Cisco IOS XE Software Shell Access Authentication Bypass (cisco-sa-20180926-shell-access)

2019-04-05T00:00:00
ID CISCO-SA-20180926-SHELL-ACCESS.NASL
Type nessus
Reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-02-02T00:00:00

Description

According to its self-reported version, Cisco IOS XE Software is affected by the following vulnerability:

  • An authentication bypass in the shell access request mechanism. An attacker who already has authenticated access to the device could exploit this to bypass the authentication on shell access requests and gain root access to the system. (CVE-2018-15371)

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

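# Plugin registration. This branch runs when the `description` flag is set:
# it records the plugin's identifiers, references, scoring and dependencies,
# then exits before any of the check logic below it is reached.
#
# Detection is version based ("Checks the IOS XE version."): the result is
# derived from the version the device reports about itself, so a finding
# means "listed release", not "exploitation confirmed".
if (description)
{
  script_id(123788);
  script_version("1.4");
  script_cvs_date("Date: 2019/10/31 15:18:51");

  # Cross-references used to correlate this finding with vendor and
  # vulnerability-management records.
  script_cve_id("CVE-2018-15371");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvb79289");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180926-shell-access");
  script_xref(name:"IAVA", value:"2019-A-0097");

  script_name(english:"Cisco IOS XE Software Shell Access Authentication Bypass (cisco-sa-20180926-shell-access)");
  script_summary(english:"Checks the IOS XE version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected
by the following vulnerability:

  - An Authentication bypass in the shell access request 
    mechanism. An authenticated attacker could exploit this 
    in order to bypass authentication and gain root access 
    to the system. (CVE-2018-15371)");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-shell-access
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c0b2b2c9");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb79289");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s)
CSCvb79289.");

  # NOTE(review): the CVSS v2 vector says no authentication is required
  # (Au:N) while the CVSS v3 vector says high privileges are required (PR:H)
  # and the description speaks of an authenticated attacker. Both vectors are
  # attributed to the CVE record (cvss_score_source below) -- confirm against
  # that record before relying on either score for prioritisation.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-15371");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/09/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  # Fixed: the value previously carried the "cpe:/o:" prefix twice
  # ("cpe:/o:cpe:/o:cisco:ios_xe"), which is not a well-formed CPE URI and
  # would not match anything keyed on the IOS XE CPE.
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  # ACT_GATHER_INFO: the plugin is registered as an information-gathering
  # check.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The version key is produced by the dependency; without it this plugin
  # has nothing to evaluate.
  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}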

include("audit.inc");
include("cisco_workarounds.inc");
include("ccf.inc");

# Product details for the detected IOS XE install; 'version' is read from
# this later when the report is built.
product_info = cisco::get_product_info(name:"Cisco IOS XE Software");

# The hardware family is matched here with regular expressions because ccf
# only works from an explicit version list. Series the check is meant to
# cover:
#
#   4000 Series Integrated Services Routers
#   ASR 900 Series Aggregation Services Routers
#   ASR 1000 Series Aggregation Services Routers
#   Cloud Services Router 1000V Series
#   Integrated Services Virtual Router
#
# NOTE(review): no pattern below is obviously aimed at the Integrated
# Services Virtual Router; a device whose model string matches none of them
# is audited as not vulnerable, so confirm what model string that platform
# reports. The "^ASR9\d{3}" pattern also accepts four-digit ASR9xxx names
# that the series list does not mention -- confirm that is intended.
#
# The script exits here if the model was never recorded in the KB.
model = get_kb_item_or_exit("Host/Cisco/IOS-XE/Model");

# Stop with a "device not vulnerable" audit unless at least one family
# pattern matches the reported model.
if (!(
    model =~ "^ASR9\d{2}([^0-9]|$)"  ||
    model =~ "^ASR1k"                ||
    model =~ "^ASR10\d{2}([^0-9]|$)" ||
    model =~ "^ASR9\d{3}([^0-9]|$)"  ||
    model =~ "^ISR4\d{3}([^0-9]|$)"  ||
    model =~ "^CSR10\d{2}([^0-9]|$)"
))
  audit(AUDIT_DEVICE_NOT_VULN, model);

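# Explicit list of IOS XE releases treated as affected; it is handed to
# cisco::check_and_report() as vuln_versions. Entries must be exact release
# strings: the "3.17.2S" entry previously carried a trailing space
# ("3.17.2S "), which would keep a device reporting 3.17.2S from matching
# unless the comparison happens to trim whitespace, giving a false negative.
version_list = make_list(
  "3.17.0S",
  "3.17.1aS",
  "3.17.1S",
  "3.17.2S",
  "3.17.3S",
  "3.17.4S",
  "3.18.0aS",
  "3.18.0S",
  "3.18.0SP",
  "3.18.1aSP",
  "3.18.1bSP",
  "3.18.1cSP",
  "3.18.1gSP",
  "3.18.1hSP",
  "3.18.1iSP",
  "3.18.1S",
  "3.18.1SP",
  "3.18.2aSP",
  "3.18.2S",
  "3.18.2SP",
  "3.18.3aSP",
  "3.18.3bSP",
  "3.18.3S",
  "3.18.3SP",
  "3.18.4S",
  "3.18.4SP",
  "3.2.0JA",
  "16.2.1",
  "16.2.2",
  "16.3.1",
  "16.3.1a",
  "16.9.1b"
);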

# Fields for the finding: port 0, reported as SECURITY_HOLE, with the
# detected version, the Cisco bug ID and the command list to include.
reporting = make_array(
  'port',     0,
  'severity', SECURITY_HOLE,
  'version',  product_info['version'],
  'bug_id',   "CSCvb79289",
  'cmds',     make_list("show running-config")
);

# Configuration check(s) evaluated together with the version match.
# NOTE(review): only the 'smart_license' entry is passed; how it relates to
# the shell access request mechanism is not visible in this file -- confirm
# in cisco_workarounds.inc that it is the right condition for this advisory.
workarounds = make_list(CISCO_WORKAROUNDS['smart_license']);

# Compare the detected release with the affected list and emit the report.
cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  reporting:reporting,
  vuln_versions:version_list
);