Cisco Unified Communications Manager Path Traversal (cisco-sa-cucm-taps-path-trav-pfsFO93r)

2020-04-21T00:00:00
ID CISCO-SA-CUCM-TAPS-PATH-TRAV-PFSFO93R.NASL
Type nessus
Reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-04-21T00:00:00

Description

According to its self-reported version, Cisco Unified Communications Manager is affected by a path traversal vulnerability in the Tool for Auto-Registered Phones Support (TAPS) due to insufficient validation of user-supplied input to the TAPS interface of the affected device. An unauthenticated, remote attacker can exploit this, by sending a crafted request to the TAPS interface, in order to read arbitrary files in the system.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

                                        
                                            #TRUSTED 589d1e8c468dc5bdd18035133040c33a871f0c70e89e33e6ac3d58937bacecb56db3d81243e0bf97f8cbe0e7696127566577d77d1f30d86a2ee7658e9951e0eeaff6e09addabb576153d1622e8eb504644409ef2156dcbee7836520b812ede8082190c93323da5cac038cf712891b2ff10fa2476d7f6062940c4e2b1472c57f76455466c6917f66d775478363e116d7a2d2b70ad184eb690b58a7f619b752be6950d69a622a40b916280394eab34c5001b0467d20bce0f99e89bdc833bac762539a1bcff70bfd7091f9979079bde295ce4e482d9dec8a192fdf1b4150fd4ae42d4c824dd45561927229758e167a8db866111474961da765bae864b011a792b55fe5bc85f484ca996ce67264e0a90a573fd6d679b11423584247d84c218cb9a4d465c81cad3c72ed4e987676dac287a9452c8d536d6a570143f31fa8ad6ef4cc866c48e6c0862b77a0da390c684175d4a1e6a9f5a43037143d4d772e83ff315dc0ceb0e9dc5ab7267646932a0ebc1ce51ae53a5186ce13fdd0e26bd198754679a7daf0a3bb1d4cc1b79a6ed41851bb6ae8f451f6bb17dda416ccc910b980d9c31f9d2f40406d0cc0903b771f153b1f1ba8bbb1e81d580f6b34bcf9a5e051bdab0cafa9450fa4629dce9013647e526af8d60afb59a01f54eced1a4f43a8f1e6baf9dea3549d68435340e478fb9cb3ddda17b6d8a1dd1891b774a62b58d471aed87
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(135859);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/25");

  script_cve_id("CVE-2020-3177");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvq58268");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt33058");
  script_xref(name:"CISCO-SA", value:"cisco-sa-cucm-taps-path-trav-pfsFO93r");
  script_xref(name:"IAVA", value:"2020-A-0172");

  script_name(english:"Cisco Unified Communications Manager Path Traversal (cisco-sa-cucm-taps-path-trav-pfsFO93r)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco Unified Communications Manager is affected by a path traversal
vulnerability in the Tool for Auto-Registered Phones Support (TAPS) due to insufficient validation of user-supplied
input to the TAPS interface of the affected device. An unauthenticated, remote attacker can exploit this, by sending a
crafted request to the TAPS interface, in order to read arbitrary files in the system.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-taps-path-trav-pfsFO93r
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?68b8a524");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq58268");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt33058");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvq58268, CSCvt33058");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3177");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(22);

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/04/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/21");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:unified_communications_manager");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ucm_detect.nbin");
  script_require_keys("Host/Cisco/CUCM/Version", "Settings/ParanoidReport");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

if (report_paranoia < 2) audit(AUDIT_PARANOID);

product_info = cisco::get_product_info(name:'Cisco Unified Communications Manager');

vuln_ranges = [
  {'min_ver' : '0.0', 'fix_ver' : '10.5.2.21900.13'},
  {'min_ver' : '11.0', 'fix_ver' : '11.5.1.17900.52'},
  {'min_ver' : '12.0', 'fix_ver' : '12.5.1.12900.115'}
];

reporting = make_array(
'port'     , 0,
'severity' , SECURITY_WARNING,
'version'  , product_info['version'],
'bug_id'   , 'CSCvq58268, CSCvt33058'
);

cisco::check_and_report(
  product_info:product_info,
  reporting:reporting,
  vuln_ranges:vuln_ranges
);