CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
5.1%
A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system as the root user. The attacker must be authenticated on the affected device as a low-privileged user to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by injecting arbitrary commands to a file as a lower-privileged user. The commands are then executed on the device by the root user. A successful exploit could allow the attacker to execute arbitrary commands as the root user.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.
#TRUSTED 715fb62e949f05ec82064ef6ef5fb36f685390158aee15ab780e34eca8d9846c189591819b5d5a20e5c277a36efd88997ebaf3b95a03afd31b34bc76fd86407b5d952e1cac0862a17b528eaaa417ded58c2fe560591294a6819389e414f9667ae5a72a1eb57ff36aaaac8f739ca23196b22a9e7792fdff607a0eb4b37c8c04af5c43c9299e9744abd6ee6104b2a2cc0477b324e0360ed89b5cc23e227c48085d5b3651a598f6dfe28f170b0de36e674876e7ee48e4d142ea5f8201677dd51e5b5d611827a56beb4df620a667ca2b22149cf7bd60061fa6884c5de9d8b3f5b16ca2d574dac968e114c7d7defe8ebf9fc442070cb3ac16517b962ffbba004456df66babbf2cb914f9f02f9d3eb7bb6ea8429d1ec78c65e57d3c1c0f28e2779b10d9a6d73fe2ce473b07ee46859e9efc032cc6241a9b9149c2ddc03b2df0d9d7b40eaa31b522df69c559a321ae2f2592deabab788e7b3e9d977d79e00d7038fb7b530b0e9234554bb7f3d033f2b9442d9bab64a27e408661f9e333cc9d62a37151ba098cb8232e025811712b2aae4724f6e0c950713a9fa3a3a57e5f29c308e54bb27a4a7cdebaea701d9c80cf4250ad30b40c40ad42e47f9134c87feaddb934fdcbf7f8b93d78cc5fbdb78f6af683f5f2d5e3d49214b2818538d58ab8e59bbf713a927cd3422314194cd00a08baac44a5773ee505b8a8eb268883a04a96014ce32
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(151374);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/09/24");
script_cve_id("CVE-2021-1432");
script_xref(name:"CISCO-BUG-ID", value:"CSCvu50633");
script_xref(name:"CISCO-SA", value:"cisco-sa-iosxe-sdwarbcmdexec-sspOMUr3");
script_xref(name:"IAVA", value:"2021-A-0141-S");
script_name(english:"Cisco IOS XE Software SD WAN Arbitrary Command Execution (cisco-sa-iosxe-sdwarbcmdexec-sspOMUr3)");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
script_set_attribute(attribute:"description", value:
"A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to execute
arbitrary commands on the underlying operating system as the root user. The attacker must be authenticated on the
affected device as a low-privileged user to exploit this vulnerability. This vulnerability is due to insufficient
validation of user-supplied input. An attacker could exploit this vulnerability by injecting arbitrary commands to
a file as a lower-privileged user. The commands are then executed on the device by the root user. A successful exploit
could allow the attacker to execute arbitrary commands as the root user.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-sdwarbcmdexec-sspOMUr3
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0ab9978e");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu50633");
script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvu50633");
script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-1432");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(20);
script_set_attribute(attribute:"vuln_publication_date", value:"2021/03/24");
script_set_attribute(attribute:"patch_publication_date", value:"2021/03/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/07/06");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("cisco_ios_xe_version.nasl");
script_require_keys("Host/Cisco/IOS-XE/Version", "Host/Cisco/IOS-XE/Model", "Host/Cisco/SDWAN");
exit(0);
}
include('ccf.inc');
get_kb_item_or_exit('Host/Cisco/SDWAN');
var product_info = cisco::get_product_info(name:'Cisco IOS XE Software');
# Affects Cisco ISR1000, ISR4000, ASR1000, CSR1000V
var model = toupper(product_info['model']);
if(!pgrep(pattern:"ISR[14]0{3}|ASR10{3}|CSR10{3}V", string:model))
audit(AUDIT_HOST_NOT, 'an affected model');
var version_list=make_list(
'3.15.1xbS',
'3.15.2xbS',
'16.12.1',
'16.12.1a',
'16.12.1c',
'16.12.1s',
'16.12.1t',
'16.12.1w',
'16.12.1x',
'16.12.1y',
'16.12.1z',
'16.12.1za',
'16.12.2',
'16.12.2a',
'16.12.2s',
'16.12.2t',
'16.12.3',
'16.12.3a',
'16.12.3s',
'16.12.4',
'16.12.4a',
'17.2.1',
'17.2.1a',
'17.2.1r',
'17.2.1v'
);
var reporting = make_array(
'port' , product_info['port'],
'severity' , SECURITY_WARNING,
'bug_id' , 'CSCvu50633',
'version' , product_info['version'],
'disable_caveat', TRUE
);
cisco::check_and_report(
product_info:product_info,
reporting:reporting,
vuln_versions:version_list
);
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
5.1%