CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
5.1%
According to its self-reported version, Cisco IOS XE Software is affected by the following vulnerability:
#TRUSTED 6e698e58ea3f3ae5d340db7ecc1a057fe1b40c03289eaadca4308fa3a32e8616d95f8d5270b6a0e628f0dccc59dd7e045e36dc808e8490f4291f059e8ad0f0f94f617f9bf37d61a5872ed2c2c449c084769e48c47cb67db876f2b8c19382f64c8923ea328f6e1ec21e3c243087a7522f60cf09ae045a47fd886d5833fd716eb6263f2281605b1196cfe97e78bfeaf3a1e45413456b332bfbf10c64922913ac3d26d68c274822f9ffa148507c726add1afee0393318d6031432aea0bab70e0ed7e1995ecc288b81963e6105aab9de796b6f6f7522000d3ffbf0a5c8dc639fcee79b703ff17822e4a50b4d3be1ed2ea58590a6ba609ff0438920af09482cf76edffd3198cc9bd6efaba8165d42d9c1077280df1da601e829eca6d1964df6f301a99b9801ca7305138573d4d5ef8f24cfd4259889e1f17f77662edc31f130f9ea39c47940ca8243ce9a4c5f50a8a0f036caab18bc57ddb3ffb9da59001dedd3e2cac518c76d9f1c50180535b6dfd11c83f0fe4f448c47d46432bcd72dfeb2435f237f6d28acea6d9fb875c203aa0064acfe68e4a4eb8dfe2f8565488badbe61d59f714ed22ebf37237d9affe029dd54e0eee909030b0f63a3b18f6807cc16c7a51a879fa53d3ded20272910a103c51de080526accc1429c03d218d3e8175a7663cb903199bfe86bd8081544959788d0a3e071093bbb91bdd0bf6e30933132cf38cc
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(123788);
script_version("1.12");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/06/28");
script_cve_id("CVE-2018-15371");
script_xref(name:"CISCO-BUG-ID", value:"CSCvb79289");
script_xref(name:"CISCO-SA", value:"cisco-sa-20180926-shell-access");
script_xref(name:"IAVA", value:"2019-A-0097-S");
script_name(english:"Cisco IOS XE Software Shell Access Authentication Bypass (cisco-sa-20180926-shell-access)");
script_summary(english:"Checks the IOS XE version.");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected
by the following vulnerability:
- An Authentication bypass in the shell access request
mechanism. An authenticated attacker could exploit this
in order to bypass authentication and gain root access
to the system. (CVE-2018-15371)");
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-shell-access
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c0b2b2c9");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb79289");
script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s)
CSCvb79289.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-15371");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/26");
script_set_attribute(attribute:"patch_publication_date", value:"2018/09/26");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/05");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("cisco_ios_xe_version.nasl");
script_require_keys("Host/Cisco/IOS-XE/Version");
exit(0);
}
include("audit.inc");
include("cisco_workarounds.inc");
include("ccf.inc");
product_info = cisco::get_product_info(name:"Cisco IOS XE Software");
# Checking models with regex, since ccf only does explicit ver list
#
# 4000 Series Integrated Services Routers
# ASR 900 Series Aggregation Services Routers
# ASR 1000 Series Aggregation Services Routers
# Cloud Services Router 1000V Series
# Integrated Services Virtual Router
#
model = get_kb_item_or_exit("Host/Cisco/IOS-XE/Model");
if(
model !~ "^ASR9\d{2}([^0-9]|$)" &&
model !~ "^ASR1k" &&
model !~ "^ASR10\d{2}([^0-9]|$)" &&
model !~ "^ASR9\d{3}([^0-9]|$)" &&
model !~ "^ISR4\d{3}([^0-9]|$)" &&
model !~ "^CSR10\d{2}([^0-9]|$)"
)
audit(AUDIT_DEVICE_NOT_VULN, model);
version_list = make_list(
"3.17.0S",
"3.17.1aS",
"3.17.1S",
"3.17.2S ",
"3.17.3S",
"3.17.4S",
"3.18.0aS",
"3.18.0S",
"3.18.0SP",
"3.18.1aSP",
"3.18.1bSP",
"3.18.1cSP",
"3.18.1gSP",
"3.18.1hSP",
"3.18.1iSP",
"3.18.1S",
"3.18.1SP",
"3.18.2aSP",
"3.18.2S",
"3.18.2SP",
"3.18.3aSP",
"3.18.3bSP",
"3.18.3S",
"3.18.3SP",
"3.18.4S",
"3.18.4SP",
"3.2.0JA",
"16.2.1",
"16.2.2",
"16.3.1",
"16.3.1a",
"16.9.1b"
);
workarounds = make_list(CISCO_WORKAROUNDS['generic_workaround']);
workaround_params = WORKAROUND_CONFIG['smart_license'];
reporting = make_array(
'port' , product_info['port'],
'severity' , SECURITY_HOLE,
'version' , product_info['version'],
'bug_id' , "CSCvb79289",
'cmds' , make_list("show running-config")
);
cisco::check_and_report(
product_info:product_info,
workarounds:workarounds,
workaround_params:workaround_params,
reporting:reporting,
vuln_versions:version_list
);
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
5.1%