.  Installs upgraded from version 1.1 are vulnerable.  Refer
to the vendor's advisory for upgrade steps."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/06/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/06/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/27");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:application_extension_framework");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/Cisco/show_software_version", "Settings/ParanoidReport");
  exit(0);
}

include("audit.inc");
include("cisco_func.inc");

application = "Cisco Application Extension Platform (AXP)";
showsoftware = get_kb_item_or_exit("Host/Cisco/show_software_version");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

version = "";

axp = egrep(pattern:"^Application eXtension Platform \(AXP\) version \([0-9.]+\).*", string:showsoftware);
if (axp)
{
  ## Application eXtension Platform (AXP) version (1.6.1)
  match =  eregmatch(pattern:".*version \(([0-9.]+)\)", string:axp);
  if (isnull(match)) exit(1, "The version of "+application+" - "+match+" - is non-numeric and, therefore, can not be used to make a determination.");
  version = match[1];
}
else audit(AUDIT_VER_FAIL, application);

notvuln = "1.0";
fixed = "1.1.6";

if (
  ver_compare(ver:version, fix:notvuln, strict:FALSE) == 0 ||
  ver_compare(ver:version, fix:fixed, strict:FALSE) >= 0
) audit(AUDIT_INST_VER_NOT_VULN, application, version);


# for 1.1 & upgraded from 1.1 to 1.1.5
report = NULL;

if (report_verbosity > 0)
{
    report =
    '\n  Installed release : ' + version +
    '\n  Fixed release     :  1.1.7 / 1.5.x' +
    '\n' +
    '\n  Note:  Users running AXP version 1.1.5 may or may not be' +
    '\n  vulnerable depending upon their upgrade path used.' +
    '\n  Those upgraded from version 1.0 or a clean installation' +
    '\n  are not vulnerable. Installs upgraded from version 1.1 are' +
    '\n  vulnerable. Refer to the vendor\'s advisory for upgrade steps.';
}
security_hole(port:0, extra:report);