Cisco ASA WebVPN XSS

2013-07-30T00:00:00
ID CISCO_ASA_CSCUG83080.NASL
Type nessus
Reporter Tenable
Modified 2018-07-06T00:00:00

Description

According to its self-reported version, the remote Cisco ASA is missing a security patch and is affected by a cross-site scripting vulnerability in the WebVPN portal login page. An attacker could exploit this by tricking a user into requesting a specially crafted URL, resulting in arbitrary script code execution.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration branch: when `description` is set, the script only declares its
# metadata (IDs, references, risk scoring, dependencies) and then exits, so
# none of the detection logic after this block runs in that mode.
if (description)
{
  script_id(69138);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/06");

  # Cross-references used to correlate this finding with vendor and
  # third-party advisories.
  script_cve_id("CVE-2013-3414");
  script_bugtraq_id(61451);
  script_xref(name:"CISCO-BUG-ID", value:"CSCug83080");

  script_name(english:"Cisco ASA WebVPN XSS");
  # The summary says it plainly: this is a version comparison, not a probe of
  # the portal itself.
  script_summary(english:"Checks ASA version");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote security device is missing a vendor-supplied security
patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"According to its self-reported version, the remote Cisco ASA is missing
a security patch and is affected by a cross-site scripting vulnerability
in the WebVPN portal login page.  An attacker could exploit this by
tricking a user into requesting a specially crafted URL, resulting in
arbitrary script code execution."
  );
  # Presumably the expanded target of the shortened nessus.org link below:
  # http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3414
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2b7e295d");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/security/center/viewAlert.x?alertId=30214");
  script_set_attribute(
    attribute:"solution",
    value:
"According to the Cisco Security Notice for CVE-2013-3414, fixes can be
obtained by contacting normal support channels."
  );
  # CVSS v2 base: network vector, medium access complexity, no authentication,
  # partial integrity impact only. Temporal: exploit unproven (E:U), official
  # fix available (RL:OF), report confirmed (RC:C).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  # CVSS v3 base: user interaction required (UI:R) with changed scope (S:C)
  # and low integrity impact.
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  # 79 is the cross-site scripting weakness itself; most of the remaining IDs
  # look like parent weaknesses and category/view entries -- TODO confirm.
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/07/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/30");

  # Declared as a "local" check: the result depends on data collected from the
  # device (see the dependency and required KB key below), not on a remote
  # request to the portal.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:adaptive_security_appliance_software");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  # The script requires the Host/Cisco/ASA KB key; presumably it is populated
  # by ssh_get_info.nasl, which is listed as a dependency -- verify.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/Cisco/ASA");

  # Nothing below this point runs while registering.
  exit(0);
}
include("cisco_func.inc");
include("cisco_kb_cmd_func.inc");
include("audit.inc");

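# Read the ASA banner/version data from the KB and reduce it to a version
# string of the form 'X.Y(Z)N'. The plugin cannot continue without it.
asa = get_kb_item_or_exit('Host/Cisco/ASA');
ver = extract_asa_version(asa);
if (isnull(ver))
  audit(AUDIT_FN_FAIL, 'extract_asa_version');
else
{
  # Releases flagged as affected. Matching is by exact string equality, so a
  # build that is not listed here (for example an interim build between two
  # listed ones) is treated as not affected.
  #
  # Fix: five entries -- 7.1(2)81, 7.2(5)8, 8.0(5)31, 8.2(5)41 and 8.7(1)4 --
  # previously carried a trailing space inside the quotes. Assuming
  # extract_asa_version() returns the version without trailing whitespace
  # (TODO confirm), those comparisons could never succeed and the five
  # releases were silently reported as not vulnerable.
  affected_versions = make_list(
    # 7.0
    '7.0(1)', '7.0(1)4', '7.0(2)', '7.0(3)', '7.0(4)', '7.0(4)2',
    '7.0(5)', '7.0(5)12', '7.0(6)', '7.0(6)18', '7.0(6)22', '7.0(6)26',
    '7.0(6)29', '7.0(6)32', '7.0(6)4', '7.0(6)8', '7.0(7)', '7.0(7)1',
    '7.0(7)12', '7.0(7)4', '7.0(7)9', '7.0(8)', '7.0(8)12', '7.0(8)13',
    '7.0(8)2', '7.0(8)8',
    # 7.1
    '7.1(2)', '7.1(2)16', '7.1(2)20', '7.1(2)24', '7.1(2)28', '7.1(2)38',
    '7.1(2)42', '7.1(2)46', '7.1(2)49', '7.1(2)53', '7.1(2)61', '7.1(2)64',
    '7.1(2)72', '7.1(2)81',
    # 7.2
    '7.2(1)', '7.2(1)13', '7.2(1)19', '7.2(1)24', '7.2(1)9', '7.2(2)',
    '7.2(2)10', '7.2(2)14', '7.2(2)18', '7.2(2)19', '7.2(2)22', '7.2(2)34',
    '7.2(2)6', '7.2(3)', '7.2(3)1', '7.2(3)12', '7.2(3)16', '7.2(4)',
    '7.2(4)18', '7.2(4)25', '7.2(4)27', '7.2(4)30', '7.2(4)33', '7.2(4)6',
    '7.2(4)9', '7.2(5)', '7.2(5)10', '7.2(5)2', '7.2(5)4', '7.2(5)7',
    '7.2(5)8',
    # 8.0
    '8.0(1)2', '8.0(2)', '8.0(2)11', '8.0(2)15', '8.0(3)', '8.0(3)12',
    '8.0(3)19', '8.0(3)6', '8.0(4)', '8.0(4)16', '8.0(4)23', '8.0(4)25',
    '8.0(4)28', '8.0(4)3', '8.0(4)31', '8.0(4)32', '8.0(4)33', '8.0(4)9',
    '8.0(5)', '8.0(5)20', '8.0(5)23', '8.0(5)25', '8.0(5)27', '8.0(5)28',
    '8.0(5)31',
    # 8.1
    '8.1(1)', '8.1(1)6', '8.1(2)', '8.1(2)13', '8.1(2)15', '8.1(2)16',
    '8.1(2)19', '8.1(2)23', '8.1(2)24', '8.1(2)49', '8.1(2)50', '8.1(2)55',
    '8.1(2)56',
    # 8.2
    '8.2(0)45', '8.2(1)', '8.2(1)11', '8.2(2)', '8.2(2)10', '8.2(2)12',
    '8.2(2)16', '8.2(2)17', '8.2(2)9', '8.2(3)', '8.2(4)', '8.2(4)1',
    '8.2(4)4', '8.2(5)', '8.2(5)13', '8.2(5)22', '8.2(5)26', '8.2(5)33',
    '8.2(5)40', '8.2(5)41',
    # 8.3
    '8.3(1)', '8.3(1)4', '8.3(1)6', '8.3(2)', '8.3(2)13', '8.3(2)23',
    '8.3(2)25', '8.3(2)31', '8.3(2)33', '8.3(2)34', '8.3(2)37', '8.3(2)4',
    # 8.4
    '8.4(1)', '8.4(1)11', '8.4(1)3', '8.4(2)', '8.4(2)1', '8.4(2)8',
    '8.4(3)', '8.4(3)8', '8.4(3)9', '8.4(4)', '8.4(4)1', '8.4(4)3',
    '8.4(4)5', '8.4(4)9', '8.4(5)', '8.4(5)6', '8.4(6)',
    # 8.5
    '8.5(1)', '8.5(1)1', '8.5(1)14', '8.5(1)17', '8.5(1)6', '8.5(1)7',
    # 8.6
    '8.6(1)', '8.6(1)1', '8.6(1)10', '8.6(1)2', '8.6(1)5',
    # 8.7
    '8.7(1)', '8.7(1)1', '8.7(1)3', '8.7(1)4',
    # 9.0 / 9.1
    '9.0(1)', '9.0(2)', '9.1(1)', '9.1(1)4', '9.1(2)'
  );

  # Default to "not affected"; flip only on an exact match.
  vuln = FALSE;
  foreach affected (affected_versions)
  {
    if (ver == affected)
    {
      vuln = TRUE;
      break;
    }
  }
}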

# Configuration cross-check. When local checks are enabled and the version is
# on the affected list, the finding is kept only if the running configuration
# shows the clientless SSL VPN portal in use. `override` records that the
# configuration could not be read because privileged (enable) access was
# missing, in which case the version-only result is reported with a caveat.
override = FALSE;
if (get_kb_item("Host/local_checks_enabled") && vuln)
{
  # Start from "not affected" and let the configuration prove otherwise.
  vuln = FALSE;

  # Step 1: is WebVPN enabled on an interface?
  webvpn_cfg = cisco_command_kb_item("Host/Cisco/Config/show running-config webvpn", "show running-config webvpn");

  if (!check_cisco_result(webvpn_cfg))
  {
    # Output unusable; remember whether that was due to missing enable rights.
    if (cisco_needs_enable(webvpn_cfg)) override = TRUE;
  }
  # NOTE(review): the pattern only matches an interface literally named
  # "outside". A portal enabled on an interface with a different name would
  # not match, and the host would then be audited as not affected -- confirm
  # whether that is intended.
  else if (preg(multiline:TRUE, pattern:".*enable outside", string:webvpn_cfg))
  {
    # Step 2: does any group policy allow the clientless protocol?
    # NOTE(review): only the "ssl-clientless" keyword is matched. Presumably
    # some older releases on the affected list use a different keyword, and
    # settings left at their defaults may not appear in this output -- verify,
    # since either case would produce a false negative.
    # NOTE(review): a failure of this second command (including missing enable
    # rights) is not turned into an override; the host is audited as not
    # affected instead.
    policy_cfg = cisco_command_kb_item("Host/Cisco/Config/show running-config group-policy | include vpn-tunnel-protocol", "show running-config group-policy | include vpn-tunnel-protocol");
    if (check_cisco_result(policy_cfg) &&
        preg(multiline:TRUE, pattern:"vpn-tunnel-protocol.*ssl-clientless", string:policy_cfg))
      vuln = TRUE;
  }

  if (!vuln && !override) audit(AUDIT_HOST_NOT, "affected because the Clientless SSL VPN portal is not enabled");
}

# Final verdict: audit out when neither the version/config checks nor the
# override flag call for a report; otherwise emit the finding, listing the
# commands whose output the configuration check relies on.
if (!vuln && !override)
  audit(AUDIT_INST_VER_NOT_VULN, "Cisco ASA software", ver);
else
{
  security_report_cisco(
    port     : 0,
    severity : SECURITY_WARNING,
    override : override,
    version  : ver,
    cmds     : make_list(
                 "show running-config webvpn",
                 "show running-config group-policy | include vpn-tunnel-protocol"
               ),
    xss      : TRUE
  );
}