nessus | EMC_RSA_ARCHER_CVE-2021-33615.NASL
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
History: Jan 06, 2023 - 12:00 a.m.

EMC RSA Archer 6.0 < 6.9 SP3 P4 / 6.10 < 6.10 P2 Remote Code Execution

www.tenable.com
emc, rsa archer, 6.x, 6.9 sp3 p4, 6.10.x, 6.10 p2, remote code execution, upload vulnerability, asp web shell, nessus, application version

EPSS: 0.003 (Low)
Percentile: 68.4%

The version of EMC RSA Archer running on the remote web server is 6.x prior to 6.9.3.4 (6.9 SP3 P4) or 6.10.x prior to 6.10.0.2 (6.10 P2). It is, therefore, affected by a remote code execution vulnerability due to unrestricted upload of a file with a dangerous type. A remote, authenticated malicious user could potentially upload an ASP web shell to either of two endpoints, IconUploadHandler.ashx and GraphicUploadHandler.ashx, allowing them to execute arbitrary code on the affected host.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(169673);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/01/09");

  script_cve_id("CVE-2021-33615");

  script_name(english:"EMC RSA Archer 6.0 < 6.9 SP3 P4 / 6.10 < 6.10 P2 Remote Code Execution");

  script_set_attribute(attribute:"synopsis", value:
"An application running on the remote host is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of EMC RSA Archer running on the remote web server is 6.x prior to 6.9.3.4 (6.9 SP3 P4), 6.10.x 
prior to 6.10.0.2 (6.10 P2). It is, therefore, affected by a remote code execution vulnerability due to
unrestricted upload of a file with a dangerous type. A remote, authenticated malicious user could potentially 
upload an ASP web shell to either of two endpoints IconUploadHandler.ashx and GraphicUploadHandler.ashx,
allowing them to execute arbitrary code on the affected host.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://www.archerirm.community/t5/security-advisories/archer-update-for-multiple-vulnerabilities/ta-p/677341#:~:text=%E2%80%A2%20Remote%20Code%20Execution%20Vulnerability%20CVE%2D2021%2D33615&text=Code%20Execution%20Vulnerability.-,A%20remote%20authenticated%20malicious%20user%20could%20potentially%20exploit%20this%20vulnerability,3.4)%20are%20also%20fixed%20releases.
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ea206367");
  # https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0027/MNDT-2022-0027.md
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dd5e4584");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2021-33615");
  script_set_attribute(attribute:"solution", value:
"Update to 6.9 SP3 P4, 6.10 P2, 6.11 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-33615");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(434);

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/05/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/05/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/06");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:emc:rsa_archer_egrc");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("emc_rsa_archer_detect.nbin");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include('http.inc');
include('vcf.inc');

var app_name = 'EMC RSA Archer';
var port = get_http_port(default:80);

var app_info = vcf::get_app_info(app:app_name, webapp:TRUE, port:port);

var constraints = [
  {'min_version' : '6.0', 'fixed_version' : '6.9.3.4', 'fixed_display' : '6.9 SP3 P4 (6.9.3.4)'},
  {'min_version' : '6.10', 'fixed_version' : '6.10.0.2', 'fixed_display' : '6.10 P2 (6.10.0.2)'}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
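
The range logic encoded in the plugin's constraints, as an added Python example (not Tenable's code and not the vcf library). It assumes purely numeric dotted versions and compares them segment by segment, because plain string comparison sorts 6.10 and 6.11 below 6.9 and would flag a fixed 6.11 build.

```python
from itertools import zip_longest

# Constraints copied from the plugin's `constraints` list.
CONSTRAINTS = [
    {"min_version": "6.0", "fixed_version": "6.9.3.4",
     "fixed_display": "6.9 SP3 P4 (6.9.3.4)"},
    {"min_version": "6.10", "fixed_version": "6.10.0.2",
     "fixed_display": "6.10 P2 (6.10.0.2)"},
]


def parse_version(text):
    """Turn '6.9.3.4' into (6, 9, 3, 4); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a, b):
    """Return -1, 0 or 1; missing trailing segments count as 0 (6.10 == 6.10.0)."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def matching_fix(version):
    """Return the fixed_display of the constraint the version falls in, or None."""
    for c in CONSTRAINTS:
        if compare(version, c["min_version"]) >= 0 and \
           compare(version, c["fixed_version"]) < 0:
            return c["fixed_display"]
    return None


def naive_string_match(version):
    """Deliberately wrong: lexical comparison, shown only for contrast."""
    return any(c["min_version"] <= version < c["fixed_version"]
               for c in CONSTRAINTS)


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real scan.
    for v in ["6.9.3.3", "6.9.3.4", "6.10.0.1", "6.10.0.2", "6.11"]:
        print(v, "->", matching_fix(v) or "not in an affected range",
              "| naive string check flags it:", naive_string_match(v))
```

Like the plugin, this only evaluates the version string it is given, so the result is no stronger than the application's self-reported version.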

Vendor | Product | Version | CPE
emc | rsa_archer_egrc | | cpe:/a:emc:rsa_archer_egrc
