Cisco IOS XE Software Command Authorization Bypass (cisco-sa-aaascp-Tyj4fEJm)

#TRUSTED 23f4a20647e42cbca821267a353d3fa199d53a11c5b77b58b989e65301f35ae6e7cae1a3a626437503d21bbbc4587fa99530e01fa5db8d726e322df5b24de3acb4145a53529166c743b7c47183f9b58393b1986cc8c3054be92e00c21ac6909aad3369b25dcea8d218730938aac28a825cfb1e2b063c1086ca474ade2d0c7a59bb0809b849a7bb8289aebea600149f795691dc09acac7eaf98b59376ade9e35cc0b9a7fd7f9b6e37733791133d7366b60b10f5fc281afbe638c0b9d4c08feb9d73ae2ac0689521fcdd657ebc8440db3ee09e05c5831f36805854306a9b6699b1ac495456cfddea9e3dc052c66bf3cfd0a5d87035581dffbabf1d2c1f731833dafc710e218632902472e1b00acb957188c968cd1a0c33f5b1a74607654bee68ea7f23f531227d94c888127a13ab594018acb676040fbaae9ea6eb9a31a13fb173f24dc499585f29c2e6959d413397672cb1726716f5c87334d1effa65ab955fff514e58694e29084e030c1f0eea693e48c94f81042906493a5327598cd1939d846f60307cfbfeacb5d4d6188d6b212146f0da71c98331f9527974bacece4e7a54ae5dc1bc0ea39dc30ea42d024a3bd44424d96151399353ff7784455ef57cef226c2f08f9ac20c5cd1b80a18fac3103ce9dd0e46118891d7b74aa4c52f683475614ec757f5fdd7218f82e3c2af2c9de65243057c2e6a62df44982eb187f626909
#TRUST-RSA-SHA256 0c9c3c2e14ecf5586487cb255634b7e195e012ddcea6f06a0466cb3797aeb36fc22203e911c397926a786fef8a6c895edae69f904eb9ab7dcff5b3eed76f7d70a1b2705478eddf7a57711bcdaa20e49c1269163afba0e0d2a256d3bf3d334fbc5c635fad2f2c6cc94f1ef65c9e3bddcf9904f979e68c519b502b244987b2d7acb4e190ffea27934d030ce100f8cb0aefe79834d6062478e6e58b43ff572428b1f854ecc813bd3685dd8c0c15a213d06383cb6a479c4a261db2fcee30a439dd938b311f32ca3c1c4a18d2c0dfb66a8a60186e4428fe95d6febd1b8120eeb2663fdca59e8371cb51d30749fc4decfdf40871b7078258a695dfd7e390dc19ae730d0148cee81559ecbf152fa1195a74d2a5e484e5c791eaeafc7a04a83107040e2788244a9c14e7cd679de5c4c09fcef892b536bfdad175c98b06ce5c10ae9375042d90809faec2168cb7619c68b29a3be6e63849ee8ec2abcf601013a6e6bf29a910a93782673cb57856937cd547cc59713634dabe7919fdbde19f8c92b8efe7439adeff4727f6b6929cc418bd74939c38cd686a09c51355a682e81fe6d5a271c1a1e0b9a4691bd9cb016a5324d3e55c60fc6469d8d72ebb7f0885ee2157937365de8ee4a302325d93ff5e568598f7fbf163aa79632441fddc13347bf0f3fb7145ef453c67948e7a9fd97cd3c36c562550cf74bd8dcd50997b9186649c557dd67e
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(192251);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/19");

  script_cve_id("CVE-2023-20186");
  script_xref(name:"CISCO-BUG-ID", value:"CSCwe55871");
  script_xref(name:"CISCO-SA", value:"cisco-sa-aaascp-Tyj4fEJm");
  script_xref(name:"IAVA", value:"2023-A-0510-S");

  script_name(english:"Cisco IOS XE Software Command Authorization Bypass (cisco-sa-aaascp-Tyj4fEJm)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS-XE Software is affected by a vulnerability.

  - A vulnerability in the Authentication, Authorization, and Accounting (AAA) feature of Cisco IOS Software
    and Cisco IOS XE Software could allow an authenticated, remote attacker to bypass command authorization
    and copy files to or from the file system of an affected device using the Secure Copy Protocol (SCP). This
    vulnerability is due to incorrect processing of SCP commands in AAA command authorization checks. An
    attacker with valid credentials and level 15 privileges could exploit this vulnerability by using SCP to
    connect to an affected device from an external machine. A successful exploit could allow the attacker to
    obtain or change the configuration of the affected device and put files on or retrieve files from the
    affected device. (CVE-2023-20186)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aaascp-Tyj4fEJm
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6736c09f");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe55871");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwe55871");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-20186");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/09/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/09/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/19");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

var product_info = cisco::get_product_info(name:'Cisco IOS XE Software');

var version_list=make_list(
  '3.2.0SE',
  '3.2.1SE',
  '3.2.2SE',
  '3.2.3SE',
  '3.3.0SE',
  '3.3.0SG',
  '3.3.0XO',
  '3.3.1SE',
  '3.3.1SG',
  '3.3.1XO',
  '3.3.2SE',
  '3.3.2SG',
  '3.3.2XO',
  '3.3.3SE',
  '3.3.4SE',
  '3.3.5SE',
  '3.4.0SG',
  '3.4.1SG',
  '3.4.2SG',
  '3.4.3SG',
  '3.4.4SG',
  '3.4.5SG',
  '3.4.6SG',
  '3.4.7SG',
  '3.4.8SG',
  '3.5.0E',
  '3.5.1E',
  '3.5.2E',
  '3.5.3E',
  '3.6.0E',
  '3.6.0aE',
  '3.6.0bE',
  '3.6.1E',
  '3.6.2E',
  '3.6.2aE',
  '3.6.3E',
  '3.6.4E',
  '3.6.5E',
  '3.6.5aE',
  '3.6.5bE',
  '3.6.6E',
  '3.6.7E',
  '3.6.7aE',
  '3.6.7bE',
  '3.6.8E',
  '3.6.9E',
  '3.6.9aE',
  '3.6.10E',
  '3.7.0E',
  '3.7.0S',
  '3.7.0bS',
  '3.7.0xaS',
  '3.7.0xbS',
  '3.7.1E',
  '3.7.1S',
  '3.7.1aS',
  '3.7.2E',
  '3.7.2S',
  '3.7.2tS',
  '3.7.3E',
  '3.7.3S',
  '3.7.4E',
  '3.7.4S',
  '3.7.4aS',
  '3.7.5E',
  '3.7.5S',
  '3.7.6S',
  '3.7.7S',
  '3.7.8S',
  '3.8.0E',
  '3.8.0S',
  '3.8.1E',
  '3.8.1S',
  '3.8.2E',
  '3.8.2S',
  '3.8.3E',
  '3.8.4E',
  '3.8.5E',
  '3.8.5aE',
  '3.8.6E',
  '3.8.7E',
  '3.8.8E',
  '3.8.9E',
  '3.8.10E',
  '3.8.10cE',
  '3.8.10dE',
  '3.8.10eE',
  '3.9.0E',
  '3.9.0S',
  '3.9.0aS',
  '3.9.0xaS',
  '3.9.1E',
  '3.9.1S',
  '3.9.1aS',
  '3.9.2E',
  '3.9.2S',
  '3.9.2bE',
  '3.10.0E',
  '3.10.0S',
  '3.10.0cE',
  '3.10.1E',
  '3.10.1S',
  '3.10.1aE',
  '3.10.1sE',
  '3.10.1xbS',
  '3.10.1xcS',
  '3.10.2E',
  '3.10.2S',
  '3.10.2aS',
  '3.10.2tS',
  '3.10.3E',
  '3.10.3S',
  '3.10.4S',
  '3.10.5S',
  '3.10.6S',
  '3.10.7S',
  '3.10.8S',
  '3.10.8aS',
  '3.10.9S',
  '3.10.10S',
  '3.11.0E',
  '3.11.0S',
  '3.11.1E',
  '3.11.1S',
  '3.11.1aE',
  '3.11.2E',
  '3.11.2S',
  '3.11.2aE',
  '3.11.3E',
  '3.11.3S',
  '3.11.3aE',
  '3.11.4E',
  '3.11.4S',
  '3.11.5E',
  '3.11.6E',
  '3.11.7E',
  '3.11.8E',
  '3.12.0S',
  '3.12.0aS',
  '3.12.1S',
  '3.12.2S',
  '3.12.3S',
  '3.12.4S',
  '3.13.0S',
  '3.13.0aS',
  '3.13.1S',
  '3.13.2S',
  '3.13.2aS',
  '3.13.3S',
  '3.13.4S',
  '3.13.5S',
  '3.13.5aS',
  '3.13.6S',
  '3.13.6aS',
  '3.13.6bS',
  '3.13.7S',
  '3.13.7aS',
  '3.13.8S',
  '3.13.9S',
  '3.13.10S',
  '3.14.0S',
  '3.14.1S',
  '3.14.2S',
  '3.14.3S',
  '3.14.4S',
  '3.15.0S',
  '3.15.1S',
  '3.15.1cS',
  '3.15.2S',
  '3.15.3S',
  '3.15.4S',
  '3.16.0S',
  '3.16.0aS',
  '3.16.0bS',
  '3.16.0cS',
  '3.16.1S',
  '3.16.1aS',
  '3.16.2S',
  '3.16.2aS',
  '3.16.2bS',
  '3.16.3S',
  '3.16.3aS',
  '3.16.4S',
  '3.16.4aS',
  '3.16.4bS',
  '3.16.4cS',
  '3.16.4dS',
  '3.16.4eS',
  '3.16.4gS',
  '3.16.5S',
  '3.16.5aS',
  '3.16.5bS',
  '3.16.6S',
  '3.16.6bS',
  '3.16.7S',
  '3.16.7aS',
  '3.16.7bS',
  '3.16.8S',
  '3.16.9S',
  '3.16.10S',
  '3.16.10aS',
  '3.16.10bS',
  '3.16.10cS',
  '3.17.0S',
  '3.17.1S',
  '3.17.1aS',
  '3.17.2S',
  '3.17.3S',
  '3.17.4S',
  '3.18.0S',
  '3.18.0SP',
  '3.18.0aS',
  '3.18.1S',
  '3.18.1SP',
  '3.18.1aSP',
  '3.18.1bSP',
  '3.18.1cSP',
  '3.18.1gSP',
  '3.18.1hSP',
  '3.18.1iSP',
  '3.18.2S',
  '3.18.2SP',
  '3.18.2aSP',
  '3.18.3S',
  '3.18.3SP',
  '3.18.3aSP',
  '3.18.3bSP',
  '3.18.4S',
  '3.18.4SP',
  '3.18.5SP',
  '3.18.6SP',
  '3.18.7SP',
  '3.18.8aSP',
  '3.18.9SP',
  '16.1.1',
  '16.1.2',
  '16.1.3',
  '16.2.1',
  '16.2.2',
  '16.3.1',
  '16.3.1a',
  '16.3.2',
  '16.3.3',
  '16.3.4',
  '16.3.5',
  '16.3.5b',
  '16.3.6',
  '16.3.7',
  '16.3.8',
  '16.3.9',
  '16.3.10',
  '16.3.11',
  '16.4.1',
  '16.4.2',
  '16.4.3',
  '16.5.1',
  '16.5.1a',
  '16.5.1b',
  '16.5.2',
  '16.5.3',
  '16.6.1',
  '16.6.2',
  '16.6.3',
  '16.6.4',
  '16.6.4a',
  '16.6.4s',
  '16.6.5',
  '16.6.5a',
  '16.6.5b',
  '16.6.6',
  '16.6.7',
  '16.6.7a',
  '16.6.8',
  '16.6.9',
  '16.6.10',
  '16.7.1',
  '16.7.1a',
  '16.7.1b',
  '16.7.2',
  '16.7.3',
  '16.7.4',
  '16.8.1',
  '16.8.1a',
  '16.8.1b',
  '16.8.1c',
  '16.8.1d',
  '16.8.1e',
  '16.8.1s',
  '16.8.2',
  '16.8.3',
  '16.9.1',
  '16.9.1a',
  '16.9.1b',
  '16.9.1c',
  '16.9.1d',
  '16.9.1s',
  '16.9.2',
  '16.9.2a',
  '16.9.2s',
  '16.9.3',
  '16.9.3a',
  '16.9.3h',
  '16.9.3s',
  '16.9.4',
  '16.9.4c',
  '16.9.5',
  '16.9.5f',
  '16.9.6',
  '16.9.7',
  '16.9.8',
  '16.9.8a',
  '16.9.8b',
  '16.9.8c',
  '16.10.1',
  '16.10.1a',
  '16.10.1b',
  '16.10.1c',
  '16.10.1d',
  '16.10.1e',
  '16.10.1f',
  '16.10.1g',
  '16.10.1s',
  '16.10.2',
  '16.10.3',
  '16.11.1',
  '16.11.1a',
  '16.11.1b',
  '16.11.1c',
  '16.11.1s',
  '16.11.2',
  '16.12.1',
  '16.12.1a',
  '16.12.1c',
  '16.12.1s',
  '16.12.1t',
  '16.12.1w',
  '16.12.1x',
  '16.12.1y',
  '16.12.1z',
  '16.12.1z1',
  '16.12.1z2',
  '16.12.2',
  '16.12.2a',
  '16.12.2s',
  '16.12.2t',
  '16.12.3',
  '16.12.3a',
  '16.12.3s',
  '16.12.4',
  '16.12.4a',
  '16.12.5',
  '16.12.5a',
  '16.12.5b',
  '16.12.6',
  '16.12.6a',
  '16.12.7',
  '16.12.8',
  '16.12.9',
  '17.1.1',
  '17.1.1a',
  '17.1.1s',
  '17.1.1t',
  '17.1.2',
  '17.1.3',
  '17.2.1',
  '17.2.1a',
  '17.2.1r',
  '17.2.1v',
  '17.2.2',
  '17.2.3',
  '17.3.1',
  '17.3.1a',
  '17.3.1w',
  '17.3.1x',
  '17.3.1z',
  '17.3.2',
  '17.3.2a',
  '17.3.3',
  '17.3.3a',
  '17.3.4',
  '17.3.4a',
  '17.3.4b',
  '17.3.4c',
  '17.3.5',
  '17.3.5a',
  '17.3.5b',
  '17.3.6',
  '17.3.7',
  '17.4.1',
  '17.4.1a',
  '17.4.1b',
  '17.4.1c',
  '17.4.2',
  '17.4.2a',
  '17.5.1',
  '17.5.1a',
  '17.6.1',
  '17.6.1a',
  '17.6.1w',
  '17.6.1x',
  '17.6.1y',
  '17.6.1z',
  '17.6.1z1',
  '17.6.2',
  '17.6.3',
  '17.6.3a',
  '17.6.4',
  '17.6.5',
  '17.7.1',
  '17.7.1a',
  '17.7.1b',
  '17.7.2',
  '17.8.1',
  '17.8.1a',
  '17.9.1',
  '17.9.1a',
  '17.9.1w',
  '17.9.1x',
  '17.9.1x1',
  '17.9.2',
  '17.9.2a',
  '17.9.2b',
  '17.9.3',
  '17.9.3a',
  '17.10.1',
  '17.10.1a',
  '17.10.1b',
  '17.11.1',
  '17.11.1a',
  '17.11.99SW'
);

var workarounds = make_list(CISCO_WORKAROUNDS['generic_workaround']);
var workaround_params = [
  WORKAROUND_CONFIG['scp_server'],
  WORKAROUND_CONFIG['aaa_authorization_commands'],
  {'require_all_generic_workarounds': TRUE}
];

var reporting = make_array(
  'port'    , product_info['port'],
  'severity', SECURITY_HOLE,
  'version' , product_info['version'],
  'bug_id'  , 'CSCwe55871',
  'cmds'    , make_list('show running-config'),
  'fix'     , 'See vendor advisory'
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_versions:version_list
);