Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability

2020-03-13T00:00:00
ID CISCO-SA-20190925-IOSXE-DIGSIG-BYPASS.NASL
Type nessus
Reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-03-13T00:00:00

Description

According to its self-reported version, Cisco IOS XE Software is affected by a vulnerability that could result in the loading of unsigned firmware on boot. An authenticated attacker could exploit this flaw to load malicious firmware onto the device. (cisco-sa-20190925-iosxe-digsig-bypass)

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

# Registration phase: when `description` is set, only the plugin metadata below
# is declared and the script exits (exit(0) at the end of this block) before any
# of the detection logic further down is reached.
if (description)
{
  script_id(134562);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/16");

  # Cross-references: the CVE, the two Cisco bug IDs and the Cisco advisory ID.
  script_cve_id("CVE-2019-12649");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvj87117");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvk12460");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20190925-iosxe-digsig-bypass");

  script_name(english:"Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability");

  # As the description text says, the finding rests on the device's
  # self-reported version; nothing in this script inspects the firmware image
  # or its signature on the device.
  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected by a vulnerability that could result in the
loading of unsigned firmware on boot. An authenticated attacker could exploit this flaw to load malicious firmware
onto the device. (cisco-sa-20190925-iosxe-digsig-bypass)");
  # NOTE(review): the first two see_also references below use plain http://,
  # unlike the two bug-search links, which use https://.
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-iosxe-digsig-bypass
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cb9bf05a");
  script_set_attribute(attribute:"see_also", value:"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-72547");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj87117");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk12460");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvj87117, CSCvk12460");
  # Scoring: cvss_score_source names CVE-2019-12649 as the origin of the vectors.
  # NOTE(review): the CVSS v2 vector carries Au:N (no authentication) while the
  # v3 vector carries PR:H and the description speaks of an authenticated
  # attacker; the v3 vector is the one that agrees with the description.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-12649");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  # CWE-347: Improper Verification of Cryptographic Signature.
  script_cwe_id(347);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/09/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/13");

  # Declared as a "local" plugin for the IOS XE operating-system CPE; it also
  # requires Host/local_checks_enabled (see script_require_keys below).
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  # Registered in the information-gathering category.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Runs after cisco_ios_xe_version.nasl, which presumably populates the
  # version and model KB keys required here - confirm against that plugin.
  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version", "Host/Cisco/IOS-XE/Model", "Host/local_checks_enabled");

  exit(0);
}
# Stop with the "local checks not enabled" audit unless the knowledge base
# records that local checks are enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

include('cisco_workarounds.inc');
include('ccf.inc');

# Fetch the product record (version, model) for IOS XE from the Cisco helper library.
product_info = cisco::get_product_info(name:'Cisco IOS XE Software');
model = product_info['model'];

# Platform gate, written as two guards; audit() ends the script, so the second
# guard is evaluated only when the first one passes.
# 1) The model string must contain "catalyst" (compared case-insensitively).
if ('catalyst' >!< tolower(model))
  audit(AUDIT_HOST_NOT, "affected");

# 2) The model string must match 3850 or 9300.
# NOTE(review): both patterns are unanchored, so any model string that merely
# contains those digits passes this guard.
if (model !~ '3850' && model !~ '9300')
  audit(AUDIT_HOST_NOT, "affected");


# Release strings treated as vulnerable; passed to cisco::check_and_report()
# as vuln_versions at the end of the script.
# NOTE(review): this is an explicit enumeration, so presumably a release that is
# not listed is not flagged - confirm how check_and_report() matches versions.
version_list=make_list(
  '3.2.11aSG',
  '3.2.0JA',
  '16.8.1s',
  '16.8.1e',
  '16.8.1d',
  '16.8.1c',
  '16.8.1b',
  '16.8.1a',
  '16.8.1',
  '16.7.4',
  '16.7.3',
  '16.7.2',
  '16.7.1b',
  '16.7.1a',
  '16.7.1',
  '16.6.4s',
  '16.6.4',
  '16.6.3',
  '16.6.2',
  '16.6.1',
  '16.5.3',
  '16.5.2',
  '16.5.1b',
  '16.5.1a',
  '16.5.1'
);
# Only the 'no workarounds' entry is selected and no workaround parameters are
# supplied; presumably this means no configuration-based mitigation is
# evaluated, leaving model and version as the only criteria - confirm in
# cisco_workarounds.inc.
workarounds = make_list(CISCO_WORKAROUNDS['no workarounds']);
workaround_params = make_list();

# Reporting record, filled in field by field: port 0, SECURITY_HOLE severity,
# the detected version, and the two Cisco bug IDs quoted in the finding.
reporting = make_array();
reporting['port']     = 0;
reporting['severity'] = SECURITY_HOLE;
reporting['version']  = product_info['version'];
reporting['bug_id']   = 'CSCvj87117, CSCvk12460';

# Hand everything to the shared Cisco helper, which performs the check and
# the reporting. Arguments are named, so their order here is not significant.
cisco::check_and_report(
  vuln_versions:version_list,
  product_info:product_info,
  reporting:reporting,
  workarounds:workarounds,
  workaround_params:workaround_params
);