CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
5.1%
According to its self-reported version, Cisco IOS XE Software is affected by a consent token bypass vulnerability. An authenticated, local attacker can exploit this via gaining shell access on an affected device and executing commands on the underlying operating system (OS) with root privileges. Please see the included Cisco BIDs and Cisco Security Advisory for more information.
#TRUSTED 5608314d4987efb10f9bb926e4898af3250b99145dab7c88c461def8bb939dc700dcd32731c487c183527101c96a216018c024dd474c469e9087c130223f408317944a3696c44f00cf30e52b673de6eda4c85c4a7b9bb943b52a12979c44221339b3760ad4c8e86213e1d12ca94215f180584e0ffefb31f3c11dff48afab55f9a951f88e27a7063ad05d822c818298b4e4c070c15fcd8ef2bd46609862dab8ccfe747029c2b8ae04543c3d1c954bc0b159c7e33c8b5b9bc1e708139cd2de1f71f215f2b4f75fdb6e08254092f20cf893d6b614f42e04c24cbc4aa9ffa038af6524c9019e936753b3d5f0d58f94dbeb8180db64438fc9d443feb1342eebc26c9b994d7912eacca42043751bf2d23f8364425d4c809293e4462c76f4631f1caae1382bc365549d3efedd60bdaa3d36be2d4f9da7b3aed1afc5ac665fef5855b3cd71ba445f4011d1883b56e5a7218018ff066d8e04c17d68e952fa0943042162109a4065acbe3fbe7cd6d9a979746221c3011efb4a39e36a029224294ec347a4874de30973d88124226073abdd985699343af4dcdc2fcd469cec6e69d54b4aca065f762cb329d8a93f89b44680097aa28a9f34283ab016e628787dc5f8b002f8b9c0afb47eb87ac267b40bee19299b1b43199f4ab45a15537e05693b8ce92cf33a1ceb7329b987eeaf9385bfc2ac2b17b437bfdc3021010d189ee42202bdf29af7
#TRUST-RSA-SHA256 4204f3292f038cb68ae9c5d9f78ca5434991548b97c49abee7473ad328ac924de9a196a64a613cf8ada6058999ce6a0c473f40013b429378fcaf5a38cde75704eaac143a7b59c2a6e7f6df798d960b6a4abd5ef831c1c4cdc0652977f1795b3dfd393cbf1144c8b2a84bd619f2f7bd71496d2953d703f700b41835008235d1712d95182bc689e3b2941d5f021f9646607a7fc316301aa4426fbec71f38e8f230d84c597fc37aca77db68a59f7ddcf09e95619594abfe72a41163040dd09000ef5d78dc870a7f39b8e15115dc1df38cdb6c655d3f37302dc16e09b9ac41b2dbecaf57bbedbbd37bcebab19f195a55687a3eba1378d43674f60243d8555527822b97fb7dee830cf04676e7116e2bca4463a131fe0242193eb9fd1db82a165be6c5c0993149481a8fc268dc704e09a7efea42c689c4b9a02cbd6e661c339c68444781e6f7d20bbe594507f41198f40fded15579dc0d83b5eb57ddec54aa4bd80172de0c6adf27af29c4ea024f490e64599361134603eab8e406ef13798d6f8d37f2e4079a7def9c431036c22cda2e18078e8483dfcac59bc4958399d1212136659bb2831dbbd2df0366fe9c83372d80afc4c6dd2c58f59c97e4142a2737dc94a46bd5d674248dd042b70c021b01e8781c32e21fa708dd90c30c3f683268943ec6110ff5e46358332c33acca0e76f6dd5e27f6ceb370456d244b230c505f40df7ce5
##
# (C) Tenable Network Security, Inc.
##
include('compat.inc');
if (description)
{
script_id(142053);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/28");
script_cve_id("CVE-2020-3404");
script_xref(name:"CISCO-BUG-ID", value:"CSCvq91055");
script_xref(name:"CISCO-SA", value:"cisco-sa-iosxe-ctbypass-7QHAfHkK");
script_xref(name:"IAVA", value:"2020-A-0439-S");
script_name(english:"Cisco IOS XE Software Consent Token Bypass (cisco-sa-iosxe-ctbypass-7QHAfHkK)");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected by a consent token bypass vulnerability.
An authenticated, local attacker can exploit this via gaining shell access on an affected device and executing commands
on the underlying operating system (OS) with root privileges. Please see the included Cisco BIDs and Cisco Security
Advisory for more information.");
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-ctbypass-7QHAfHkK
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?988a1f23");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq91055");
script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvq91055");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3404");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_cwe_id(863);
script_set_attribute(attribute:"vuln_publication_date", value:"2020/09/24");
script_set_attribute(attribute:"patch_publication_date", value:"2020/09/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/10/29");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("cisco_ios_xe_version.nasl");
script_require_keys("Host/Cisco/IOS-XE/Version");
exit(0);
}
include('ccf.inc');
include('cisco_workarounds.inc');
product_info = cisco::get_product_info(name:'Cisco IOS XE Software');
version_list = make_list
(
'16.11.1',
'16.11.1a',
'16.11.1b',
'16.11.1c',
'16.11.1s',
'16.11.2',
'16.12.1',
'16.12.1a',
'16.12.1c',
'16.12.1s',
'16.12.1t',
'16.12.1w',
'16.12.1x',
'16.12.1y'
);
workarounds = make_list(CISCO_WORKAROUNDS['show_running-config']);
workaround_params = {'pat' : "transport type persistent (telnet|ssh) input"};
reporting = make_array(
'port' , product_info['port'],
'severity' , SECURITY_HOLE,
'version' , product_info['version'],
'bug_id' , 'CSCvq91055',
'cmds' , make_list('show running-config')
);
cisco::check_and_report(
product_info:product_info,
reporting:reporting,
vuln_versions:version_list,
workarounds:workarounds,
workaround_params:workaround_params
);
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
5.1%