Cisco Firepower Threat Defense Device Manager Web UI Request Handling Arbitrary Log Entry Injection (cisco-sa-20170201-fpw2)

2017-04-14T00:00:00
ID CISCO-SA-20170201-FPW2.NASL
Type nessus
Reporter Tenable
Modified 2017-05-30T00:00:00

Description

According to its version and configuration, the Cisco Firepower Threat Defense (FTD) software installed on the remote device is affected by an arbitrary log entry injection vulnerability in the Firepower Device Manager (FDM) due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request to the web UI, to add arbitrary entires and false alarms to the audit log.

                                        
                                            #TRUSTED 1eaa2fe091008ce6b02bb833587630386088e38192fb3df9a390d6c46e188dbdf6cb3edbde0262a049e852daa2e4c79c5e73dfec6ef4f8c8124945af00238d19a5fc3acee524d5a7d79267c9b33e143667844b266312f38f3451978ed6af4050ba09327cdf5bc136897b5ff138229ae84d6879227047b8f3c0f8c8aceb92c5fb73cf616819a9eb47ef61f7b20a352ef425f133c24ab797d26e227e8c909fae8e7306f770e2c61a33f89bb383b1176c6f049652fa9526b8fd827743cfd93665ec950f41036bf1bdb88962d9d7e196e2ba54dd241d5c94940ce0e09fe1cccbcf89e1b300c8ddf1b189a2e8a67f142021f8029c84a5356cd196e3d0dd101fc7b281d76caf9fd9a69060c2eb71957ae63b27a78cffb68c3767afc0c8f4eac525db648142e357bc411e2930497b70ae085dc0279f320efdd1b0ca5022311bd8e794863b569ade48475e177fcc8c32a1e542857da655904e89ffaa315e5202f16c3324d2f59dac1bb5bac3802ad4384d1b466dea4c97213e699918cdb86c0d8060a604705c18970b809441ba35de77ad6ddf045bf45353af181856ccfc1a24d24e4516dfe5e39be97892c45bf56d9d842358efd69d31fa471c1684a06c2014cc64ce0b15c84fde0fdafbcaa185569d0b4b1363ebdd24c28ed15988b477b5abbd75e332956653fe491667aad6041c56841e3fdeca87469c5dc62fcf1bf96f6bc7a8d8d0
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99400);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2017/05/30");

  script_cve_id("CVE-2017-3822");
  script_bugtraq_id(95944);
  script_osvdb_id(151287);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvb86860");
  script_xref(name:"IAVB", value:"2017-B-0019");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170201-fpw2");
  
  script_name(english:"Cisco Firepower Threat Defense Device Manager Web UI Request Handling Arbitrary Log Entry Injection (cisco-sa-20170201-fpw2)");
  script_summary(english:"Checks the version of Cisco Firepower System.");

  script_set_attribute(attribute:"synopsis", value:
"The packet inspection software installed on the remote host is
affected by an arbitrary log entry injection vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its version and configuration, the Cisco Firepower Threat
Defense (FTD) software installed on the remote device is affected by
an arbitrary log entry injection vulnerability in the Firepower Device
Manager (FDM) due to improper validation of user-supplied input. An
unauthenticated, remote attacker can exploit this, via a specially
crafted request to the web UI, to add arbitrary entires and false
alarms to the audit log.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170201-fpw2
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e8709094");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCvb86860.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/02/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/02/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/14");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type",value:"local");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:cisco:firepower_threat_defense");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2017 Tenable Network Security, Inc.");

  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
  script_require_keys("Host/Cisco/ASA", "Host/Cisco/ASA/model", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");
include("obj.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

show_ver = get_kb_item_or_exit('Host/Cisco/show_ver');
model = get_kb_item_or_exit('Host/Cisco/ASA/model');

# Affected Models:
# 5506-X
# 5506W-X
# 5506H-X
# 5508-X
# 5512-X
# 5515-X
# 5516-X
# 5525-X
# 5545-X
# 5555-X
if (
  model !~ '^5506[WH]?-X' &&
  model !~ '^5508-X' &&
  model !~ '^551[256]-X' &&
  model !~ '^5525-X' &&
  model !~ '^5545-X' &&
  model !~ '^5555-X'
) audit(AUDIT_HOST_NOT, "an affect Cisco ASA product model");

flag = 0;
override = 0;

fdm_ver = pregmatch(string:show_ver, pattern:"\s*Model\s*:\s+Cisco.*Threat\s+Defense.*Version\s+([0-9.]+)");

if (isnull(fdm_ver)) audit(AUDIT_HOST_NOT, "affected");

if (fdm_ver[1] =~ "^6\.1\.")
  flag= 1;

cmds = make_list();
if (get_kb_item("Host/local_checks_enabled"))
{
  if (flag)
  {
    flag = 0;
    buf = cisco_command_kb_item("Host/Cisco/Config/show_managers", "show managers");
    if (check_cisco_result(buf))
    {
      # Vulnerable if managed locally
      if (preg(pattern:"^\s*Managed locally", multiline:TRUE, string:buf))
      {
        flag = 1;
        cmds = make_list(cmds, "show managers");
      }
    } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; }
  }
}

if (flag)
{
  security_report_cisco(
    port     : 0,
    severity : SECURITY_WARNING,
    override : override,
    version  : fdm_ver[1],
    bug_id   : "CSCvb86860",
    cmds     : cmds
  );
} else audit(AUDIT_HOST_NOT, "affected");