An exploitable code execution vulnerability exists in the processing of multi-part/form-data requests within the base GoAhead web server application in versions v5.0.1, v.4.1.1 and v3.6.5. A specially crafted HTTP request can lead to a use-after-free condition during the processing of this request that can be used to corrupt heap structures that could lead to full code execution. The request can be unauthenticated in the form of GET or POST requests, and does not require the requested resource to exist on the server.
Rockwell Automation is aware of multiple products that utilize the GoAhead web server application and are affected by CVE 2019-5096.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(500904);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");
script_cve_id("CVE-2019-5096");
script_name(english:"Rockwell Automation products using GoAhead Web Server Use After Free (CVE-2019-5096)");
script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
script_set_attribute(attribute:"description", value:
"An exploitable code execution vulnerability exists in the processing
of multi-part/form-data requests within the base GoAhead web server
application in versions v5.0.1, v.4.1.1 and v3.6.5. A specially
crafted HTTP request can lead to a use-after-free condition during the
processing of this request that can be used to corrupt heap structures
that could lead to full code execution. The request can be
unauthenticated in the form of GET or POST requests, and does not
require the requested resource to exist on the server.
Rockwell Automation is aware of multiple products that utilize the
GoAhead web server application and are affected by CVE 2019-5096.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
script_set_attribute(attribute:"see_also", value:"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0888");
script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-23-026-06");
# https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1138154/~/cve-2019-5096-and-cve-2019-5097-vulnerabilities-impact-multiple-products-
script_set_attribute(attribute:"see_also", value:"https://www.nessus.org/u?f79a2acd");
# https://www.rockwellautomation.com/en-us/support/advisory.PN1616.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d2ade436");
script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.
Rockwell Automation recommends users apply the latest version of firmware when possible:");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5096");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(416);
script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/03");
script_set_attribute(attribute:"patch_publication_date", value:"2019/12/03");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/03/28");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/h:rockwellautomation:1747-aentr");
script_set_attribute(attribute:"cpe", value:"cpe:/h:rockwellautomation:1769-aentr");
script_set_attribute(attribute:"cpe", value:"cpe:/h:rockwellautomation:5069-aen2tr");
script_set_attribute(attribute:"cpe", value:"cpe:/h:rockwellautomation:1756-en2tr_series_c");
script_set_attribute(attribute:"cpe", value:"cpe:/h:rockwellautomation:1756-en2t_series_d");
script_set_attribute(attribute:"cpe", value:"cpe:/h:rockwellautomation:1756-en2tsc_series_a");
script_set_attribute(attribute:"cpe", value:"cpe:/h:rockwellautomation:1756-en2tsc_series_b");
script_set_attribute(attribute:"cpe", value:"cpe:/h:rockwellautomation:1756-hist1g_series_a");
script_set_attribute(attribute:"cpe", value:"cpe:/h:rockwellautomation:1756-hist2g_series_a");
script_set_attribute(attribute:"cpe", value:"cpe:/h:rockwellautomation:1756-hist2g_series_b");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tenable.ot");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tenable_ot_api_integration.nasl");
script_require_keys("Tenable.ot/Rockwell");
exit(0);
}
include('tenable_ot_cve_funcs.inc');
get_kb_item_or_exit('Tenable.ot/Rockwell');
var asset = tenable_ot::assets::get(vendor:'Rockwell');
var vuln_cpes = {
"cpe:/h:rockwellautomation:1747-aentr" :
{"versionEndIncluding" : "2.002", "versionStartIncluding" : "2.002", "family" : "SLC5"},
"cpe:/h:rockwellautomation:1769-aentr" :
{"versionEndIncluding" : "1.001", "versionStartIncluding" : "1.001", "family" : "CompactLogix"},
"cpe:/h:rockwellautomation:5069-aen2tr" :
{"versionEndIncluding" : "3.011", "versionStartIncluding" : "3.011", "family" : "CompactLogix"},
"cpe:/h:rockwellautomation:1756-en2t_series_d" :
{"versionEndIncluding" : "11.001", "family" : "ControlLogix"},
"cpe:/h:rockwellautomation:1756-en2tr_series_c" :
{"versionEndIncluding" : "11.001", "family" : "ControlLogix"},
"cpe:/h:rockwellautomation:1756-en2tsc_series_a" :
{"versionEndIncluding" : "11.001", "versionStartIncluding" : "11.001", "family" : "ControlLogix"},
"cpe:/h:rockwellautomation:1756-en2tsc_series_b" :
{"versionEndIncluding" : "11.001", "versionStartIncluding" : "11.001", "family" : "ControlLogix"},
"cpe:/h:rockwellautomation:1756-hist1g_series_a" :
{"versionEndIncluding" : "3.054", "family" : "ControlLogix"},
"cpe:/h:rockwellautomation:1756-hist2g_series_a" :
{"versionEndIncluding" : "3.054", "family" : "ControlLogix"},
"cpe:/h:rockwellautomation:1756-hist2g_series_b" :
{"versionEndIncluding" : "5.103", "family" : "ControlLogix"}
};
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);
Vendor | Product | Version | CPE |
---|---|---|---|
rockwellautomation | 1747-aentr | cpe:/h:rockwellautomation:1747-aentr | |
rockwellautomation | 1769-aentr | cpe:/h:rockwellautomation:1769-aentr | |
rockwellautomation | 5069-aen2tr | cpe:/h:rockwellautomation:5069-aen2tr | |
rockwellautomation | 1756-en2tr_series_c | cpe:/h:rockwellautomation:1756-en2tr_series_c | |
rockwellautomation | 1756-en2t_series_d | cpe:/h:rockwellautomation:1756-en2t_series_d | |
rockwellautomation | 1756-en2tsc_series_a | cpe:/h:rockwellautomation:1756-en2tsc_series_a | |
rockwellautomation | 1756-en2tsc_series_b | cpe:/h:rockwellautomation:1756-en2tsc_series_b | |
rockwellautomation | 1756-hist1g_series_a | cpe:/h:rockwellautomation:1756-hist1g_series_a | |
rockwellautomation | 1756-hist2g_series_a | cpe:/h:rockwellautomation:1756-hist2g_series_a | |
rockwellautomation | 1756-hist2g_series_b | cpe:/h:rockwellautomation:1756-hist2g_series_b |