CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
5.1%
According to its self-reported version, IOS-XE for Cisco ASR 900 Series Aggregation Services Routers is affected by multiple vulnerabilities due to incorrect validations by boot scripts when specific ROM monitor (ROMMON) variables are set.
An authenticated, local attacker with high privileges to execute persistent code at bootup could exploit this by copying a specific file to the local file system of an affected device and defining specific ROMMON variables. A successful exploit could allow the attacker to run arbitrary code on the underlying operating system (OS) with root privileges. To exploit these vulnerabilities, an attacker would need to have access to the root shell on the device or have physical access to the device.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.
#TRUSTED 9e573861811465b858af97ff3de7cf36a86a2ec1cfa810b87769850d779154a5a30f622e13cfa8b3d25ae69b2d37ca9632e439df2601b15cfd6ba45c028d7648a73ad0d20b736c32e61f114ef8d958dc5506fb955cdae8fbf514a3cd2577027ef56b37d91374f0a8efff28ff681f4dac16a4fd925b308b73ce2c3a84ee3ac41b51b9bb5abf7562b4aa4d0834a22a6e8bd7c30b2c868fde58a936bde10b3f8560deb0a836cc7964731927abfbca1cbc4d54000e2fa7379240a0b6ece2adceb72364d838e1870d5a94199d125d7cc529cd860df47cae752da15fa3e4307be59c13d0cb04ff38fb5719a75e094a53bfc2c8ca063041431cb763fbedf0cf1f979b385722af89d458ba884c8e7dc1a9be156210afecd517b1f3ac9e938990b2aa2e0a82f776c72b29c1b5ba5494ac70e610a56aca49fa5dfdb24bdbe8b0294596c51ed973358b85db96bbd4b02bad5876f02fe540069446faaabb207f767e8aaa0a8f36702745fb8a8bfa6c9277dc8b1101887acc7d2963625795ef4b71372b72d227499b864e185feb7ee4d370e0820c9e828c22f1cd6dd3ab7c77e084bef95d480a914d9833bdbcd2ae97e8c418b8dbb88a3e4e46ae5e622a6566c78b3df90d408ad55767a18c80c7205c215dd3bd6efe932c4f1eb0d52908ef3d39e0880177854dd3c2ad6e37faaa273ba0abd4bcefe326a39785adbd670997a28ea0fa9c258d81
#TRUST-RSA-SHA256 ab306dcc5911b370a2e10d7865a31159ff318a6f0aa0f23707ee9fbf550d1f2be0183112faea10db687255633744ea72f47d145682640433b0e0e09a0fdd74841f4e891585b1e5b611299effff0d94e6bb428c13cdf375cc6b91150e06bb9a4e9d3ef448449d37d8ab65a7ed1d1f25372c6521e4c0b74330fb8db8cf82fe90fef9bf3ce93f36220a558eb04faf5d32a6eb8eb6c6aeb5dfac83e582fc7b9432f8895bd283185270cf9c4655c68b491b0138e8ef2f68faf2894b1e3cb8e305ff4abc8059a05a0d5875979b1d75e2e27856083079a2a4d6e97452de8885174ec841a54fdd9a02edadf85db465743548b7db7375cf171b18c6ec8b2bea38a3448b0acf0521e35f553c9fb2d7856550c7e3ca7af48e2f9316f98c0fa6901cb826cd2ddc90b5808fe41f89481d69c49d977d13a9300e7bd02f193ac4b1989f499bedb742f995dfb3f40f60effef267df10b995f1c3b008d4243929991164cbc9af585623ac5ccc98eb681922bbfb9e69ab0774bbe2a411dc7d7f351e5a96383e53edcddf2a826605386de19ecc483e9236ce7872331433f791475d3615d46437d231f39052785ac435c23e167eb5a6a1c6fb4537544a3908a0c7704bb9ca6ca17f76cdd2e8adff725c9fb5386512f23bed212c434cae03088b6db9bc906767ff1998004a17f02cae13f8cf93c79151d82eb1b4ac1c11a93f6e45761ccb5081dca2a9ef
##
# (C) Tenable Network Security, Inc.
##
include('compat.inc');
if (description)
{
script_id(141371);
script_version("1.12");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/03");
script_cve_id("CVE-2020-3416", "CVE-2020-3513");
script_xref(name:"CISCO-BUG-ID", value:"CSCvr69196");
script_xref(name:"CISCO-BUG-ID", value:"CSCvs62410");
script_xref(name:"CISCO-SA", value:"cisco-sa-iosxe-rsp3-rce-jVHg8Z7c");
script_xref(name:"IAVA", value:"2020-A-0439-S");
script_name(english:"Cisco IOS XE Software for ASR 900 Series Route Switch Processor 3 Arbitrary Code Execution (cisco-sa-iosxe-rsp3-rce-jVHg8Z7c)");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
script_set_attribute(attribute:"description", value:
"According to its self-reported version, IOS-XE for Cisco ASR 900 Series Aggregation Services Routers is affected by
multiple vulnerabilities due to incorrect validations by boot scripts when specific ROM monitor (ROMMON) variables
are set.
An authenticated, local attacker with high privileges to execute persistent code at bootup could exploit this by
copying a specific file to the local file system of an affected device and defining specific ROMMON variables. A
successful exploit could allow the attacker to run arbitrary code on the underlying operating system (OS) with root
privileges. To exploit these vulnerabilities, an attacker would need to have access to the root shell on the device
or have physical access to the device.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-rsp3-rce-jVHg8Z7c
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7666b559");
script_set_attribute(attribute:"see_also", value:"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74268");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr69196");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs62410");
script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvr69196, CSCvs62410");
script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3513");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(749);
script_set_attribute(attribute:"vuln_publication_date", value:"2020/09/24");
script_set_attribute(attribute:"patch_publication_date", value:"2020/09/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/10/12");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("cisco_ios_xe_version.nasl");
script_require_keys("Host/Cisco/IOS-XE/Version", "Host/Cisco/IOS-XE/Model");
exit(0);
}
include('ccf.inc');
product_info = cisco::get_product_info(name:'Cisco IOS XE Software');
model = toupper(product_info['model']);
if (model !~ 'ASR90[0-9]([^0-9]|$)')
audit(AUDIT_HOST_NOT, 'an affected model');
vuln_versions = make_list(
'16.10.1',
'16.11.1',
'16.11.1a',
'16.11.2',
'16.12.1',
'16.12.2',
'16.12.2a',
'16.12.3',
'16.12.3s',
'16.2.1',
'16.2.2',
'16.3.1',
'16.3.10',
'16.3.1a',
'16.3.2',
'16.3.3',
'16.3.4',
'16.3.5',
'16.3.5b',
'16.3.6',
'16.3.7',
'16.3.8',
'16.3.9',
'16.4.1',
'16.4.2',
'16.4.3',
'16.5.1',
'16.5.1a',
'16.5.1b',
'16.5.2',
'16.5.3',
'16.6.1',
'16.6.2',
'16.6.3',
'16.6.4',
'16.6.5',
'16.6.5a',
'16.6.6',
'16.6.7',
'16.6.8',
'16.7.1',
'16.7.2',
'16.7.3',
'16.8.1',
'16.8.1b',
'16.8.1c',
'16.9.1',
'16.9.1a',
'16.9.1b',
'16.9.2',
'16.9.3',
'16.9.3h',
'16.9.4',
'16.9.5',
'16.9.5f',
'17.1.1',
'17.1.1a',
'3.16.0S',
'3.16.0aS',
'3.16.0bS',
'3.16.0cS',
'3.16.10S',
'3.16.1S',
'3.16.1aS',
'3.16.2aS',
'3.16.2bS',
'3.16.3S',
'3.16.3aS',
'3.16.4S',
'3.16.4aS',
'3.16.4bS',
'3.16.4cS',
'3.16.4dS',
'3.16.4eS',
'3.16.4gS',
'3.16.5S',
'3.16.5aS',
'3.16.5bS',
'3.16.6S',
'3.16.6bS',
'3.16.7S',
'3.16.7aS',
'3.16.7bS',
'3.16.8S',
'3.16.9S',
'3.17.0S',
'3.17.1S',
'3.17.1aS',
'3.17.2S',
'3.17.3S',
'3.17.4S',
'3.18.0S',
'3.18.0SP',
'3.18.0aS',
'3.18.1S',
'3.18.1SP',
'3.18.1bSP',
'3.18.1gSP',
'3.18.1hSP',
'3.18.1iSP',
'3.18.2S',
'3.18.2SP',
'3.18.3S',
'3.18.3SP',
'3.18.4S',
'3.18.4SP',
'3.18.5SP',
'3.18.6SP',
'3.18.7SP',
'3.18.8SP',
'3.18.8aSP'
);
reporting = make_array(
'port' , product_info['port'],
'severity' , SECURITY_WARNING,
'version' , product_info['version'],
'bug_id' , 'CSCvr69196, CSCvs62410',
'disable_caveat', TRUE
);
cisco::check_and_report(
product_info:product_info,
reporting:reporting,
vuln_versions:vuln_versions
);
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
5.1%