Cisco IOS XE Software CLI Command Injection Multiple Vulnerabilities (cisco-sa-20180328-cmdinj)

2019-12-13T00:00:00
ID CISCO-SA-20180328-CMDINJ.NASL
Type nessus
Reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-02-02T00:00:00

Description

According to its self-reported version, Cisco IOS XE Software is affected by multiple vulnerabilities in the CLI parser because the affected software does not sufficiently sanitize command arguments before passing commands to the Linux shell for execution. An authenticated, local attacker can exploit this, by submitting a malicious CLI command, in order to gain access to the underlying Linux shell of an affected device and execute commands with root privileges on the device.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

# Plugin registration block. When the scanner loads this script with
# `description` set, only the metadata below is registered and the script
# exits (exit(0) at the end of the block) before any check logic runs.
if (description)
{
  script_id(132052);
  script_version("1.4");
  script_cvs_date("Date: 2019/12/16");

  # The four CVEs this plugin reports under advisory cisco-sa-20180328-cmdinj.
  script_cve_id(
    "CVE-2018-0182",
    "CVE-2018-0185",
    "CVE-2018-0193",
    "CVE-2018-0194"
  );
  script_bugtraq_id(103547);
  # Cisco bug IDs tracked for this advisory; the same four IDs are repeated in
  # the solution text below and in the reporting array built after this block.
  script_xref(name:"CISCO-BUG-ID", value:"CSCuz03145");
  script_xref(name:"CISCO-BUG-ID", value:"CSCuz56419");
  script_xref(name:"CISCO-BUG-ID", value:"CSCva31971");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvb09542");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180328-cmdinj");

  script_name(english:"Cisco IOS XE Software CLI Command Injection Multiple Vulnerabilities (cisco-sa-20180328-cmdinj)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  # The description states the root cause (CLI arguments reach the Linux shell
  # without sufficient sanitization), the precondition (authenticated, local
  # attacker) and the impact (commands executed as root). Its last paragraph
  # tells the reader that the result comes from the self-reported version only.
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected by multiple vulnerabilities in the CLI parser
because the affected software does not sufficiently sanitize command arguments before passing commands to the Linux
shell for execution. An authenticated, local attacker can exploit this, by submitting a malicious CLI command, in order
to gain access to the underlying Linux shell of an affected device and execute commands with root privileges on the
device.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-cmdinj
  # (the nessus.org short link on the next line stands for the advisory URL above)
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e07f0cfe");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz03145");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz56419");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva31971");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb09542");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s) CSCuz03145, CSCuz56419, CSCva31971, and CSCvb09542.");
  # Both base vectors are local (AV:L) with complete/high C, I and A impact.
  # The v2 vector carries Au:N while the v3 vector carries PR:L: in CVSS v2 the
  # Au metric for a local vector only counts authentication needed beyond
  # logging in to the system, so Au:N does not contradict the "authenticated,
  # local attacker" wording in the description.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  # Temporal metrics: exploit unproven (E:U) with an official fix available,
  # consistent with the exploitability_ease string set below.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  # Of the four CVEs, this one is named as the source of the scores above.
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0182");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/13");

  # Flagged as a potential vulnerability: the check compares version strings
  # only, and the plugin also requires Settings/ParanoidReport (see
  # script_require_keys below), so a hit needs confirmation on the device.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  # NOTE(review): "local" presumably means the result is derived from data
  # collected on the host rather than from a remote probe — confirm.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  # Information-gathering category.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The plugin needs a recorded IOS XE version and the paranoid-report setting.
  # NOTE(review): presumably cisco_ios_xe_version.nasl is what populates
  # Host/Cisco/IOS-XE/Version — confirm against that script.
  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version", "Settings/ParanoidReport");

  # Registration only: stop here so the check logic below is not executed.
  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');
include('audit.inc');

# Check logic: a pure version comparison, reported only in paranoid mode.
# Anything below 2 for report_paranoia ends the script with the
# AUDIT_PARANOID audit message instead of a finding.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Product details for the scanned device; this script itself reads only the
# 'version' entry and passes the whole structure on to check_and_report().
product_info = cisco::get_product_info(name:'Cisco IOS XE Software');

# Single affected release range for all four bug IDs.
# NOTE(review): presumably min_ver is inclusive and fix_ver exclusive
# (16.1 <= version < 16.3.2) — confirm against the comparison in ccf.inc.
vuln_ranges = [{ 'min_ver' : '16.1', 'fix_ver' : '16.3.2' }];

# The 'no_workaround' entry is selected and no workaround parameters are
# supplied. NOTE(review): presumably this means no device configuration is
# inspected, so the verdict rests on the version string alone — confirm in
# cisco_workarounds.inc.
workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
workaround_params = make_list();

# Report fields: port 0, severity SECURITY_HOLE, the detected version and the
# four Cisco bug IDs, matching the script_xref entries in the description block.
reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_HOLE,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCuz03145, CSCuz56419, CSCva31971, CSCvb09542'
);

# Hands the version comparison and report generation to the shared Cisco
# helper; nothing is sent to the device's CLI from this script.
cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_ranges:vuln_ranges
);