Lucene search

HistoryJul 25, 2023 - 12:00 a.m.

Cisco NX-OS Software CLI Arbitrary Command Injection (CVE-2018-0307)

2023-07-2500:00:00

www.tenable.com

cisco

nx-os

command injection

vulnerability

authentication

local attacker

input validation

privileged user

root privileges

vdc

nexus series

cisco bug ids

tenable.ot

scanner

7.2 High

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

5.2%

JSON

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to perform a command-injection attack on an affected device. The vulnerability is due to insufficient input validation of command arguments. An attacker could exploit this vulnerability by injecting malicious command arguments into a vulnerable CLI command. A successful exploit could allow the attacker, authenticated as a privileged user, to execute arbitrary commands with root privileges. Note: On products that support multiple virtual device contexts (VDC), this vulnerability could allow an attacker to access files from any VDC. This vulnerability affects Nexus 2000 Series Fabric Extenders, Nexus 3000 Series Switches, Nexus 3500 Platform Switches, Nexus 3600 Platform Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules. Cisco Bug IDs: CSCve51704, CSCve91749, CSCve91768.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(501277);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/26");

  script_cve_id("CVE-2018-0307");

  script_name(english:"Cisco NX-OS Software CLI Arbitrary Command Injection (CVE-2018-0307)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability in the CLI of Cisco NX-OS Software could allow an
authenticated, local attacker to perform a command-injection attack on
an affected device. The vulnerability is due to insufficient input
validation of command arguments. An attacker could exploit this
vulnerability by injecting malicious command arguments into a
vulnerable CLI command. A successful exploit could allow the attacker,
authenticated as a privileged user, to execute arbitrary commands with
root privileges. Note: On products that support multiple virtual
device contexts (VDC), this vulnerability could allow an attacker to
access files from any VDC. This vulnerability affects Nexus 2000
Series Fabric Extenders, Nexus 3000 Series Switches, Nexus 3500
Platform Switches, Nexus 3600 Platform Switches, Nexus 5500 Platform
Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches,
Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000
Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line
Cards and Fabric Modules. Cisco Bug IDs: CSCve51704, CSCve91749,
CSCve91768.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"http://www.securitytracker.com/id/1041169");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-cli-injection
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?38e5ac5c");
  script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0307");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(78);

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/06/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/07/25");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os:7.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os:8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os:8.2");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Cisco");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Cisco');

var asset = tenable_ot::assets::get(vendor:'Cisco');

var vuln_cpes = {
    "cpe:/o:cisco:nx-os:7.3%283%29n1%281%29" :
        {"versionEndExcluding" : "7.3%283%29n1%281%29", "versionStartIncluding" : "6.0", "family" : "NXOS"},
    "cpe:/o:cisco:nx-os:8.1%282%29" :
        {"versionEndExcluding" : "8.1%282%29", "versionStartIncluding" : "6.2", "family" : "NXOS"},
    "cpe:/o:cisco:nx-os:8.2" :
        {"versionEndIncluding" : "8.2", "versionStartIncluding" : "8.2", "family" : "NXOS"},
    "cpe:/o:cisco:nx-os:7.0%283%29i3" :
        {"versionEndExcluding" : "7.0%283%29i3", "family" : "NXOS"},
    "cpe:/o:cisco:nx-os:7.0%283%29i7%281%29" :
        {"versionEndExcluding" : "7.0%283%29i7%281%29", "versionStartIncluding" : "7.0%283%29i4", "family" : "NXOS"},
    "cpe:/o:cisco:nx-os:7.0" :
        {"versionEndIncluding" : "7.0", "versionStartIncluding" : "7.0", "family" : "NXOS"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);

VendorProductVersionCPE
cisconx-os7cpe:/o:cisco:nx-os:7
cisconx-os7.0cpe:/o:cisco:nx-os:7.0
cisconx-os8cpe:/o:cisco:nx-os:8
cisconx-os8.2cpe:/o:cisco:nx-os:8.2

Vendor	Product	Version	CPE
cisco	nx-os	7	cpe:/o:cisco:nx-os:7
cisco	nx-os	7.0	cpe:/o:cisco:nx-os:7.0
cisco	nx-os	8	cpe:/o:cisco:nx-os:8
cisco	nx-os	8.2	cpe:/o:cisco:nx-os:8.2

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0307

www.nessus.org/u?38e5ac5c

www.securitytracker.com/id/1041169

7.2 High

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

5.2%

JSON

Related for TENABLE_OT_CISCO_CVE-2018-0307.NASL