Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.CISCO-SA-CIMC-CMD-INJ-BLUPCB.NASL
HistoryMay 15, 2024 - 12:00 a.m.

Cisco Integrated Management Controller Web-Based Management Interface Command Injection (cisco-sa-cimc-cmd-inj-bLuPcb)

2024-05-1500:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
9
cisco
cimc
command injection
vulnerability
scanner
web-based management interface
file data

8.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

7.9 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.5%

JSON

According to its self-reported version, the Cisco Integrated Management Controller Web-Based Management Interface is affected by a command injection vulnerability. Due to insufficient user input validation, an authenticated, remote attacker with Administrator-level privileges could perform command injection attacks on an affected system and elevate their privileges to root.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(197063);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/16");

  script_cve_id("CVE-2024-20356");
  script_xref(name:"CISCO-BUG-ID", value:"CSCwi42996");
  script_xref(name:"CISCO-BUG-ID", value:"CSCwi43001");
  script_xref(name:"CISCO-BUG-ID", value:"CSCwi43005");
  script_xref(name:"CISCO-BUG-ID", value:"CSCwj41082");
  script_xref(name:"CISCO-SA", value:"cisco-sa-cimc-cmd-inj-bLuPcb");
  script_xref(name:"IAVA", value:"2024-A-0250");

  script_name(english:"Cisco Integrated Management Controller Web-Based Management Interface Command Injection (cisco-sa-cimc-cmd-inj-bLuPcb)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco Integrated Management Controller Web-Based Management Interface is
affected by a command injection vulnerability. Due to insufficient user input validation, an authenticated, remote 
attacker with Administrator-level privileges could perform command injection attacks on an affected system and elevate 
their privileges to root.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-bLuPcb
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7799f84a");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwi42996");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwi43001");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwi43005");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj41082");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCwi42996, CSCwi43001, CSCwi43005, CSCwj41082");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-20356");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(78);

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/04/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/15");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:integrated_management_controller");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_imc_detect.nbin");
  script_require_keys("Host/Cisco/CIMC/version", "Host/Cisco/CIMC/model");

  exit(0);
}

include('ccf.inc');

var product_info = cisco::get_product_info(name:'Cisco Unified Computing System (Management Software)');

var model = toupper(product_info.model);

if (empty_or_null(model) ||
 (model !~ "ENCS5\d+" && model !~ "C83\d+[\s-]UCPE" && model !~ "E\d+[SD]" && model !~ "C\d+[\s-]?M[567]" && model !~ "S3260")) 
    audit(AUDIT_HOST_NOT, 'an affected model');

var vuln_ranges = [];

# 5000 Series ENCS
# Catalyst 8300 Series Edge uCPE
if (model =~ "ENCS5\d+" || model =~ "C83\d+[\s-]UCPE")
  vuln_ranges = [
    {'min_ver': '0.0', 'fix_ver': '4.14.1'}
  ];

# C-Series M5, M6, M7
if (model =~ "C\d+[\s-]?M[4567]")
{
  if ("M5" >< model)
    vuln_ranges = [
      {'min_ver': '0.0', 'fix_ver': '4.1(3n)'},
      {'min_ver': '4.2', 'fix_ver': '4.2(3j)'},
      {'min_ver': '4.3', 'fix_ver': '4.3(2.240009)'}
    ];
  else if ("M6" >< model)
    vuln_ranges = [
      {'min_ver': '4.2', 'fix_ver': '4.2(3j)'},
      {'min_ver': '4.3', 'fix_ver': '4.3(3.240009)'}
    ];
  else if ("M7" >< model)
    vuln_ranges = [
      {'min_ver': '4.3', 'fix_ver': '4.3(3.240022)'}
    ];
}

# E-Series M2, M3, M6
if (model =~ "E\d+[SD]")
{
  if (model =~ "M[23]|E140S|E160D|E180D|E160S|E1120D")
    vuln_ranges = [
      {'min_ver': '0.0', 'fix_ver': '3.2.15.3'}
    ];
  else if (model =~ "M6|E1100D")
    vuln_ranges = [
      {'min_ver': '4.12', 'fix_ver': '4.12.2'}
    ];
}

# only available S-Series seems to be UCS S3260
if (model =~ "S3260")
  vuln_ranges = [
    {'min_ver': '4.0', 'fix_ver': '4.1(3n)'},
    {'min_ver': '4.2', 'fix_ver': '4.2(3k)'},
    {'min_ver': '4.3', 'fix_ver': '4.3(2.240009)'}
  ];


var reporting = make_array(
  'port'          , 0,
  'severity'      , SECURITY_HOLE,
  'version'       , product_info['version'],
  'bug_id'        , 'CSCwi42996, CSCwi43001, CSCwi43005, CSCwj41082',
  'disable_caveat', TRUE
);

cisco::check_and_report(
  product_info:product_info,
  reporting:reporting,
  vuln_ranges:vuln_ranges
);
VendorProductVersionCPE
ciscointegrated_management_controllercpe:/a:cisco:integrated_management_controller

Related

cve 1
githubexploit 1
cisco 1
nvd 1
cvelist 1
cve
cve
CVE-2024-20356
2024-04-24 20:15:07
githubexploit
githubexploit
Exploit for CVE-2024-20356
2024-04-12 15:07:42
cisco
cisco
Cisco Integrated Management Controller Web-Based Management Interface Command Injection Vulnerability
2024-04-17 16:00:00
nvd
nvd
CVE-2024-20356
2024-04-24 20:15:07
cvelist
cvelist
CVE-2024-20356
2024-04-24 19:40:33

8.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

7.9 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.5%

JSON
Related for CISCO-SA-CIMC-CMD-INJ-BLUPCB.NASL
cve1githubexploit1cisco1nvd1cvelist1