Cisco IOS XE Software Web UI Command Injection Vulnerability

2019-05-14T00:00:00
ID CISCO-SA-20190513-WEBUI.NASL
Type nessus
Reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-04-02T00:00:00

Description

According to its self-reported version, Cisco IOS XE Software is affected by a vulnerability in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying a crafted input parameter on a form in the Web UI and then submitting that form. A successful exploit could allow the attacker to run arbitrary commands on the device with root privileges, which may lead to complete system compromise.

Please see the included Cisco BIDs and Cisco Security Advisory for more information

                                        
                                            #TRUSTED 3332baa611c7dea8561a911301b5f79e68883684b9bd94d7d39d47a421553ccd803fb50b8dd6d4b36f4a30f316c6c24b4d2c7c11245d7f0ebcd12341a9562882fa4d882e7cdeb77a45adfcbe54e256c474becca21dad6c3db631d3f27182299989fa719a2e4b5ed0a7d391125273c0014e6eff8f41a0b51b1f798c60da178910006a92ad342545b336ac60ff1a0efe6f37a0e8694da76394e61f620a66d544343d62a06363bfe2fae74ee12ac83e164d4dea9c8f4560e1c0145f30c760f25f7b00f1b24fc7ae51cae0bc4ebc862e586e43966f1fea5f32d874978b216ed10b2cb1908b5c8e0ffd32b594ff6b21add654db2643bcd90d55fcd50e307028c78a1b1fb6b5154825f996dc3284992daf6fdf4f7c1e79bbf0e52c51d3e3cf247fb13a58025a9e2dbc3292353637f388ccc0265488552e949dc8ad1d77eaff1ec88ec2d17e43a95bc9f5700a94a8ed83196237cf3b2199bb7b3a3fd894f949ee3d564c53b68940f4f1c5dcae92ce3fa99b4b06ee40138963990904f2ecdd4090492167f44feeab1f339508e646b599e553af3a9f216aab366fb5a5be9188aa52d7fee8547f3f27dd2e04b38776dd5bf5c57306e7aa885ee495b0ec090306eebb0631f3e83ba9a93367b085890a1412ba4cbd80532047ec3e2cef87b5684d593da6bf86f6dd4608d516c3c186126634a8b1c93d3c592bf101d57fff6d2ea311990efe0e
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(125032);
  script_version("1.5");
  script_cvs_date("Date: 2019/12/20");

  script_cve_id("CVE-2019-1862");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvn20358");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20190513-webui");
  script_xref(name:"IAVA", value:"2019-A-0158");

  script_name(english:"Cisco IOS XE Software Web UI Command Injection Vulnerability");
  script_summary(english:"Checks the version of Cisco IOS XE Software");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected by a vulnerability in the web-based user
interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the
underlying Linux shell of an affected device with root privileges. The vulnerability occurs because the affected software
improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could
exploit this vulnerability by supplying a crafted input parameter on a form in the Web UI and then submitting that form.
A successful exploit could allow the attacker to run arbitrary commands on the device with root privileges, which may
lead to complete system compromise.

Please see the included Cisco BIDs and Cisco Security Advisory for more information");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-webui
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?220946d4");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn20358");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvn20358");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1862");
  script_set_attribute(attribute:"cvss_score_rationale", value:"Based on vendor advisory");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(20);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include('audit.inc');
include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco IOS XE Software');

version_list=make_list(
  '3.2.0JA',
  '16.9.2s',
  '16.9.2a',
  '16.9.2',
  '16.9.1s',
  '16.9.1d',
  '16.9.1c',
  '16.9.1b',
  '16.9.1a',
  '16.9.1',
  '16.8.2',
  '16.7.3',
  '16.7.2',
  '16.6.4s',
  '16.6.4a',
  '16.6.4'
);

workarounds = make_list(CISCO_WORKAROUNDS['HTTP_Server_iosxe']);
workaround_params = make_list();

reporting = make_array(
'port'     , 0,
'severity' , SECURITY_HOLE,
'version'  , product_info['version'],
'bug_id'   , 'CSCvn20358'
);

cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list);