CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
38.7%
According to its self-reported version, Cisco TelePresence Collaboration Endpoint Software is affected by a vulnerability in the video endpoint xAPI of Cisco TelePresence CE that could allow an authenticated, remote attacker to conduct directory traversal attacks on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the xAPI. A successful exploit could allow the attacker to read and write arbitrary files in the device and escalate privileges from admin to root. To exploit this vulnerability, an attacker would need to have an Administrator account.
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(166375);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/05/02");
script_cve_id("CVE-2022-20811");
script_xref(name:"CISCO-BUG-ID", value:"CSCwb29733");
script_xref(name:"CISCO-SA", value:"cisco-sa-roomos-trav-beFvCcyu");
script_xref(name:"IAVA", value:"2022-A-0439-S");
script_name(english:"Cisco TelePresence CE Path Traversal (cisco-sa-roomos-trav-beFvCcyu) (CSCwb29733)");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco TelePresence Collaboration Endpoint Software is affected by a
vulnerability in the video endpoint xAPI of Cisco TelePresence CE that could allow an authenticated, remote attacker to
conduct directory traversal attacks on an affected device. This vulnerability is due to insufficient validation of
user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the xAPI. A
successful exploit could allow the attacker to read and write arbitrary files in the device and escalate privileges
from admin to root. To exploit this vulnerability, an attacker would need to have an Administrator account.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-roomos-trav-beFvCcyu
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bacc02de");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb29733");
script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwb29733");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-20811");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/10/19");
script_set_attribute(attribute:"patch_publication_date", value:"2022/10/19");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/10/21");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:telepresence_collaboration_endpoint");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("cisco_telepresence_mcu_detect.nasl");
script_require_keys("Cisco/TelePresence_MCU/Device", "Cisco/TelePresence_MCU/Version");
exit(0);
}
include('ccf.inc');
var app_name = 'Cisco TelePresence CE software';
var version = get_kb_item_or_exit('Cisco/TelePresence_MCU/Version');
var device = get_kb_item_or_exit('Cisco/TelePresence_MCU/Device');
device = tolower(device);
if ('telepresence' >!< device && 'room' >!< device)
audit(AUDIT_HOST_NOT, 'a vulnerable device');
var ver_list = split(version, sep:'.', keep:FALSE);
var max_ver_segs = max_index(ver_list);
var short_version;
# versions appear like ce9.13.0.990355df13a and ce10.13.1.3.dd7ec0ed589
if (max_ver_segs >= 5)
short_version = pregmatch(pattern: "^(ce)(\d+(?:\.\d+){0,3})", string:version);
else
short_version = pregmatch(pattern: "^(ce)(\d+(?:\.\d+){0,2})", string:version);
var short_num, short_type;
if (empty_or_null(short_version))
audit(AUDIT_NOT_DETECT, app_name);
else
{
short_type = short_version[1];
short_num = short_version[2];
}
if (short_type != 'ce')
audit(AUDIT_NOT_DETECT, app_name);
var product_info = {
'version' : short_num
};
var vuln_ranges = [
{'min_ver' : '9.0', 'fix_ver' : '9.15.13.0'},
{'min_ver' : '10.0', 'fix_ver' : '10.15.2.2'}
];
var reporting = make_array(
'port' , 0,
'severity' , SECURITY_HOLE,
'version' , version,
'bug_id' , 'CSCwb29733',
'disable_caveat', TRUE
);
cisco::check_and_report(
product_info :product_info,
reporting :reporting,
vuln_ranges :vuln_ranges
);
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
38.7%