nessus — This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof. TENABLE_OT_AUTOMATEDLOGICCORPORATION_CVE-2022-1019.NASL
History: Apr 06, 2023 - 12:00 a.m.

Automated Logic WebCTRL URL Redirection to Untrusted Site (CVE-2022-1019)

2023-04-06 00:00:00
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
6
automated logic
webctrl server
vulnerability
cve-2022-1019
redirection
untrusted site
malicious file download
tenable.ot

0.001 Low

EPSS

Percentile

28.7%

Automated Logic's WebCtrl Server Version 6.1 'Help' index pages are vulnerable to open redirection. The vulnerability allows an attacker to send a maliciously crafted URL which could result in redirecting the user to a malicious webpage or downloading a malicious file.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  # Registration phase: the scanner loads the plugin with `description` set and
  # only the metadata below is evaluated; the detection body after this block
  # runs in a separate pass.
  script_id(500965);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/11");

  script_cve_id("CVE-2022-1019");

  script_name(english:"Automated Logic WebCTRL URL Redirection to Untrusted Site (CVE-2022-1019)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"Automated Logic's WebCtrl Server Version 6.1 'Help' index pages are
vulnerable to open redirection. The vulnerability allows an attacker
to send a maliciously crafted URL which could result in redirecting
the user to a malicious webpage or downloading a malicious file.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  # https://www.corporate.carrier.com/Images/CARR-PSA-ALC-WebCTRL-001-1121_tcm558-149395.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5b5b2471");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-22-109-02");
  # Solution text is reproduced from the CISA advisory. NOTE(review): the CSP
  # meta tag quoted below still allows 'unsafe-inline' and 'unsafe-eval' for
  # scripts, so it limits where resources may be loaded from rather than
  # hardening the page against injected script; the vendor update is the fix
  # and the meta tag is a stop-gap.
  script_set_attribute(attribute:"solution", value:
'The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Carrier recommends users contact an Automated Logic dealer for instructions to download the latest version of WebCTRL.

Carrier also recommends the following manual workaround:

- An administrator can add the CSP header/meta tag to each Γ’Β€Βœindex.htmҀ file in each of the directories under
Γ’Β€Βœ<install_dir>/webroot/_common/lvl5/help/*Ҁ
- Example would read: <meta http-equiv="Content-Security-Policy" content="default-src \'self\'; img-src \'self\' data:;
font-src \'self\' data:; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\'; style-src \'self\' \'unsafe-inline\'">

Please see Carrier product security advisory CARR-PSA-001-1121 for more information.');
  # Scoring: CVSSv2 and CVSSv3.0 base/temporal vectors taken from the CVE
  # record (cvss_score_source below). Temporal E:U matches the
  # "No known exploits are available" attribute.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-1019");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  # CWE-601: URL Redirection to Untrusted Site ("Open Redirect").
  script_cwe_id(601);

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/04/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/04/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/04/06");

  # "remote" plugin type, but no packet is sent to the asset: the finding is
  # derived from Tenable.ot inventory data (see the KB requirement below).
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:automatedlogic:webctrl_server");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  # Must follow every script_set_attribute() call above.
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The integration plugin populates the Tenable.ot/* KB keys; this plugin is
  # skipped entirely unless the vendor key exists.
  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/AutomatedLogicCorporation");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

# Detection phase. Nothing is sent to the device: the asset inventory collected
# by tenable_ot_api_integration.nasl is read back from the KB and matched
# against the affected CPE/version range.
get_kb_item_or_exit('Tenable.ot/AutomatedLogicCorporation');

var asset = tenable_ot::assets::get(vendor:'AutomatedLogicCorporation');

# Affected range is exactly WebCTRL 6.1 (both bounds inclusive), as stated in
# the plugin description.
var affected = {};
affected["cpe:/a:automatedlogic:webctrl_server"] = {
  "versionStartIncluding" : "6.1",
  "versionEndIncluding"   : "6.1",
  "family"                : "WebCTRL"
};

# Reports at SECURITY_WARNING (medium) when the asset's version falls in range.
tenable_ot::cve::compare_and_report(asset:asset, cpes:affected, severity:SECURITY_WARNING);
Vendor: automatedlogic — Product: webctrl_server — CPE: cpe:/a:automatedlogic:webctrl_server