CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
5.2%
According to its self-reported version, Cisco IOS XE Software is affected by a arbitrary code execution vulnerability, due to incorrect validations by boot scripts when specific ROM monitor (ROMMON) variables are set. An authenticated, local attacker could exploit this vulnerability by installing code to a specific directory in the underlying operating system (OS) and setting a specific ROMMON variable. A successful exploit could allow the attacker to execute persistent code on the underlying OS. To exploit this vulnerability, the attacker would need access to the root shell on the device or have physical access to the device.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.
#TRUSTED 7cb03cb4bfe6f3094a18df9469feff0354d594b4bb52aba4c9079ef21ec5a07c6b5828a90b8bbf31dd2cec17811a011b8f6822cc8e596106bf15b738ccf973da634176f0cffaa9959dba26ed43c1a1aeb3921886a073286599d99948ecca70d6d4067a2cf7d7be177663df3cbde5e4dbea53879b07c3f2ee27cd8899803d61571efef4910f1a244a0e5f2066a59138d4592fd61535e3aacfeb9fbf969912d0b7878dec8853d9bc7115149d4ad4834245bdd4e968db029e7d3719cf20de968b659ed1f932291019a419270aff9263ca4b42ebee76a64991cb607f61d8090422969baef23778ad24ae16337b1c85dbd839ed14c826be21eba022ba91f492e21d19e7142da0c3586923be3d3e8ca8942821ca0c4f96fa294b28d8c8d62efd12df24a27389b1eca46a1f50fc4109c101355ea682f1a918eef313341d03b61fc8fb9ce594b2c32191cf7b78cbb6d118717b8169a3f1c106268586acf47f848dd76449aa8c1e547754e960c0e3fd8096468b6f49b4f09163b347e802bf42c1ccb94d9f9ba9e0197799c1e8efe8c969e750cbd3eb5c80d110fc28c87344e2f6cbef1a3ae3193de8b7e6b71feac74502dce9ec5cf1f654398fd2ad38dbd2d5f1c2f79bf58711504de7f35ac7306773640377b380fadacdc4186a92ef3bc4cc6210ff9d45af359eb0d29169f9e4a3c1a34d2bc94968eea7c182d8cd85c34225c320fc876d
#TRUST-RSA-SHA256 a18d09631b8a68292d3e0fcff1b35a145f5cdf7fc2592f11c4c128e23304c042eefecd058082b67730295fe9040460d88c2faa5ccd7e3358a7ac446727e57f140259828471b34a0d08d02b92dd5e67f282e13e1aa1aa2c4f5bc3bf214a86b337593da4a9c22fa8c7ab3c8f7f94374b8aea9304425f891ebfdc02a8d7d690cfda1221fd12a8c2679acdb59f3e5b3e1ba80a1e39597fc383585b3a9aca05221232fd14484194229b7411cc9b0adf1b9b688c52cc8587498aae67d8d8e8e03babd9c2c7c73ec2d43e947edde2a9e7c2a4141421d98bba619956df71a8175c8455449c0ffd38a2cda46659a6a2beb6e77ebd2d6f4b6fe489fa976319154a4ecbc70e45f6ec90e7ebe8aef5af8629b38bdb9f4d2428fa67291ba32dd3f14f0f53d9c619d9d44010682c18ea31287b64c056f5293d6781cdf5083b10104c206b73743edc838aaa962cbe48a5b78f7223c06a546065d0cbc4feabc6999f374fca6a3fd111b54d08e470678888a7a81577e4492d868983ee2f494ef31a66e9c305d0d9c33193b5e88c7a5df3b9eb24ebac8489dd63ab1c01915753e567bd2dfbc7b0e63cb3441bb5c62ab0b8288224b7d0d2e4e2780e05a54048029f5608fb5388f251f5baec65e7993a4885d20a10f17ea0891266cc6efcaaaca303d37d37a6f2815d944edf9bd964ce37ac2e6a120606c8439a52519043e4385072cfbc875b115e555f
##
# (C) Tenable Network Security, Inc.
##
include('compat.inc');
if (description)
{
script_id(141119);
script_version("1.10");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/03");
script_cve_id("CVE-2020-3417");
script_xref(name:"CISCO-BUG-ID", value:"CSCvs58715");
script_xref(name:"CISCO-SA", value:"cisco-sa-xbace-OnCEbyS");
script_xref(name:"IAVA", value:"2020-A-0439-S");
script_name(english:"Cisco IOS XE Software Arbitrary Code Execution Vulnerability (cisco-sa-xbace-OnCEbyS)");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected by a arbitrary code execution vulnerability,
due to incorrect validations by boot scripts when specific ROM monitor (ROMMON) variables are set. An authenticated,
local attacker could exploit this vulnerability by installing code to a specific directory in the underlying operating
system (OS) and setting a specific ROMMON variable. A successful exploit could allow the attacker to execute persistent
code on the underlying OS. To exploit this vulnerability, the attacker would need access to the root shell on the
device or have physical access to the device.
Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xbace-OnCEbyS
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?217cd5d2");
script_set_attribute(attribute:"see_also", value:"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74268");
script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs58715");
script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvs58715");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3417");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_cwe_id(78);
script_set_attribute(attribute:"vuln_publication_date", value:"2020/09/24");
script_set_attribute(attribute:"patch_publication_date", value:"2020/09/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/10/02");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("cisco_ios_xe_version.nasl");
script_require_keys("Host/Cisco/IOS-XE/Version");
exit(0);
}
include('ccf.inc');
product_info = cisco::get_product_info(name:'Cisco IOS XE Software');
version_list=make_list(
'16.10.1',
'16.10.1a',
'16.10.1b',
'16.10.1c',
'16.10.1d',
'16.10.1e',
'16.10.1f',
'16.10.1g',
'16.10.1s',
'16.10.2',
'16.10.3',
'16.11.1',
'16.11.1a',
'16.11.1b',
'16.11.1c',
'16.11.1s',
'16.11.2',
'16.12.1',
'16.12.1a',
'16.12.1c',
'16.12.1s',
'16.12.1t',
'16.12.1w',
'16.12.1x',
'16.12.1y',
'16.12.2',
'16.12.2a',
'16.12.2s',
'16.12.2t',
'16.12.3',
'16.12.3a',
'16.6.1',
'16.6.2',
'16.6.3',
'16.6.4',
'16.6.4a',
'16.6.4s',
'16.6.5',
'16.6.5a',
'16.6.5b',
'16.6.6',
'16.6.7',
'16.6.7a',
'16.7.1',
'16.7.1a',
'16.7.1b',
'16.7.2',
'16.7.3',
'16.7.4',
'16.8.1',
'16.8.1a',
'16.8.1b',
'16.8.1c',
'16.8.1d',
'16.8.1e',
'16.8.1s',
'16.8.2',
'16.8.3',
'16.9.1',
'16.9.1a',
'16.9.1b',
'16.9.1c',
'16.9.1d',
'16.9.1s',
'16.9.2',
'16.9.2a',
'16.9.2s',
'16.9.3',
'16.9.3a',
'16.9.3h',
'16.9.3s',
'16.9.4',
'16.9.4c',
'16.9.5',
'16.9.5f',
'17.1.1',
'17.1.1a',
'17.1.1s',
'17.1.1t',
'3.18.0SP',
'3.18.1SP',
'3.18.1aSP',
'3.18.1bSP',
'3.18.1cSP',
'3.18.1gSP',
'3.18.1hSP',
'3.18.1iSP',
'3.18.2SP',
'3.18.2aSP',
'3.18.3SP',
'3.18.3aSP',
'3.18.3bSP',
'3.18.4SP',
'3.18.5SP',
'3.18.6SP',
'3.18.7SP',
'3.18.8SP',
'3.18.8aSP'
);
reporting = make_array(
'port' , product_info['port'],
'severity' , SECURITY_HOLE,
'version' , product_info['version'],
'bug_id' , 'CSCvs58715',
'disable_caveat', TRUE
);
cisco::check_and_report(
product_info:product_info,
reporting:reporting,
vuln_versions:version_list
);
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
5.2%