Cisco Web Security Appliance Decryption Policy Bypass Vulnerability (cisco-sa-20190206-wsa-bypass)

2020-02-25T00:00:00
ID CISCO-SA-20190206-WSA-BYPASS.NASL
Type nessus
Reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-02-25T00:00:00

Description

According to its self-reported version, Cisco Web Security Appliance (WSA) is affected by a decryption policy bypass vulnerability. An unauthenticated, remote attacker can bypass a configured drop policy and allow unauthorized traffic onto the network. Please see the included Cisco BIDs and Cisco Security Advisory for more information

                                        
                                            #TRUSTED 9445d5b7f8cef97baeb18b401de4f796c59d7323bd0ac2c3892bd9166450ed727ca4808fa691301b2eed1e75ddaccb2e0faf8dccb4405febdbe31842989f0aa62de489e44b35e739fd6d95ae30d002f78064224c52615bd34551c6c0ac59766edb59366375b2ce13e0a4973cc28cb83a535ac931db31d93e29fa95c0e8116174d650a9619698da32a235d5a3b65b10dc6ade7aee8fe45b52bd9619a441120e108873b66cd2e32546243fca8ba660f3c5b7822ddb0005fc47b800add348001869d78b0a88e0e6451a155cc0a9804d12b9bd190db10624c84bd97c9c20bb512efec183cdcf7a36da29c193fe0c45d32acfc2635dc4aecde2c2f17f7a49958a6a4a1970b086fb104a3f8ef64f7856b60e585c2f58e7f87dd72ddf3f89c6e914567aa0133e10adf34b1c78e5b51a793fde7b2dc2aeda5f54e37c6e755b176b3ad381e7022b350a9504059751b9c41760644f759b36b335d0c63793d81900765677dc50b9cdacebfd8da5e7e9f11ff8fa032f22bff6a599c73c9324e47d994ce26429f53b03c86742daef5dc8b3bbeb432008031b6e17207cf0ef2acbe059f1ff9ae227b1502010545c4b3fa0b303db250d5010b798c54e594414cdb6e0f5d27914a9c5b8a09ef79422600234b137854488fc7a721c347f3e4cfccd7798aa077dc2d0ecf38b6ecbf22b57ab8399267678473149927e18e66aa60b6020467f488a2ea9
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(133958);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/27");

  script_cve_id("CVE-2019-1672");
  script_bugtraq_id(106904);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvm91630");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20190206-wsa-bypass");
  script_xref(name:"IAVA", value:"2019-A-0219");

  script_name(english:"Cisco Web Security Appliance Decryption Policy Bypass Vulnerability (cisco-sa-20190206-wsa-bypass)");
  script_summary(english:"Checks the version of Cisco Web Security Appliance (WSA)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco Web Security Appliance (WSA) is 
affected by a decryption policy bypass vulnerability. An unauthenticated,
remote attacker can bypass a configured drop policy and allow unauthorized traffic 
onto the network. Please see the included Cisco BIDs and Cisco Security 
Advisory for more information");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-wsa-bypass
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?07bd84fe");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm91630");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvm91630");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1672");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(400);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/02/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/25");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:web_security_appliance_(wsa)");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_wsa_version.nasl");
  script_require_keys("Host/AsyncOS/Cisco Web Security Appliance/DisplayVersion", "Host/AsyncOS/Cisco Web Security Appliance/Version", "Settings/ParanoidReport");

  exit(0);
}

include('audit.inc');
include('cisco_workarounds.inc');
include('ccf.inc');

if (report_paranoia < 2)
  audit(AUDIT_PARANOID);

product_info = cisco::get_product_info(name:'Cisco Web Security Appliance (WSA)');

vuln_ranges = [
  { 'min_ver' : '10.1', 'fix_ver' : '10.5.5.005'}, 
  { 'min_ver' : '11.5', 'fix_ver' : '11.5.2.020'},
  { 'min_ver' : '11.7', 'fix_ver' : '11.7.0.406'}, 
  { 'min_ver' : '11.8', 'fix_ver' : '11.8.0.410'} 
];

workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvm91630',
  'disable_caveat', TRUE
);

cisco::check_and_report(
  product_info:product_info, 
  workarounds:workarounds, 
  workaround_params:workaround_params, 
  reporting:reporting, 
  vuln_ranges:vuln_ranges
);