Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nmapPatrik Karlsson <[email protected]>NMAP:HTTP-VULN-CVE2014-2128.NSE
HistoryMay 26, 2014 - 1:28 a.m.

http-vuln-cve2014-2128 NSE Script

2014-05-2601:28:38
Patrik Karlsson <[email protected]>
nmap.org
179

0.973 High

EPSS

Percentile

99.9%

JSON

Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability (CVE-2014-2128).

See also:

Script Arguments

tls.servername

See the documentation for the tls library.

vulns.short, vulns.showall

See the documentation for the vulns library.

mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username

See the documentation for the mssql library.

anyconnect.group, anyconnect.mac, anyconnect.ua, anyconnect.version

See the documentation for the anyconnect library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

slaxml.debug

See the documentation for the slaxml library.

smtp.domain

See the documentation for the smtp library.

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

Example Usage

nmap -p 443 --script http-vuln-cve2014-2128 &lt;target&gt;

Script Output

PORT    STATE SERVICE
443/tcp open  https
| http-vuln-cve2014-2128:
|   VULNERABLE:
|   Cisco ASA SSL VPN Authentication Bypass Vulnerability
|     State: VULNERABLE
|     Risk factor: Medium  CVSSv2: 5.0 (MEDIUM) (AV:N/AC:L/AU:N/C:P/I:N/A:N)
|     Description:
|       The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47, 8.3 before 8.3(2.40), 8.4 before 8.4(7.3), 8.6 before 8.6(1.13), 9.0 before 9.0(3.8), and 9.1 before 9.1(3.2) allows remote attackers to bypass authentication via (1) a crafted cookie value within modified HTTP POST data or (2) a crafted URL, aka Bug ID CSCua85555.
|
|     References:
|       http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa
|_      http://cvedetails.com/cve/2014-2128/

Requires

local anyconnect = require('anyconnect')
local shortport = require('shortport')
local vulns = require('vulns')
local sslcert = require('sslcert')
local stdnse = require "stdnse"

description = [[
Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN
Authentication Bypass Vulnerability (CVE-2014-2128).
]]

---
-- @see http-vuln-cve2014-2126.nse
-- @see http-vuln-cve2014-2127.nse
-- @see http-vuln-cve2014-2129.nse
--
-- @usage
-- nmap -p 443 --script http-vuln-cve2014-2128 <target>
--
-- @output
-- PORT    STATE SERVICE
-- 443/tcp open  https
-- | http-vuln-cve2014-2128:
-- |   VULNERABLE:
-- |   Cisco ASA SSL VPN Authentication Bypass Vulnerability
-- |     State: VULNERABLE
-- |     Risk factor: Medium  CVSSv2: 5.0 (MEDIUM) (AV:N/AC:L/AU:N/C:P/I:N/A:N)
-- |     Description:
-- |       The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47, 8.3 before 8.3(2.40), 8.4 before 8.4(7.3), 8.6 before 8.6(1.13), 9.0 before 9.0(3.8), and 9.1 before 9.1(3.2) allows remote attackers to bypass authentication via (1) a crafted cookie value within modified HTTP POST data or (2) a crafted URL, aka Bug ID CSCua85555.
-- |
-- |     References:
-- |       http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa
-- |_      http://cvedetails.com/cve/2014-2128/

author = "Patrik Karlsson <[email protected]>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}

portrule = function(host, port)
  return shortport.ssl(host, port) or sslcert.isPortSupported(port)
end

action = function(host, port)
  local vuln_table = {
    title = "Cisco ASA SSL VPN Authentication Bypass Vulnerability",
    state = vulns.STATE.NOT_VULN,
    risk_factor = "Medium",
    scores = {
      CVSSv2 = "5.0 (MEDIUM) (AV:N/AC:L/AU:N/C:P/I:N/A:N)",
    },
    description = [[
The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47, 8.3 before 8.3(2.40), 8.4 before 8.4(7.3), 8.6 before 8.6(1.13), 9.0 before 9.0(3.8), and 9.1 before 9.1(3.2) allows remote attackers to bypass authentication via (1) a crafted cookie value within modified HTTP POST data or (2) a crafted URL, aka Bug ID CSCua85555.
    ]],

    references = {
      'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa',
      'http://cvedetails.com/cve/2014-2128/'
    }
  }

  local vuln_versions = {
    ['8'] = {
      ['2'] = 5.47,
      ['3'] = 2.40,
      ['4'] = 7.3,
      ['6'] = 1.13,
      ['7'] = 1.11,
    },
    ['9'] = {
      ['0'] = 3.8,
      ['1'] = 3.2,
    },
  }

  local report = vulns.Report:new(SCRIPT_NAME, host, port)
  local ac = anyconnect.Cisco.AnyConnect:new(host, port)
  local status, err = ac:connect()
  if not status then
    return stdnse.format_output(false, err)
  else
    local ver = ac:get_version()
    if vuln_versions[ver['major']] and vuln_versions[ver['major']][ver['minor']] then
      if vuln_versions[ver['major']][ver['minor']] > tonumber(ver['rev']) then
        vuln_table.state = vulns.STATE.VULN
      end
    end
  end
  return report:make_output(vuln_table)
end

Related

nmap 199
nmap
nmap
mysql-brute NSE Script
2010-01-26 09:40:38
snmp-ios-config NSE Script
2011-02-22 09:13:03
imap-capabilities NSE Script
2009-06-08 23:21:56

0.973 High

EPSS

Percentile

99.9%

JSON
Related for NMAP:HTTP-VULN-CVE2014-2128.NSE
nmap199