Cisco Secure Access Control (cisco-sa-20180502-acs1)
2018-06-07T00:00:00
ID CISCO-SA-20180502-ACS1.NASL Type nessus Reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2021-03-02T00:00:00
Description
The version of Cisco Secure Access Control System (ACS) running on the
remote host is prior to 5.8.0.32.7 Cumulative Patch. It is, therefore,
affected by a flaw in the ACS Report component that is triggered when
handling specially crafted Action Message Format (AMF) messages.
This may allow a remote attacker to execute arbitrary
code.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration block: when `description` is set, the script only declares
# its metadata and leaves through the exit(0) at the end of this block, so
# none of the version-check code further down runs in this branch.
if (description)
{
# Plugin identity and revision bookkeeping.
script_id(110399);
script_version("1.3");
script_cvs_date("Date: 2019/11/04");
# Cross-references that tie a finding back to the CVE, the Bugtraq entry,
# the Cisco bug ID and the Cisco security advisory.
script_cve_id("CVE-2018-0253");
script_bugtraq_id(104075);
script_xref(name:"CISCO-BUG-ID", value:"CSCve69037");
script_xref(name:"CISCO-SA", value:"cisco-sa-20180502-acs1");
script_name(english:"Cisco Secure Access Control (cisco-sa-20180502-acs1)");
# The summary states the scope honestly: this plugin checks a version
# number; it does not exercise the AMF handling described below.
script_summary(english:"Checks the ACS version.");
script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a vendor-supplied security patch.");
script_set_attribute(attribute:"description", value:
"The version of Cisco Secure Access Control System (ACS) running on the
remote host is prior to 5.8.0.32.7 Cumulative Patch. It is, therefore,
affected by a flaw in the ACS Report component that is triggered when
handling specially crafted Action Message Format (AMF) messages.
This may allow a remote attacker to potentially execute arbitrary
code.");
# The see_also values are shortened nessus.org links; the comment above each
# one records the full destination so the reference can be audited without
# following the redirect.
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-acs1
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4a07297b");
# https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve69037
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fb65122e");
script_set_attribute(attribute:"solution", value:
"Upgrade to version 5.8.0.32.7 Cumulative Patch or later.");
# Severity scoring. Both base vectors describe a network-reachable,
# low-complexity issue that needs no authentication/privileges and has full
# confidentiality, integrity and availability impact. Both temporal vectors
# record an unproven exploit (E:U), an official fix (RL:OF / RL:O) and a
# confirmed report (RC:C).
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
# Consistent with the E:U temporal metric above.
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
# Disclosure and patch share a date; the plugin followed about five weeks later.
script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/02");
script_set_attribute(attribute:"patch_publication_date", value:"2018/05/02");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/07");
# NOTE(review): "local" suggests the version is gathered on the host by the
# dependency below rather than by a network probe from this plugin - confirm
# against cisco_secure_acs_version.nasl. If so, hosts scanned without that
# data produce no finding here, which is not the same as "not vulnerable".
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:secure_access_control_system");
script_end_attributes();
# Information-gathering category: the plugin itself sends nothing intrusive.
script_category(ACT_GATHER_INFO);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Scheduling prerequisites: the version-collection plugin is declared as a
# dependency, and both knowledge-base keys read by the check are required.
script_dependencies("cisco_secure_acs_version.nasl");
script_require_keys("Host/Cisco/ACS/Version", "Host/Cisco/ACS/DisplayVersion");
# Registration ends here; the detection code after this block is not reached.
exit(0);
}
include("audit.inc");
include("cisco_func.inc");
# Detection logic. This block is a pure version comparison: it reads two
# values from the knowledge base and compares one of them with the fixed
# build. It never talks to the ACS Report component, so a finding is only as
# accurate as the version recorded under these keys.
installed_version = get_kb_item_or_exit("Host/Cisco/ACS/Version");
reported_version = get_kb_item_or_exit("Host/Cisco/ACS/DisplayVersion");

# Build named as the fix in this plugin's description and solution text.
fixed_version = '5.8.0.32.7';

# A negative result is treated as "installed build is older than the fix".
cmp_result = ver_compare(ver:installed_version, fix:fixed_version, strict:FALSE);

if (cmp_result < 0)
{
  # Older build: report it, showing the display form of the version.
  security_report_cisco(
    port     : 0,
    severity : SECURITY_HOLE,
    version  : reported_version,
    bug_id   : "CSCve69037",
    fix      : fixed_version
  );
}
else
{
  # Fixed build or newer: record an audit trail entry instead of a finding.
  audit(AUDIT_INST_VER_NOT_VULN, 'Secure ACS', reported_version);
}
{"id": "CISCO-SA-20180502-ACS1.NASL", "bulletinFamily": "scanner", "title": "Cisco Secure Access Control (cisco-sa-20180502-acs1)", "description": "The version of Cisco Secure Access Control System (ACS) running on the\nremote host is prior to 5.8.0.32.7 Cumulative Patch. It is, therefore, \naffected by a flaw in the ACS Report component that is triggered when\n handling specially crafted Action Message Format (AMF) messages. \nThis may allow a remote attacker to potentially execute arbitrary \ncode.", "published": "2018-06-07T00:00:00", "modified": "2021-03-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/110399", "reporter": "This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?fb65122e", "http://www.nessus.org/u?4a07297b"], "cvelist": ["CVE-2018-0253"], "type": "nessus", "lastseen": "2021-03-01T01:40:22", "edition": 26, "viewCount": 12, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-0253"]}, {"type": "cisco", "idList": ["CISCO-SA-20180502-ACS1"]}, {"type": "ptsecurity", "idList": ["PT-2018-27"]}], "modified": "2021-03-01T01:40:22", "rev": 2}, "score": {"value": 7.1, "vector": "NONE", "modified": "2021-03-01T01:40:22", "rev": 2}, "vulnersScore": 7.1}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110399);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\"CVE-2018-0253\");\n script_bugtraq_id(104075);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCve69037\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20180502-acs1\");\n\n script_name(english:\"Cisco Secure Access Control (cisco-sa-20180502-acs1)\");\n script_summary(english:\"Checks the ACS version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a 
vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Cisco Secure Access Control System (ACS) running on the\nremote host is prior to 5.8.0.32.7 Cumulative Patch. It is, therefore, \naffected by a flaw in the ACS Report component that is triggered when\n handling specially crafted Action Message Format (AMF) messages. \nThis may allow a remote attacker to potentially execute arbitrary \ncode.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-acs1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4a07297b\");\n # https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve69037\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fb65122e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 5.8.0.32.7 Cumulative Patch or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:secure_access_control_system\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_secure_acs_version.nasl\");\n script_require_keys(\"Host/Cisco/ACS/Version\", \"Host/Cisco/ACS/DisplayVersion\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_func.inc\");\n\nver = get_kb_item_or_exit(\"Host/Cisco/ACS/Version\");\ndisplay_ver = get_kb_item_or_exit(\"Host/Cisco/ACS/DisplayVersion\");\n\nfix = '5.8.0.32.7';\n\nif ( ver_compare(ver:ver, fix:fix, strict:FALSE) < 0 )\n{\n security_report_cisco(\n port : 0,\n severity : SECURITY_HOLE,\n version : display_ver,\n bug_id : \"CSCve69037\",\n fix : fix\n );\n}\nelse\n audit(AUDIT_INST_VER_NOT_VULN, 'Secure ACS', display_ver);\n", "naslFamily": "CISCO", "pluginID": "110399", "cpe": ["cpe:/a:cisco:secure_access_control_system"], "scheme": null, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}
{"cve": [{"lastseen": "2021-02-02T06:52:21", "description": "A vulnerability in the ACS Report component of Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected system. Commands executed by the attacker are processed at the targeted user's privilege level. The vulnerability is due to insufficient validation of the Action Message Format (AMF) protocol. An attacker could exploit this vulnerability by sending a crafted AMF message that contains malicious code to a targeted user. A successful exploit could allow the attacker to execute arbitrary commands on the ACS device. This vulnerability affects all releases of Cisco Secure ACS prior to Release 5.8 Patch 7. Cisco Bug IDs: CSCve69037.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-02T22:29:00", "title": "CVE-2018-0253", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0253"], "modified": "2019-10-09T23:31:00", "cpe": ["cpe:/a:cisco:secure_access_control_system:5.8\\(0.8\\)", "cpe:/a:cisco:secure_access_control_system:5.8"], 
"id": "CVE-2018-0253", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0253", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:cisco:secure_access_control_system:5.8:p4:*:*:*:*:*:*", "cpe:2.3:a:cisco:secure_access_control_system:5.8:p6:*:*:*:*:*:*", "cpe:2.3:a:cisco:secure_access_control_system:5.8:p3:*:*:*:*:*:*", "cpe:2.3:a:cisco:secure_access_control_system:5.8:p2:*:*:*:*:*:*", "cpe:2.3:a:cisco:secure_access_control_system:5.8:p1:*:*:*:*:*:*", "cpe:2.3:a:cisco:secure_access_control_system:5.8\\(0.8\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:secure_access_control_system:5.8:*:*:*:*:*:*:*"]}], "cisco": [{"lastseen": "2020-12-24T11:41:00", "bulletinFamily": "software", "cvelist": ["CVE-2018-0253"], "description": "A vulnerability in the ACS Report component of Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected system. Commands executed by the attacker are processed at the targeted user's privilege level.\n\nThe vulnerability is due to insufficient validation of the Action Message Format (AMF) protocol. An attacker could exploit this vulnerability by sending a crafted AMF message that contains malicious code to a targeted user. A successful exploit could allow the attacker to execute arbitrary commands on the ACS device.\n\nCisco has released software updates that address this vulnerability. 
There are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-acs1 [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-acs1\"]", "modified": "2018-05-02T14:52:40", "published": "2018-05-02T16:00:00", "id": "CISCO-SA-20180502-ACS1", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-acs1", "type": "cisco", "title": "Cisco Secure Access Control System Remote Code Execution Vulnerability", "cvss": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "ptsecurity": [{"lastseen": "2020-06-11T19:05:25", "bulletinFamily": "info", "cvelist": ["CVE-2018-0253"], "description": "# PT-2018-27: Arbitrary Command Execution in Cisco Secure ACS\n\n**Vulnerable product**\n\nCisco ACS \nVersion: 5.8.0.32.6 and earlier \n\nLink: \n[https://www.cisco.com/](<https://www.cisco.com/c/en/us/products/security/secure-access-control-system/index.html>)\n\n**Severity level**\n\nSeverity level: High \nImpact: Remote command execution \nAccess Vector: Remote \n\n\nCVSS v3: \nBase Score: 9.8 \nVector: (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\nCVE: CVE-2018-0253 \n\n**Vulnerability description**\n\nThe specialists of the Positive Research center have detected an Arbitrary Command Execution vulnerability in Cisco Secure ACS. \n\nA vulnerability in Cisco Secure Access Control System (ACS), due to insufficient validation of the Action Message Format (AMF) protocol, allows unauthenticated, remote attackers to execute arbitrary commands on the ACS device by sending a crafted AMF message that contains malicious code. 
\n\n**How to fix**\n\nUse vendor's advisory: \n<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-acs1>\n\n**Advisory status**\n\n01.06.2017 - Vendor gets vulnerability details \n02.05.2018 - Vendor releases fixed version and details \n11.12.2018 - Public disclosure \n\n**Credits**\n\nThe vulnerability was detected by Mikhail Klyuchnikov, Yury Aleynov, Positive Research Center (Positive Technologies Company) \n\n**References**\n\n<http://en.securitylab.ru/lab/PT-2018-27> \n\n\nReports on the vulnerabilities previously discovered by Positive Research: \n\n[https://www.ptsecurity.com/](<https://www.ptsecurity.com/ww-en/analytics/threatscape/>) \n<https://en.securitylab.ru/lab/>\n\n**About Positive Technologies**\n\nPositive Technologies is a leading digital security firm with over 15 years of experience in 360\u00b0 protection of critical IT systems against the most advanced cyberthreats. State-of-the-art solutions are developed at the company's research center\u2014one of the largest in Europe. Positive Technologies experts have helped to identify and fix over 250 zero-day vulnerabilities in products from Cisco, Google, Honeywell, Huawei, Microsoft, Oracle, SAP, Schneider Electric, Siemens, and others, earning a reputation for world-class expertise in protection of devices and infrastructures at all scales from ATMs to nuclear power stations. Findings by Positive Technologies researchers are used for updating the MaxPatrol knowledge base and for development of security solutions including PT Application Firewall, PT Application Inspector, MaxPatrol. These products allow securing web applications, evaluating network protection, blocking attacks in real time, ensuring compliance with industry and national standards, and training security specialists. Positive Technologies is the organizer of the annual Positive Hack Days international forum and security competition. 
\n\n", "edition": 1, "modified": "1970-01-01T00:00:00", "published": "2018-11-12T00:00:00", "id": "PT-2018-27", "href": "https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2018-27/", "title": "PT-2018-27: Arbitrary Command Execution in Cisco Secure ACS", "type": "ptsecurity", "cvss": {}}]}