Cisco IOS XE Software Web UI Command Injection Vulnerability

2019-05-14T00:00:00
ID CISCO-SA-20190513-WEBUI.NASL
Type nessus
Reporter This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2019-05-14T00:00:00

Description

According to its self-reported version, Cisco IOS XE Software is affected by a vulnerability in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying a crafted input parameter on a form in the Web UI and then submitting that form. A successful exploit could allow the attacker to run arbitrary commands on the device with root privileges, which may lead to complete system compromise.

Please see the included Cisco BIDs and Cisco Security Advisory for more information

                                        
                                            #TRUSTED 02d21014a4f53a16a1da61d1ed6e38a4b6834bbe9c92f154d2bc7345f8629d8b9a66529e3eac93eee5f4c2bae02b1f2b8f79e183c64a4c5359d8b570ac9f1a626c80b8c852a29298089a52e1cde5b1e5e17d851c74877039891887534b402fd77d2681d1d366879c0f19a68e207c491fe6068a23803d65f4e43e0cedb0b85c87f5cc657be58d218c54422b639e334b77257173f80a33322c6f4f31a036e48315bd22bc0c67630d04bcabacd4f64887c8aeb1167f75fdc0968443260b3f0ffa097201af9974feb0b1814b3c97cbe6ba486f5a261cf5cba4608ec6a2120bbe6e1301e1fd2e03e20f47cbd77620819e9d2c3857af063b1fd89fd06fdcf4e544c178ed48eeb345e9db688a4cc73aaa30a1062c95f06c13ab4897476f81b91183fb12ba3c521804ee15a358a30a103ebccf04bd8d83fcf90fc268afd5f1010cbecad239045af0f8746921ea69c8bd73633de92b296d6fa82bc850bdb1e9126564cff91ed521fffc90d6829db2cc378d3838c89daca677982680d4af42fa197cc0a46f2c32cb2a1be67282ea66dba7441b9ef61c573dc05bac90a1c4526094915b32b3ff2861f4c1c738599d3fcef5d6c0cb19b63f9159315eb2d029740675ee60e134534e264e9c93b29b0473f54b7a155ebf69b256dbefc7ec4e8ea3faae2fab1a2964d28cb13d3d3b58e0a51ddd0449b622b8b03c442bd6af77c5b1552da7968d19
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(125032);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/08");

  script_cve_id("CVE-2019-1862");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvn20358");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20190513-webui");
  script_xref(name:"IAVA", value:"2019-A-0158-S");

  script_name(english:"Cisco IOS XE Software Web UI Command Injection Vulnerability");
  script_summary(english:"Checks the version of Cisco IOS XE Software");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected by a vulnerability in the web-based user
interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the
underlying Linux shell of an affected device with root privileges. The vulnerability occurs because the affected software
improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could
exploit this vulnerability by supplying a crafted input parameter on a form in the Web UI and then submitting that form.
A successful exploit could allow the attacker to run arbitrary commands on the device with root privileges, which may
lead to complete system compromise.

Please see the included Cisco BIDs and Cisco Security Advisory for more information");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-webui
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?220946d4");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn20358");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvn20358");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1862");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(20);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include('audit.inc');
include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco IOS XE Software');

version_list=make_list(
  '3.2.0JA',
  '16.9.2s',
  '16.9.2a',
  '16.9.2',
  '16.9.1s',
  '16.9.1d',
  '16.9.1c',
  '16.9.1b',
  '16.9.1a',
  '16.9.1',
  '16.8.2',
  '16.7.3',
  '16.7.2',
  '16.6.4s',
  '16.6.4a',
  '16.6.4'
);

workarounds = make_list(CISCO_WORKAROUNDS['HTTP_Server_iosxe']);
workaround_params = make_list();

reporting = make_array(
'port'     , product_info['port'], 
'severity' , SECURITY_HOLE,
'version'  , product_info['version'],
'bug_id'   , 'CSCvn20358'
);

cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list);