CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:P/A:P
EPSS
Percentile
50.6%
According to its banner, the version of the Cisco ASA software on the remote device is affected by a vulnerability in its SSL VPN code due to improper validation of session information for the SSL VPN when a SharePoint handler is created. This allows a remote, authenticated attacker to overwrite arbitrary files present on the RAMFS file system, inject Lua scripts, or cause a denial of service condition via crafted HTTP requests.
#TRUSTED 2b2930e7ff0e61f0f791ce52c7c98838f4b1bf72ee1f031755b3489f4d8834733a79dd242333384f45b1cf5843414fb67ce196f2c4da7841df6afef88c92b6fbc5a1ff40a4a4b2baf9f7e7f9dd184052fa939e46c628f5ea577e812b1a66d394f1dbdd79052be411200b514204e0cb1779994665efdab60f73c34ceb5f1ce1a414224a10a3d4bc77d6f0e3cfcaac9cba82b6f80c9a678c35bd14ef73b7e580a28efa59f96940c700f18c2c85f775ec0a085fcfeaa8e136063989ab9aa8ca59bc9176f44edc050d376322bf465acb485635b7769a0381db1adf3900923ccefb34a6f94944d038727aa396f365cf24115ed6352faff8b8a24fc4631668d6a9699ec6b1ca00f98fe743bead9041ae6e1552abb72491b3772b6d1b8ac960fd75dba93f0ce923eec7c2c15ba9bf3822a81bf03f8edda5597dbf92edd25619f87a9afe1b97059430dd6067b17fd7c559aa0996c62e51d93de914f3f01fc920e87ade944e51327de25f0b2dda5baca3e9f08e64622bcc57a05939a34b86f27dd4bf87f84dad61b4e6a4c94654bfc5b3cb5ea716673edcedee8924334c61c2555d279f3ecf325492f57f9ba2582be45e9b46bb469bffe20a87fba6fbf65ce3db14d989354e44a7f60e9f255dc49cb9a92d7927013143fe9827efb58e89537ee7085685ae77b99991b0d842855989070acedac41a3966591ba2332416b79d16b7e6c5b9b2
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration block. When the scanner loads the plugin with `description`
# set, only the metadata below is declared and the script leaves through
# exit(0) at the end of the block; none of the detection logic further down
# runs in that pass.
if (description)
{
# Plugin identity and revision.
script_id(79667);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2018/11/15");
# Cross-references: one CVE, one Bugtraq ID and the two Cisco bug IDs that
# the plugin name also carries.
script_cve_id("CVE-2014-3399");
script_bugtraq_id(70251);
script_xref(name:"CISCO-BUG-ID", value:"CSCup54208");
script_xref(name:"CISCO-BUG-ID", value:"CSCup54184");
script_name(english:"Cisco ASA Software SharePoint RAMFS Integrity and Lua Injection Vulnerabilities (CSCup54208 and CSCup54184)");
# The summary is explicit that this is a version check: the finding comes
# from the reported ASA version (plus the webvpn configuration test later
# in the script), not from exercising the flaw.
script_summary(english:"Checks the ASA version.");
script_set_attribute(attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch.");
script_set_attribute(attribute:"description", value:
"According to its banner, the version of the Cisco ASA software on the
remote device is affected by a vulnerability in its SSL VPN code due
to improper validation of session information for the SSL VPN when a
SharePoint handler is created. This allows a remote, authenticated
attacker to overwrite arbitrary files present on the RAMFS file
system, inject Lua scripts, or cause a denial of service condition via
crafted HTTP requests.");
# Presumably the full URL behind the shortened see_also link on the next
# line; confirm before relying on it.
# http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3399
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eadb7d7e");
script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/security/center/viewAlert.x?alertId=35989");
script_set_attribute(attribute:"solution", value:"Apply the relevant patch referenced in the vendor advisory.");
# CVSS v2 base vector: network reachable, low complexity, single
# authentication required (Au:S, matching "authenticated attacker" in the
# description), no confidentiality impact, partial integrity and
# availability impact.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:P");
# Temporal vector: exploitability unproven (E:U), official fix available
# (RL:OF), report confirmed (RC:C). The two attributes that follow state the
# same "no known exploit" position in text form.
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
# Declared as a local check: the result depends on data collected from the
# device itself (see the dependency and required KB key below).
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:adaptive_security_appliance_software");
script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/06");
script_set_attribute(attribute:"patch_publication_date", value:"2014/10/06");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/02");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
script_family(english:"CISCO");
# Scheduling constraints: ssh_get_info.nasl is declared as a dependency, and
# the plugin requires the Host/Cisco/ASA KB key (presumably written by that
# dependency; confirm). A scan that never populates the key will not
# evaluate this check at all, which is not the same as "not vulnerable".
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/Cisco/ASA");
exit(0);
}
include("audit.inc");
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");
# No fixed release is known until the version matching further down selects
# one; a NULL value at that point means "not vulnerable".
fixed_ver = NULL;

# Read the ASA identification string recorded in the KB (the script exits
# here if the key is absent) and reduce it to a version. A parse failure is
# audited as a function failure instead of being treated as a clean result.
asa = get_kb_item_or_exit('Host/Cisco/ASA');
ver = extract_asa_version(asa);
if (isnull(ver))
{
  audit(AUDIT_FN_FAIL, 'extract_asa_version');
}
# Affected version list from advisory
#
# The loop that follows this list tests the installed version for equality
# (cisco_gen_ver_compare(...) == 0) against each entry, so this is an exact
# allow-list of affected builds, not a range. A build in an affected train
# that is not listed here (for example an interim build the advisory did not
# enumerate) falls through to the "not vulnerable" audit. Treat a negative
# result on an unlisted build as "not listed", and confirm against the
# vendor advisory.
#
# NOTE(review): entries mix dotted and parenthesised notation ("8.2.0.45"
# vs "8.0(1.28)"); this assumes cisco_gen_ver_compare() normalises both
# forms - confirm in cisco_func.inc.
versions = make_list(
"8.0(1.28)",
"8.2.0.45",
"8.2.1",
"8.2.1.11",
"8.2.2",
"8.2.2.9",
"8.2.2.10",
"8.2.2.12",
"8.2.2.16",
"8.2.2.17",
"8.2.3",
"8.2.4",
"8.2.4.1",
"8.2.4.4",
"8.2.5",
"8.2.5.13",
"8.2.5.22",
"8.2.5.26",
"8.2.5.33",
"8.2.5.40",
"8.2.5.41",
"8.2.5.46",
"8.2.5.48",
"8.2.5.50",
"8.3.1",
"8.3.1.1",
"8.3.1.4",
"8.3.1.6",
"8.3.2",
"8.3.2.4",
"8.3.2.13",
"8.3.2.23",
"8.3.2.25",
"8.3.2.31",
"8.3.2.33",
"8.3.2.34",
"8.3.2.37",
"8.3.2.39",
"8.3.2.40",
"8.3.2.41",
"8.4.1",
"8.4.1.3",
"8.4.1.11",
"8.4.2",
"8.4.2.1",
"8.4.2.8",
"8.4.3",
"8.4.3.8",
"8.4.3.9",
"8.4.4",
"8.4.4.1",
"8.4.4.3",
"8.4.4.5",
"8.4.4.9",
"8.4.5",
"8.4.5.6",
"8.4.6",
"8.4.7",
"8.4.7.3",
"8.4.7.15",
"8.4.7.22",
"8.4.7.23",
"8.6(0)",
"8.6.1",
"8.6.1.1",
"8.6.1.2",
"8.6.1.5",
"8.6.1.10",
"8.6.1.12",
"8.6.1.13",
"8.6.1.14",
"8.7(1)",
"9.0.1",
"9.0.2",
"9.0.2.10",
"9.0.3",
"9.0.3.6",
"9.0.3.8",
"9.0.4",
"9.0.4.1",
"9.0.4.5",
"9.0.4.7",
"9.0.4.17",
"9.0.4.20",
"9.1.1",
"9.1.1.4",
"9.1.2",
"9.1.2.8",
"9.1.3",
"9.1.3.2",
"9.1.4",
"9.1.4.5",
"9.1.5",
"9.1.5.10",
"9.2.1",
"9.2.2",
"9.2.2.4",
"9.3.1"
);
# Step 1: is the installed build one of the builds enumerated above?
# A comparison result of 0 is treated as "same version"; the scan stops at
# the first hit.
listed = FALSE;
foreach version (versions)
{
  if (cisco_gen_ver_compare(a:ver, b:version) == 0)
  {
    listed = TRUE;
    break;
  }
}

# Step 2: for a listed build, choose the fixed release for its train.
#  - 8.x has no fixed release named here; the report points at the vendor.
#  - 9.0 to 9.3 set fixed_ver only when check_asa_release() also agrees
#    against that train's patched release. If it does not, fixed_ver stays
#    NULL and the build is audited as not vulnerable even though it is listed.
# NOTE(review): the 9.3 train passes its patched release as "9.3.2" while
# the other trains use the parenthesised form (e.g. "9.2(2.5)"); confirm
# that check_asa_release() accepts both notations.
if (listed)
{
  if (ver =~ "^8\.")
    fixed_ver = "Refer to the vendor.";
  else if (ver =~ "^9\.0[^0-9]" && check_asa_release(version:ver, patched:"9.0(4.21)"))
    fixed_ver = "9.0(4.21)";
  else if (ver =~ "^9\.1[^0-9]" && check_asa_release(version:ver, patched:"9.1(5.12)"))
    fixed_ver = "9.1(5.12)";
  else if (ver =~ "^9\.2[^0-9]" && check_asa_release(version:ver, patched:"9.2(2.5)"))
    fixed_ver = "9.2(2.5)";
  else if (ver =~ "^9\.3[^0-9]" && check_asa_release(version:ver, patched:"9.3.2"))
    fixed_ver = "9.3.2";
}

# No fixed release selected means the installed version is reported as not
# vulnerable and the script stops here.
if (isnull(fixed_ver))
{
  audit(AUDIT_INST_VER_NOT_VULN, "Cisco ASA software", ver);
}
# Configuration gate: a vulnerable version is only reported when SSL VPN
# (webvpn) appears to be enabled, or when that could not be determined.
#   flag     - the webvpn running-config was readable and contains "enable"
#   override - the output was not usable and cisco_needs_enable() says so
#              (presumably: privileged mode was required - confirm)
flag = FALSE;
override = FALSE;

# Check if SSL VPN is configured
if (get_kb_item("Host/local_checks_enabled"))
{
  buf = cisco_command_kb_item("Host/Cisco/Config/show_running-config_webvpn", "show running-config webvpn");
  if (!check_cisco_result(buf))
  {
    if (cisco_needs_enable(buf)) override = TRUE;
  }
  # NOTE(review): the pattern is the bare substring "enable", so any line of
  # the webvpn configuration containing that word sets the flag. That errs
  # toward reporting; if false positives show up, compare against real
  # command output before anchoring the pattern.
  else if (preg(multiline:TRUE, pattern:"enable", string:buf)) flag = TRUE;
}

# When local checks are not enabled neither variable is set, so the host is
# audited as "not affected" without the configuration ever being inspected.
# Read that audit result as "not confirmed", not as evidence of a safe
# configuration.
if (!(flag || override))
{
  audit(AUDIT_HOST_NOT, "affected");
}
# Report the finding at warning severity on port 0. The version details are
# included only when report verbosity is above 0; the caveat text derived
# from `override` is appended in both cases (presumably a notice that the
# configuration could not be verified - confirm in cisco_func.inc).
if (report_verbosity > 0)
  report =
    '\n Installed version : ' + ver +
    '\n Fixed version : ' + fixed_ver +
    '\n';
else
  report = '';

security_warning(port:0, extra:report + cisco_caveat(override));