Cisco Nexus 9000 Series Fabric Switches Application Centric Infrastructure Mode Symbolic Link Path Traversal (CVE-2019-1836)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(501300);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/26");

  script_cve_id("CVE-2019-1836");

  script_name(english:"Cisco Nexus 9000 Series Fabric Switches Application Centric Infrastructure Mode Symbolic Link Path Traversal (CVE-2019-1836)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability in the system shell for Cisco Nexus 9000 Series Fabric
Switches in Application Centric Infrastructure (ACI) mode could allow
an authenticated, local attacker to use symbolic links to overwrite
system files. These system files may be sensitive and should not be
overwritable by non-root users. The attacker would need valid device
credentials. The vulnerability is due to incorrect symbolic link
verification of directory paths when they are used in the system
shell. An attacker could exploit this vulnerability by authenticating
to the device and providing crafted user input to specific symbolic
link CLI commands. Successful exploitation could allow the attacker to
overwrite system files that should be restricted. This vulnerability
has been fixed in software version 14.1(1i).

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/bid/108150");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-fabric-traversal
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b8edbc36");
  script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1836");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(59);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/07/25");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os:14.0%283d%29");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Cisco");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Cisco');

var asset = tenable_ot::assets::get(vendor:'Cisco');

var vuln_cpes = {
    "cpe:/o:cisco:nx-os:14.0%283d%29" :
        {"versionEndIncluding" : "14.0%283d%29", "versionStartIncluding" : "14.0%283d%29", "family" : "NXOS"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);