Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Remote Command Execution (cisco-sa-rv-rce-AQKREqp)

2020-08-18T00:00:00
ID CISCO-SA-RV-RCE-AQKREQP.NASL
Type nessus
Reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-08-18T00:00:00

Description

According to its self-reported version, Cisco Small Business RV Series Router Firmware is affected by default remote command execution vulnerability. The vulnerability is due to improper validation of user-supplied input in the web- based management interface. A remote, unauthenticated attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system of the affected device.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

                                        
                                            #TRUSTED 9419feff39a12d6b49c4d8a364ed5d1a32ad70f8433ccb18f2bb5f597050138105a886145d3a3a1e34b869ccddd2aa80ec12e278a6f3d3aa0cb92bc48d16f9eb87c427a4c19f44bb70b6807ad5f7d09687a8401a8c37f2737f26e0cfd71965774a5277e424983c301e177414335449a46a4547fb4410ed8acd40475582fe2bc12abf315b080ab7a09448eabe183d16903fd647462ef506e5ad253ca96ac7e0de36e9231d19c5c4f53eb238406214e3ee6f8429722a08d53a0eb3945ed9679de2e9dbf021daf8e044b41713c825f9b8a6f4e31dc0392b8879dbe2f19567f7f2307a4c96af66314109b65c1d4625efb66827c94b861445ba89f632f272421cb87d84da5e3978dccbe67bd14b1edd96a7260dd151f9769a20599fce55aa1fb0fe9bee2b3807dfb9c1f9d09d1fc27f7dc409f3fdf185f73540b442cb4b7b75b7e324801d359713b9432fb6afb7f377754ee79dafc5be2fd2a0f2cfbee6d66f6d79ef52a13c47862f6821286571e6463096664820c90a48ca83e0e037d6ff88748c9c01490cd6c98f271e4f28d1b3e502504c7912bebefd753ab221b06323437e911b71041076fc4e1ee66c1013758e40e5a7c2bbc3bbe6c73a3bf1d7aeec64412c12de77e98f3fa7d13f2944020f1222f010216e72ee0572f7096f4915b8149b4e2bb86c8ca822c7bea03999baebd88a7ad5c15228599b5092ae8acad4f62fc8bdfb
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(139664);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/09/17");

  script_cve_id("CVE-2020-3323");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvr97864");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvr97884");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvr97889");
  script_xref(name:"CISCO-SA", value:"cisco-sa-rv-rce-AQKREqp");
  script_xref(name:"IAVA", value:"2020-A-0331");

  script_name(english:"Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Remote Command Execution (cisco-sa-rv-rce-AQKREqp)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco Small Business RV Series Router Firmware is affected by default remote
command execution vulnerability. The vulnerability is due to improper validation of user-supplied input in the web-
based management interface. A remote, unauthenticated attacker could exploit this vulnerability by sending crafted HTTP
requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user
on the underlying operating system of the affected device.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-rce-AQKREqp
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?aefecfc3");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr97864");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr97884");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr97889");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvr97864, CSCvr97884, CSCvr97889");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3323");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(119);

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/07/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/07/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/08/18");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:small_business_rv_series_router_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:small_business_router");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_small_business_detect.nasl", "cisco_rv_webui_detect.nbin");
  script_require_keys("Cisco/Small_Business_Router/Version", "Cisco/Small_Business_Router/Device");

  exit(0);
}

include('ccf.inc');
include('cisco_workarounds.inc');

product_info = cisco::get_product_info(name:'Cisco Small Business Series Router Firmware');

model = product_info['model'];

if ('RV110W' >< model)
 vuln_ranges = [ {'min_ver':'0.0', 'fix_ver':'1.2.2.8'} ];
else if ('RV130' >< model)
 vuln_ranges = [ {'min_ver':'0.0', 'fix_ver':'1.0.3.54'} ];
else if ('RV215W' >< model)
 vuln_ranges = [ {'min_ver':'0.0', 'fix_ver':'1.3.1.7'} ];
else if (empty_or_null(model))
  exit(1, 'The model of the device could not be determined');
else
  audit(AUDIT_HOST_NOT, 'an affected Cisco Small Business RV Series router');


reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_HOLE,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvr97864, CSCvr97884, CSCvr97889'
);

cisco::check_and_report(
  product_info:product_info,
  reporting:reporting,
  vuln_ranges:vuln_ranges
);