Source: nessus. This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof. File: CISCO-SA-XBACE-ONCEBYS-IOSXE.NASL
History: Oct 02, 2020 - 12:00 a.m.

Cisco IOS XE Software Arbitrary Code Execution Vulnerability (cisco-sa-xbace-OnCEbyS)

2020-10-02 00:00:00
This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
197

According to its self-reported version, Cisco IOS XE Software is affected by an arbitrary code execution vulnerability, due to incorrect validations by boot scripts when specific ROM monitor (ROMMON) variables are set. An authenticated, local attacker could exploit this vulnerability by installing code to a specific directory in the underlying operating system (OS) and setting a specific ROMMON variable. A successful exploit could allow the attacker to execute persistent code on the underlying OS. To exploit this vulnerability, the attacker would need access to the root shell on the device or have physical access to the device.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

#TRUSTED 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
#TRUST-RSA-SHA256 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
##
# (C) Tenable Network Security, Inc.
##

include('compat.inc');

# Plugin registration block. When the script is loaded with `description` set, only
# the metadata below is registered and the script exits (see exit(0) at the end of
# the block) before the version check further down in the file is reached.
if (description)
{
  # Plugin identity and revision tracking.
  script_id(141119);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/28");

  # Cross-references used for triage: the CVE, the Cisco bug ID, the Cisco advisory
  # ID and the IAVA notice this finding maps to.
  script_cve_id("CVE-2020-3417");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs58715");
  script_xref(name:"CISCO-SA", value:"cisco-sa-xbace-OnCEbyS");
  script_xref(name:"IAVA", value:"2020-A-0439-S");

  script_name(english:"Cisco IOS XE Software Arbitrary Code Execution Vulnerability (cisco-sa-xbace-OnCEbyS)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  # The description states that the finding is derived from the self-reported
  # version. A hit therefore means "this release string is on the affected list";
  # it is not evidence that ROMMON variables or the boot scripts were inspected.
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected by a arbitrary code execution vulnerability,
due to incorrect validations by boot scripts when specific ROM monitor (ROMMON) variables are set. An authenticated,
local attacker could exploit this vulnerability by installing code to a specific directory in the underlying operating
system (OS) and setting a specific ROMMON variable. A successful exploit could allow the attacker to execute persistent
code on the underlying OS. To exploit this vulnerability, the attacker would need access to the root shell on the
device or have physical access to the device.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # References shown to the analyst; the comment on the next line records the
  # advisory URL (presumably the target of the shortened nessus.org link - confirm).
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xbace-OnCEbyS
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?217cd5d2");
  script_set_attribute(attribute:"see_also", value:"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74268");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs58715");
  # Remediation is an upgrade; no workaround or configuration change is offered here.
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvs58715");
  # Scoring. Both base vectors use a local attack vector (AV:L). The CVSS v3 vector
  # requires high privileges (PR:H), which matches the description's precondition of
  # root-shell or physical access; the CVSS v2 vector records Au:N, so the two
  # scores should not be compared directly when prioritising.
  # Temporal vectors mark exploit maturity as unproven (E:U) with an official fix.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3417");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  # CWE-78: OS command injection.
  script_cwe_id(78);

  # Disclosure and fix were published on the same day; the plugin followed on 2020/10/02.
  script_set_attribute(attribute:"vuln_publication_date", value:"2020/09/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/09/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/10/02");

  # Classification metadata: plugin type, affected platform CPE and STIG severity.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  # Information-gathering category and the plugin family it is filed under.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The check needs the KB key Host/Cisco/IOS-XE/Version to be present; the declared
  # dependency cisco_ios_xe_version.nasl is presumably the plugin that populates it
  # (confirm). If the version was never collected, this plugin has nothing to match.
  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  # Stop here during registration so that none of the detection logic executes.
  exit(0);
}

include('ccf.inc');

# Fetch the product record for Cisco IOS XE through the ccf.inc helper. The code
# below reads its 'port' and 'version' entries; the version is presumably the
# self-reported one collected earlier in the scan (confirm against ccf.inc).
product_info = cisco::get_product_info(name:'Cisco IOS XE Software');

# Fixed enumeration of IOS XE release strings this plugin treats as affected; it is
# passed as vuln_versions to cisco::check_and_report at the end of the file.
# Entries are in string-sorted order (16.10.x precedes 16.6.x), not release order.
# NOTE(review): matching is presumably by exact string, so a release missing from
# this list would not be reported - treat a clean result as "not on the list", not
# as proof that the device is unaffected; confirm the matching rules in ccf.inc.
version_list=make_list(
  '16.10.1',
  '16.10.1a',
  '16.10.1b',
  '16.10.1c',
  '16.10.1d',
  '16.10.1e',
  '16.10.1f',
  '16.10.1g',
  '16.10.1s',
  '16.10.2',
  '16.10.3',
  '16.11.1',
  '16.11.1a',
  '16.11.1b',
  '16.11.1c',
  '16.11.1s',
  '16.11.2',
  '16.12.1',
  '16.12.1a',
  '16.12.1c',
  '16.12.1s',
  '16.12.1t',
  '16.12.1w',
  '16.12.1x',
  '16.12.1y',
  '16.12.2',
  '16.12.2a',
  '16.12.2s',
  '16.12.2t',
  '16.12.3',
  '16.12.3a',
  '16.6.1',
  '16.6.2',
  '16.6.3',
  '16.6.4',
  '16.6.4a',
  '16.6.4s',
  '16.6.5',
  '16.6.5a',
  '16.6.5b',
  '16.6.6',
  '16.6.7',
  '16.6.7a',
  '16.7.1',
  '16.7.1a',
  '16.7.1b',
  '16.7.2',
  '16.7.3',
  '16.7.4',
  '16.8.1',
  '16.8.1a',
  '16.8.1b',
  '16.8.1c',
  '16.8.1d',
  '16.8.1e',
  '16.8.1s',
  '16.8.2',
  '16.8.3',
  '16.9.1',
  '16.9.1a',
  '16.9.1b',
  '16.9.1c',
  '16.9.1d',
  '16.9.1s',
  '16.9.2',
  '16.9.2a',
  '16.9.2s',
  '16.9.3',
  '16.9.3a',
  '16.9.3h',
  '16.9.3s',
  '16.9.4',
  '16.9.4c',
  '16.9.5',
  '16.9.5f',
  '17.1.1',
  '17.1.1a',
  '17.1.1s',
  '17.1.1t',
  '3.18.0SP',
  '3.18.1SP',
  '3.18.1aSP',
  '3.18.1bSP',
  '3.18.1cSP',
  '3.18.1gSP',
  '3.18.1hSP',
  '3.18.1iSP',
  '3.18.2SP',
  '3.18.2aSP',
  '3.18.3SP',
  '3.18.3aSP',
  '3.18.3bSP',
  '3.18.4SP',
  '3.18.5SP',
  '3.18.6SP',
  '3.18.7SP',
  '3.18.8SP',
  '3.18.8aSP'
);

# Report parameters handed to cisco::check_and_report: the port and version taken
# from product_info, the severity constant SECURITY_HOLE, and the Cisco bug ID the
# solution text refers to.
# NOTE(review): 'disable_caveat' is set to TRUE; presumably this suppresses a caveat
# that the report would otherwise carry about configuration not being checked.
# No configuration or workaround check is passed by this plugin - confirm the flag's
# meaning in ccf.inc.
reporting = make_array(
  'port'     , product_info['port'], 
  'severity' , SECURITY_HOLE,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvs58715',
  'disable_caveat', TRUE
);

# Hand the product record, the report parameters and the affected-release list to
# the shared ccf.inc routine. Only these three arguments are supplied, so the
# decision rests on the version data alone; no device configuration is passed in.
cisco::check_and_report(
  product_info:product_info,
  reporting:reporting,
  vuln_versions:version_list
);
| Vendor | Product | Version | CPE |
|---|---|---|---|
| cisco | ios_xe | | cpe:/o:cisco:ios_xe |