Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.CISCO-SA-UCS-API-RCE-UXWPEDHD.NASL
HistoryNov 20, 2020 - 12:00 a.m.

Cisco Integrated Management Controller RCE (cisco-sa-ucs-api-rce-UXwpeDHd)

2020-11-2000:00:00
This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
26
cisco unified computing system
rce vulnerabilities
api subsystem
improper boundary checks
crafted http request
arbitrary code execution
root privileges
cisco bids
cisco security advisory
scanner

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

10

Confidence

High

EPSS

0.002

Percentile

58.3%

JSON

According to its self-reported version, Cisco Unified Computing System E-Series Software (UCSE) is affected by multiple remote code execution (RCE) vulnerabilities in the API subsystem due to improper boundary checks for certain user-supplied input. An unauthenticated, remote attacker can exploit these, by sending a crafted HTTP request to the API subsystem of an affected system, to execute arbitrary code with root privileges on the underlying operating system.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

#TRUSTED 1449211ffdf03ec8c27260bddefa8a59d06d99b1e7314feab94b22ef374b33050c536a3c8c5d059caaa001a442b598ae568efc754c296eaf4e76b6eeac46a4bf3e1da3847fedc45f4737c790995b5653ff046602db5c7d6383fb9510d5ffaf69089baf6f76ec4f4c18189a0871eae1c00f82765585ab21e0928e3873587d791108e0f9742372084d31775e5ec19973441327be7c3b43b1b99cf8956b9344b3b6f163d1c8b3192c00db9ffcbea7dd6590cff02d08565c3ac658e7188cb3bb96fc021381d0d834f70ddd859a71d2be47b28e385786932bd179c076ef3eb4e8f625a8ab9c47467840f786f01135cdfb076175358a2e10e92cd80739195ba80ce5865cc1f28e387937d6e1be61dfb6f62e92b968cb1531f7ca42e5a94ff18dde301465280d16a21b001203fbc57a5956eb8a884e75dc1bec15bda7a8eb5795980cfe937ad5982f73e633110369047041994d1ded814ddd789bea648fff112dca61ee2dd3542913aede138f2a216fbd9f661e17720485523b3137d7578cad727cb2ddc7df9251c97815f264ce6e6404062f1a5e2b820d870fa8e48c2e5c22761184121f3804dccc5567c7be7e85970cac3912ef42bc3b924f74c08d14f83f8d594cd3119e6455035fbe2d86e3121b0d0f5f0d426aac122278f0b1bf14fba884854229db7b2ced4cea6f8a0c28954300daaf14d7ea8e1ed410b77085c7769d7078e019
#TRUST-RSA-SHA256 66d1d74dbb273429fbf95a2c851554a55922df08ce4a5162af11970ebc21c8dd39bd7b8a26a553330dea3b45f570c0979fec78e945eda3f675538bc563c11f509e77d96baf77e2e6b4a8e2fbd00c55c27f1e6593845d495e4319dea9108ae6c82c04d4f53f65d964dca446e51c28ee0829e680258c147663388a9ed03108e2cc394e01c9768735c9fb95782ba5b0ab8df67e35a45c679d6c06c55e7b0270ec87097a3043ea1566e734ee2b70e8315762a57c5cc91b43d9d4e3776b8b24c5ad700f75be4634f340cd82d635b412f9d202e262f0f7ce484e3e7c99e2bed3352b55d7fefd3c8c991d26cc2f4362b97c97e7be6afa807ccba7ceda58412ee7300c95becf88889ee54210ba75e7c18199d614e9c0347d160e3441c197322104fd98d4341bc9a7c799cb6c03c9e387583dd8c0a873c6f3452b1c9ac85b03b00b8c6556d95a17d26f5b0017bd12c315ca440ea8170f78392cc11d1f79cc8abb60ad596ac1b325f2da2691d46a1adaaaebb318f58e37cec0233bd547dc519a74deed163d4cd0b683974aa4fbd3acde7ad3c5e25c0650f75794d8ee9fad52aa1d4e97c544cc5a07ee3df1f664b82044e6b8bcdf65d712fb54e30da8e591344e64cb6ce4d72f4a7bae55b9a260fb801bda40039e23a632f04a4bea31d865e61324c83c56d757919eddecb7c41398052f07f905e988ea24234e0ff18f54675e05b4628795aa
##
# (C) Tenable Network Security, Inc.
##

include('compat.inc');

if (description)
{
  script_id(143150);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/19");

  script_cve_id("CVE-2020-3470");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvu21215");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvu21222");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvu22429");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvu80203");
  script_xref(name:"CISCO-SA", value:"cisco-sa-ucs-api-rce-UXwpeDHd");
  script_xref(name:"IAVA", value:"2020-A-0543-S");

  script_name(english:"Cisco Integrated Management Controller RCE (cisco-sa-ucs-api-rce-UXwpeDHd)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco Unified Computing System E-Series Software (UCSE) is affected by multiple
remote code execution (RCE) vulnerabilities in the API subsystem due to improper boundary checks for certain
user-supplied input. An unauthenticated, remote attacker can exploit these, by sending a crafted HTTP request to the API
subsystem of an affected system, to execute arbitrary code with root privileges on the underlying operating system.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucs-api-rce-UXwpeDHd
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e999cbf5");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu21215");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu21222");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu22429");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu80203");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvu21215, CSCvu21222, CSCvu22429, and CSCvu80203.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3470");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(119);

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/11/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/11/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/11/20");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:integrated_management_controller");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_imc_detect.nbin");
  script_require_keys("Host/Cisco/CIMC/version", "Settings/ParanoidReport");

  exit(0);
}

include('ccf.inc');

product_info = cisco::get_product_info(name:"Cisco Unified Computing System (Management Software)");

# Cannot distinguish between [CES]-Series
if (report_paranoia < 2) audit(AUDIT_PARANOID);

vuln_ranges = [
  { 'min_ver' : '3.0(1c)', 'fix_ver' : '3.0(4r)'  },
  # All 3.1 vulnerable
  { 'min_ver' : '3.1',     'fix_ver' : '3.2.11.3' },
  # 4.0(2n) is fixed for C-Series M4, but 4.0(4m) is fixed for others
  { 'min_ver' : '4.0(1a)', 'fix_ver' : '4.0(4m)'  },
  { 'min_ver' : '4.1(1c)', 'fix_ver' : '4.1(1g)'  }
];  

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_HOLE,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvu21215, CSCvu21222, CSCvu22429, CSCvu80203',
  'fix'      , 'See vendor advisory',
  'disable_caveat', TRUE
);

cisco::check_and_report(
  product_info:product_info,
  reporting:reporting,
  vuln_ranges:vuln_ranges
);

Related

cvelist 1
ptsecurity 1
cve 1
prion 1
cisco 1
nvd 1
cvelist
cvelist
CVE-2020-3470 Cisco Integrated Management Controller Multiple Remote Code Execution Vulnerabilities
2020-11-18 17:41:18
ptsecurity
ptsecurity
PT-2020-30: Multiple code execution in Cisco Integrated Management Controller (CIMC)
2020-11-04 00:00:00
cve
cve
CVE-2020-3470
2020-11-18 19:15:12
prion
prion
Buffer overflow
2020-11-18 19:15:00
cisco
cisco
Cisco Integrated Management Controller Multiple Remote Code Execution Vulnerabilities
2020-11-18 16:00:00
nvd
nvd
CVE-2020-3470
2020-11-18 19:15:12

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

10

Confidence

High

EPSS

0.002

Percentile

58.3%

JSON
Related for CISCO-SA-UCS-API-RCE-UXWPEDHD.NASL
cvelist1ptsecurity1cve1prion1cisco1nvd1