nessusThis script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.TENABLE_OT_METTLERTOLEDO_CVE-2021-40661.NASL
HistoryAug 07, 2024 - 12:00 a.m.

Mettler Toledo IND780 Weighing Terminal Remote Unauthenticated Directory Traversal (CVE-2021-40661)

2024-08-0700:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
5
vulnerability
directory traversal
remote access
ind780
version enumeration
tenable.ot

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.3

Confidence

Low

EPSS

0.019

Percentile

88.7%

A remote, unauthenticated, directory traversal vulnerability was identified within the web interface used by IND780 Advanced Weighing Terminals Build 8.0.07 March 19, 2018 (SS Label ‘IND780_8.0.07’), Version 7.2.10 June 18, 2012 (SS Label ‘IND780_7.2.10’). It was possible to traverse the folders of the affected host by providing a traversal path to the ‘webpage’ parameter in AutoCE.ini. This could allow a remote unauthenticated adversary to access additional files on the affected system. This could also allow the adversary to perform further enumeration against the affected host to identify the versions of the systems in use, in order to launch further attacks in future.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

# Plugin metadata registration. This branch runs only when `description` is
# set and ends with exit(0), so the detection statements after the block are
# not reached in that pass.
if (description)
{
  # Plugin identity and revision tracking.
  script_id(502352);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/08/08");

  script_cve_id("CVE-2021-40661");

  script_name(english:"Mettler Toledo IND780 Weighing Terminal Remote Unauthenticated Directory Traversal (CVE-2021-40661)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A remote, unauthenticated, directory traversal vulnerability was
identified within the web interface used by IND780 Advanced Weighing
Terminals Build 8.0.07 March 19, 2018 (SS Label 'IND780_8.0.07'),
Version 7.2.10 June 18, 2012 (SS Label 'IND780_7.2.10'). It was
possible to traverse the folders of the affected host by providing a
traversal path to the 'webpage' parameter in AutoCE.ini This could
allow a remote unauthenticated adversary to access additional files on
the affected system. This could also allow the adversary to perform
further enumeration against the affected host to identify the versions
of the systems in use, in order to launch further attacks in future.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  # NOTE(review): the description text above reads "AutoCE.ini This could";
  # a full stop is missing after the file name.

  # https://sidsecure.au/blog/cve-2021-40661/?_sm_pdc=1&_sm_rid=MRRqb4KBDnjBMJk24b40LMS3SKqPMqb4KVn32Kr
  # Presumably the shortened nessus.org link below resolves to the write-up
  # above - confirm. The query string on that URL looks like tracking
  # parameters rather than part of the article address.
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8a156044");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2021-40661");
  # NOTE(review): the solution names no fixed build or interim mitigation.
  # Readers must follow the references above to find remediation steps.
  script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
  # Scoring: network vector, no authentication or privileges, and the impact
  # is confidentiality only (C:C / C:H with I:N and A:N), i.e. file disclosure
  # rather than modification or outage. The CVSS3 strings are tagged 3.0.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-40661");

  # Exploit availability is declared here and matches the proof-of-concept
  # maturity (E:POC / E:P) in the temporal vectors above.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  # CWE-22: path traversal.
  script_cwe_id(22);

  # NOTE(review): vulnerability and patch publication dates are identical.
  script_set_attribute(attribute:"vuln_publication_date", value:"2022/10/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/10/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/08/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  # One CPE per affected firmware build; the same two CPE strings key the
  # version table in the detection section of this file.
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mt:ind780_firmware:7.2.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mt:ind780_firmware:8.0.07");
  script_end_attributes();

  # Registered as an information-gathering plugin in the Tenable.ot family.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Scheduling prerequisites: a dependency plugin and a required KB key.
  # Presumably tenable_ot_api_integration.nasl is what populates the
  # 'Tenable.ot/MettlerToledo' key - confirm against that plugin.
  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/MettlerToledo");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

# Detection logic. The statements visible here read the KB and the asset
# record, then hand a version table to a shared helper for comparison and
# reporting. What the helpers do internally is not visible in this file.

# Stop early unless the Mettler Toledo KB key is present.
get_kb_item_or_exit('Tenable.ot/MettlerToledo');

# Asset record for this vendor, as returned by the Tenable.ot helper.
var ot_asset = tenable_ot::assets::get(vendor:'MettlerToledo');

# Affected firmware, keyed by CPE. In each entry the inclusive start and end
# bounds are the same version, so an entry describes exactly one build of the
# IND780 family.
# NOTE(review): only builds 7.2.10 and 8.0.07 are listed. A build outside these
# two entries presumably produces no finding, so absence of a finding should
# not be read as "not affected" for other builds - confirm against the
# vendor advisory.
var affected_cpes = {
  "cpe:/o:mt:ind780_firmware:7.2.10" : {
    "versionEndIncluding"   : "7.2.10",
    "versionStartIncluding" : "7.2.10",
    "family"                : "IND780"
  },
  "cpe:/o:mt:ind780_firmware:8.0.07" : {
    "versionEndIncluding"   : "8.0.07",
    "versionStartIncluding" : "8.0.07",
    "family"                : "IND780"
  }
};

# Compare the asset against the table and report matches at SECURITY_HOLE
# severity.
tenable_ot::cve::compare_and_report(
  asset:ot_asset,
  cpes:affected_cpes,
  severity:SECURITY_HOLE
);

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.3

Confidence

Low

EPSS

0.019

Percentile

88.7%
