Cisco IOS XE Software Command Injection (cisco-sa-ngwc-cmdinj-KEwWVWR)

2020-06-08T00:00:00
ID CISCO-SA-NGWC-CMDINJ-KEWWVWR-IOSXE.NASL
Type nessus
Reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-06-08T00:00:00

Description

According to its self-reported version, Cisco IOS XE Software is affected by a command injection vulnerability due to insufficient input validation of boot options. An authenticated, local attacker (with root privileges) can exploit this, by modifying device boot options, to execute arbitrary commands on an affected device.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application

                                        
                                            #TRUSTED 87b5e28f6fb4889a4e2221e635e90403767f626f4fc5f36d13cfa0f05483481d84f651300886dbd313da5c3f721bfbdec5d0683bdcd2b4c5880624a8b1133a3e68dd4e3af9a3380d11e59d05e7a63c8a85ef27be5c45bb52f6333b81501116aecf514b64e07edfe34860bf0979da1c6427f7809f3c5954e094ae69907bd990b17bd2dc47185206aece5a8fc543fc159c3dedae36155fdc77f3e6b438cbd14015febd1b562011d02defd67a38faff187b2cb2f29509e150d509705a041e4a5fdcbaf52522e678ca5b11fa337b0dee43c2f6d103eeedd8695eb3f58b5025bd9b51b34ddd96567886f2889d3d8875176553554ded0532c76940cb6f8761dec21757ba5ecdac6c9b7c8e72a68fcbe350806d452e5f4ed4fa7dcc61d6ea864af6c607058868ab8ec7038e0d4e5d05130dc4fd9a2e846d3cb0d8c9468eba03cb3d192310112841a6f8caa6b51195e691179a561e36d0ab1581e8097436db85768d3207998f49101cb7b6c1e6ab90a85b1ecba5490d36c8c6e027a65558511db41808096e8796cdf66099ae7011431fa099a9921bf3d3ada94e5938bb2f0c8c47a6764d73e555ca7e846731e17560e0426c3227cc32363477b4ff537cf29b071d082b1f1c262a674979cab448a7a84c0b95513b937b22ffdc5fbf60904211cb99c1c1bbb5212330441522e360306826b53bf74d5cd306926c5e20a1574c3c833fe56149
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(137203);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/10");

  script_cve_id("CVE-2020-3207");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvq90824");
  script_xref(name:"CISCO-SA", value:"cisco-sa-ngwc-cmdinj-KEwWVWR");
  script_xref(name:"IAVA", value:"2020-A-0239");

  script_name(english:"Cisco IOS XE Software Command Injection (cisco-sa-ngwc-cmdinj-KEwWVWR)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected by a command injection vulnerability due 
  to insufficient input validation of boot options. An authenticated, local attacker (with root privileges) can exploit 
  this, by modifying device boot options, to execute arbitrary commands on an affected device. 
  
  Please see the included Cisco BIDs and Cisco Security Advisory for more information.
  
  Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported 
  version");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ngwc-cmdinj-KEwWVWR
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?851db65e");
  script_set_attribute(attribute:"see_also", value:"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-73388");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq90824");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvq90824");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3207");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(77);

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/06/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/06/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include('ccf.inc');
include('cisco_workarounds.inc');

product_info = cisco::get_product_info(name:'Cisco IOS XE Software');
model = product_info['model'];
device_model = get_kb_item('Host/Cisco/device_model');

if (('catalyst' >!< tolower(model) && 'cat' >!< device_model) || model !~ "3[68]5[0-9]|9[235][0-9]{2}")
  audit(AUDIT_HOST_NOT, 'an affected model');

version_list = make_list(
  '16.9.2',
  '16.9.3',
  '16.9.2a',
  '16.9.2s',
  '16.9.3h',
  '16.9.4',
  '16.9.3s',
  '16.9.3a',
  '16.10.1',
  '16.10.1s',
  '16.10.1e',
  '16.11.1',
  '16.11.1a',
  '16.11.1b',
  '16.11.1s',
  '16.11.1c',
  '16.12.1',
  '16.12.1s',
  '16.12.1c'
);

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_HOLE,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvq90824'
);

cisco::check_and_report(
  product_info:product_info,
  reporting:reporting,
  vuln_versions:version_list
);