7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.9 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.0%
According to its self-reported version, Cisco IOS XR is affected by a vulnerability.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.
#TRUSTED 5d26164f61a1a7b4d3f56358f273a5419fac4793ecf3b4d89614fc805467daf9a294d593ed228658da6865859be7ed900f3794469b994e3a42b1e63056351f5b552e32744bc04e86951c8a5f97a41e16d695bd75505ac9784dc7b5aab05dd72ec4dcfe1781c389e4433b568b08d92a05461d3085eb4051a2f7551dda30b66af7461cda1e01ddda813ea79806af68367239aba7c1e3f8385979965cc303e341b5e291fd57c25f8bfade56ea61fe5a71d4a9b2eee3f6c859778070ba181b38acd7531274acbdcb5a1d791a1b6df721df35484fa891fa6b49f805c7d862a398417aa4ad999b96bd5dedd381971ca76d516e2873ddd676ba3709d37bdbdd6f4ad1edd47d7376096d459ee2efb09c12846b6f04ce3220c7425c80e7d5228eaa0c72162b428433f8b38fefdc800f6e40291aa2f9b225cd831460f8566e7e288e65cbe2a2b0e9c1c63be7e0b4d1b73f767dad9822647df4b864b6c00c530befe46df0220b28d5fb5786b49140c4667b8aada9363dd68a4a5341b54537da44b79af3bdec18a4b74b41d59d700a6497276d6012f60718df11bef9cfb6735bb4b93b9195569e72632074e788b4825e173a771834bdf1532e38ef7ddb6c772618c6e4f31f209fa3df60b6ef868f1ed9227cde85821c674e0db68dd9be947bc09fbb03297a9a087e4ebec5d44e64918b3640399097f039976689e9f94c478f734280c34b40ac
#TRUST-RSA-SHA256 98a031cc020311dd99a1543077b08c8b34d0b62e51474b7a736bfda290df1cc1842c09cf72144da8a8e82f7e3ec4604c4eb2f81619965a07edd629b0a3fd2a6fea1685272266cab3cbb3af00de24e4552ae5ef3f5a3494d0ba7bd55d89ec07e8e8eafebdd9adc0a82e35604992086f2f8f29154d1501e28da7165eb194ed5f84079df2f16fac983e79d04f40f4388a7c43620bb710f40b55b638106f3ef615a64d61428a7c9cefaadea29f642ecd568aea261399fe2df669535c98e638e4a5ee316f107d461ca5cadc64c2e69941cfa63a1718d48e39ab88ac8528afc77d6cbc7f81cabe48c47c9b2c674b214a0e186399156bf8867531f5ac19ebfff75af4738c77972f74e4a6927773d70a373939fee6cb57cd1f0b31e3da72224c66163c29c0df0249194a69567f7fb533eebbb622b5ce3039b1616068890463a17102b16383ca73c15fa19c547ac2d6eb861d8d5082871d550555e7e82341420f3200b2c76148c7618749b9bc802798af83edf06760862c50ad13d7e3cab7abf8f68db68deeac12421a43c2f916464405a088f79a816949847479abddac5459fccefc60034fdea5de41d2e61cdf120736d38e4214dd694eb896ef111f4ee4adbf1b9b60e284074ab251a0c89b84834aa4ac324e34c3925a0f236e73e1045bb67bea9bb908912b51bf3f42353fb93f65ad398b5c7d183c8e8409719e12a178d96f6e7b5d67
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(192465);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/22");
script_cve_id("CVE-2024-20320");
script_xref(name:"IAVA", value:"2024-A-0169");
script_xref(name:"CISCO-BUG-ID", value:"CSCwh52374");
script_xref(name:"CISCO-SA", value:"cisco-sa-iosxr-ssh-privesc-eWDMKew3");
script_name(english:"Cisco IOS XR Software SSH Privilege Escalation (cisco-sa-iosxr-ssh-privesc-eWDMKew3)");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XR is affected by a vulnerability.
- A vulnerability in the SSH client feature of Cisco IOS XR Software for Cisco 8000 Series Routers and Cisco
Network Convergence System (NCS) 540 Series and 5700 Series Routers could allow an authenticated, local
attacker to elevate privileges on an affected device. This vulnerability is due to insufficient validation
of arguments that are included with the SSH client CLI command. An attacker with low-privileged access to
an affected device could exploit this vulnerability by issuing a crafted SSH client command to the CLI. A
successful exploit could allow the attacker to elevate privileges to root on the affected device.
(CVE-2024-20320)
Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
# https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-ssh-privesc-eWDMKew3
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3022657f");
# https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75299
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3206828a");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh52374");
script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwh52374");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-20320");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(266);
script_set_attribute(attribute:"vuln_publication_date", value:"2024/03/13");
script_set_attribute(attribute:"patch_publication_date", value:"2024/03/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/22");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("cisco_ios_xr_version.nasl");
script_require_keys("Host/Cisco/IOS-XR/Version");
exit(0);
}
include('cisco_workarounds.inc');
include('ccf.inc');
var product_info = cisco::get_product_info(name:'Cisco IOS XR');
var model = toupper(product_info.model);
# 8000 Series, NCS 540, NCS 5700
if (model !~ "8[0-9]{3}" && model !~ "(?:N|NCS)[\s-]?540" && model !~ "(?:N|NCS)[\s-]?5700")
audit(AUDIT_HOST_NOT, 'an affected model');
var vuln_ranges = [
{'min_ver': '7.3.2', 'fix_ver': '7.10.2'}
];
var workarounds = make_list(CISCO_WORKAROUNDS['show_version']);
var workaround_params = {'pat' : 'LNT'};
var reporting = make_array(
'port' , product_info['port'],
'severity', SECURITY_WARNING,
'version' , product_info['version'],
'bug_id' , 'CSCwh52374'
);
cisco::check_and_report(
product_info:product_info,
workarounds:workarounds,
workaround_params:workaround_params,
reporting:reporting,
vuln_ranges:vuln_ranges
);
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.9 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.0%