Rockwell Automation MicroLogix 1400 and CompactLogix 5370 Controllers URL Redirection to Untrusted Site (CVE-2019-10955)

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(500281);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/11");

  script_cve_id("CVE-2019-10955");

  script_name(english:"Rockwell Automation MicroLogix 1400 and CompactLogix 5370 Controllers URL Redirection to Untrusted Site (CVE-2019-10955)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"In Rockwell Automation MicroLogix 1400 Controllers Series A, All Versions Series B, v15.002 and earlier, MicroLogix 1100
Controllers v14.00 and earlier, CompactLogix 5370 L1 controllers v30.014 and earlier, CompactLogix 5370 L2 controllers
v30.014 and earlier, CompactLogix 5370 L3 controllers (includes CompactLogix GuardLogix controllers) v30.014 and
earlier, an open redirect vulnerability could allow a remote unauthenticated attacker to input a malicious link to
redirect users to a malicious site that could run or download arbitrary malware on the user's machine.  

This plugin
only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/bid/108049");
  script_set_attribute(attribute:"see_also", value:"https://ics-cert.us-cert.gov/advisories/ICSA-19-113-01");
  # https://www.rockwellautomation.com/en-us/support/advisory.PN1068.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ee4ba456");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Rockwell Automation has released a security advisory with mitigation steps that can be found at:

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1086288 (Login required)

Rockwell Automation recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
Specifically, users should:

- Update to the latest available firmware revision that addresses the associated risk.
- Use trusted software, software patches, anti-virus/anti-malware programs, and interact only with trusted websites and
attachments.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from
the Internet.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods such as virtual private networks (VPNs), recognizing that VPNs may
have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected
devices.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering
attack.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-10955");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(601);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/04/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:micrologix_1400_b_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:micrologix_1400_a_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:micrologix_1100_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_5370_l1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_5370_l2_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:rockwellautomation:compactlogix_5370_l3_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Rockwell");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Rockwell');

var asset = tenable_ot::assets::get(vendor:'Rockwell');

var vuln_cpes = {
    "cpe:/o:rockwellautomation:micrologix_1400_b_firmware" :
        {"versionEndIncluding" : "15.002", "family" : "MicroLogix1400"},
    "cpe:/o:rockwellautomation:micrologix_1400_a_firmware" :
        {"family" : "MicroLogix1400"},
    "cpe:/o:rockwellautomation:micrologix_1100_firmware" :
        {"versionEndIncluding" : "14.00", "family" : "MicroLogix1100"},
    "cpe:/o:rockwellautomation:compactlogix_5370_l1_firmware" :
        {"versionEndIncluding" : "30.014", "family" : "CompactLogix5370"},
    "cpe:/o:rockwellautomation:compactlogix_5370_l2_firmware" :
        {"versionEndIncluding" : "30.014", "family" : "CompactLogix5370"},
    "cpe:/o:rockwellautomation:compactlogix_5370_l3_firmware" :
        {"versionEndIncluding" : "30.014", "family" : "CompactLogix5370"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);