Cisco Adaptive Security Appliance Software Web Services Path Traversal (cisco-sa-asaftd-path-JE3azWw43)

2020-05-27T00:00:00
ID CISCO-SA-ASAFTD-PATH-JE3AZWW43-ASA.NASL
Type nessus
Reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-05-27T00:00:00

Description

A vulnerability exists in the web services interface of Cisco Adaptive Security Appliance (ASA) Software due to a lack of proper input validation of the HTTP URL. An unauthenticated, remote attacker can exploit this, by sending a crafted HTTP request containing directory traversal character sequences, in order to view or delete arbitrary files on the targeted system within the web services file system.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

                                        
                                            #TRUSTED 184a02b092062229c09e34227b4ff5057a90b93edb3de3a5c422d851ff72d490d5ac7e2c5eafafb00925fa78d6eb2e5ec494922c3d417d5f4a4fa33bfbbf97a2972439673ffc23ed7f25ae1d474cd504dc8e9e1767ca87a2c5a8c5c4bcd20d86b40857c043c33390d0048c20b571309b38faf989acdbb937ad1eb38a3f30cd39b58e6d0e2f185fb7869d4c4c7ea94d6399003caa987a4d96ca4943c6c86f80720b4262dae8eb6bdc97e98082d73417bf451baa83d69996f4c3454e89ef2e4d4054b1791024206b4090abbf466b1d59788fa61ad39143c603cf97db87f230db00e40b03574dd0ee082c38dc5a786bdfa42744f5f07e0690094d59a4397cdeec45565f3d3f8273f0939290cd8696b7f89267caa890b570d1e39c5b16473665d564678258ea6058e48cd80dfb394081aab0f42a757abdb131089a50cdcf48a2c46ea1ae969b6d5c129a075a3937c705dee3deb7bc753df62f81d160150c813791b227fc7b578884d3647f39d9b464a663dff830221521c7e091c10790376575e17d45f7e7359eeb2c4963168a0a0e4a10bb09c4800857f20903a3464beb6f3e67af2d6167988ee6105b80e0058138b361778e61d46d921d0851df9c7cbc471549eaa96180737aafeda2d32fae04cb26a81bb8c549fda01b31f56db70759f7614e889f5f16d6cf663b3ce08e8e84175f92b71467fce5001d7c757ffda49b446efdbf
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(136914);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/14");

  script_cve_id("CVE-2020-3187");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvr55825");
  script_xref(name:"CISCO-SA", value:"cisco-sa-asaftd-path-JE3azWw43");
  script_xref(name:"IAVA", value:"2020-A-0205");

  script_name(english:"Cisco Adaptive Security Appliance Software Web Services Path Traversal (cisco-sa-asaftd-path-JE3azWw43)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"A vulnerability exists in the web services interface of Cisco Adaptive Security Appliance (ASA) Software due to a lack
of proper input validation of the HTTP URL. An unauthenticated, remote attacker can exploit this, by sending a crafted
HTTP request containing directory traversal character sequences, in order to view or delete arbitrary files on the
targeted system within the web services file system.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7e0745c0");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr55825");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in the Cisco Security Advisory");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3187");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/05/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/05/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:adaptive_security_appliance_software");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
  script_require_keys("Host/Cisco/ASA");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco Adaptive Security Appliance (ASA) Software');

vuln_ranges = [
  {'min_ver' : '0.0',  'fix_ver': '9.6.4.40'},
  {'min_ver' : '9.7',  'fix_ver': '9.8.4.15'},
  {'min_ver' : '9.9',  'fix_ver': '9.9.2.66'},
  {'min_ver' : '9.10',  'fix_ver': '9.10.1.37'},
  {'min_ver' : '9.11',  'fix_ver': '9.12.3.2'},
  {'min_ver' : '9.13',  'fix_ver': '9.13.1.7'}
];

workarounds = make_list(CISCO_WORKAROUNDS['anyconnect_client_services'], CISCO_WORKAROUNDS['ssl_vpn']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_HOLE,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvr55825',
  'cmds'     , make_list('show running-config')
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_ranges:vuln_ranges
);