CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
51.9%
According to its self-reported version, the Cisco Finesse Software is affected by an information disclosure vulnerability. This could allow an unauthenticated, remote attacker to retrieve information from agents using the Finesse Desktop. The vulnerability is due to the existence of a user account that has an undocumented, hard-coded password. An attacker could exploit this vulnerability by using the hard-coded credentials to subscribe to the Finesse Notification Service, which would allow the attacker to receive notifications when an agent signs in or out of the Finesse Desktop, when information about an agent changes, or when an agent’s state changes.
Please see the included Cisco BIDs and Cisco Security Advisory for more information
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(130093);
script_version("1.2");
script_cvs_date("Date: 2019/10/30 13:24:46");
script_cve_id("CVE-2017-6626");
script_xref(name:"CISCO-BUG-ID", value:"CSCvc08314");
script_xref(name:"CISCO-SA", value:"cisco-sa-20170503-finesse-ucce");
script_name(english:"Cisco Finesse Information Disclosure (cisco-sa-20170503-finesse-ucce)");
script_summary(english:"Checks the Cisco Finesse version.");
script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a vendor-supplied security patch.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco Finesse Software is affected by an information disclosure
vulnerability. This could allow an unauthenticated, remote attacker to retrieve information from agents using the
Finesse Desktop. The vulnerability is due to the existence of a user account that has an undocumented, hard-coded
password. An attacker could exploit this vulnerability by using the hard-coded credentials to subscribe to the Finesse
Notification Service, which would allow the attacker to receive notifications when an agent signs in or out of the
Finesse Desktop, when information about an agent changes, or when an agent's state changes.
Please see the included Cisco BIDs and Cisco Security Advisory for more information");
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170503-finesse-ucce
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5bfe00b0");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc08314");
script_set_attribute(attribute:"solution", value:
"Apply the patch or upgrade to the version recommended in Cisco bug ID CSCvc08314");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-6626");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/03");
script_set_attribute(attribute:"patch_publication_date", value:"2017/05/03");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/21");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:finesse");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("cisco_voss_finesse_installed.nbin");
script_require_keys("installed_sw/Cisco VOSS Finesse", "Settings/ParanoidReport");
exit(0);
}
include('vcf.inc');
include('vcf_extras.inc');
app_info = vcf::cisco_finesse::get_app_info(app:'Cisco VOSS Finesse');
if (report_paranoia < 2) audit(AUDIT_PARANOID);
constraints = [
{ 'min_version':'11.5.1', 'fixed_version':'11.5.2', 'fixed_display':'11.5(1)ES3, Bug ID: CSCvc08314', 'es_version':'3' },
{ 'min_version':'11.6.1', 'fixed_version':'11.6.2', 'fixed_display':'Refer to Bug ID: CSCvc08314' }
];
vcf::cisco_finesse::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
51.9%