Dell iDRAC9 Directory Traversal (DSA-2020-128)

2020-07-31T00:00:00
ID DRAC_DSA-2020-128.NASL
Type nessus
Reporter This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-07-31T00:00:00

Description

The remote host is running iDRAC9 with a firmware version prior to 4.20.20.20. It is, therefore, affected by a directory traversal vulnerability due to insufficient validation of user input. An authenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server's restricted path.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(139206);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/07");

  script_cve_id("CVE-2020-5366");
  script_xref(name:"IAVA", value:"2020-A-0343-S");

  script_name(english:"Dell iDRAC9 Directory Traversal (DSA-2020-128)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a directory traversal vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is running iDRAC9 with a firmware version prior to 4.20.20.20. It is, therefore, affected by a 
directory traversal vulnerability due to insufficient validation of user input. An authenticated, remote attacker can 
exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located 
outside of the server's restricted path. 

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://www.dell.com/support/article/en-ie/sln322125/dsa-2020-128-idrac-local-file-inclusion-vulnerability?lang=en
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dbd53980");
  script_set_attribute(attribute:"solution", value:
"Update the remote host to iDRAC9 firmware 4.20.20.20 or higher.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-5366");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/07/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/07/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/07/31");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:dell:idrac9");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("drac_detect.nasl");
  script_require_keys("installed_sw/iDRAC");
  script_require_ports("Services/www", 443);

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');
include('http.inc');

port = get_http_port(default:443, embedded:TRUE);

app_info = vcf::idrac::get_app_info(port:port);

constraints = [{'idrac':'9', 'min_version':'1.0', 'fixed_version':'4.20.20.20'}];

vcf::idrac::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_WARNING
);