CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
73.2%
The Cisco Prime Data Center Network Manager (DCNM) running on the remote host is affected by a remote code execution vulnerability due to improper input validation of the parameters in an HTTP request processed by the XmpFileUploadServlet servlet. An unauthenticated, remote attacker can exploit this issue, via a specially crafted HTTP request, to upload a Java Server Pages (JSP) file to a specific folder using path traversal techniques and then execute that file remotely. An exploit could allow the attacker to execute arbitrary commands on the affected device with the privileges of the SYSTEM user.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Plugin metadata block. Nessus evaluates it with `description` set to
# collect the attributes below and then exits; the actual check starts
# after the closing brace.
if (description)
{
script_id(110518);
script_version("1.2");
script_cvs_date("Date: 2019/11/04");
script_cve_id("CVE-2018-0258");
script_bugtraq_id(104074);
# Cross-references: the Cisco bug id, the Cisco advisory id, and the
# Tenable research advisory (TRA) for this issue.
script_xref(name:"CISCO-BUG-ID", value:"CSCvf32411");
script_xref(name:"CISCO-SA", value:"cisco-sa-20180502-prime-upload");
script_xref(name:"TRA", value:"TRA-2018-11");
script_name(english:"Cisco Prime Data Center Network Manager File Upload RCE (cisco-sa-20180502-prime-upload)");
script_summary(english:"Checks server response.");
script_set_attribute(attribute:"synopsis", value:
"A network management system running on the remote host is affected by
a remote code execution vulnerability.");
script_set_attribute(attribute:"description", value:
"The Cisco Prime Data Center Network Manager (DCNM) running on the
remote host is affected by a remote code execution vulnerability due
to improper input validation of the parameters in an HTTP request
processed by the XmpFileUploadServlet servlet. An unauthenticated,
remote attacker can exploit this issue, via a specially crafted HTTP
request, to upload a Java Server Pages (JSP) file to a specific
folder using path traversal techniques and then execute that file
remotely. An exploit could allow the attacker to execute arbitrary
commands on the affected device with the privileges of the SYSTEM user");
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-prime-upload
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e1ab861c");
script_set_attribute(attribute:"solution", value:
"Upgrade to Cisco Prime Data Center Network Manager version 10.3(1) or
later.");
# Base and temporal vectors for both CVSS versions; the temporal
# vectors encode "unproven exploit, official fix, confirmed".
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/02");
script_set_attribute(attribute:"patch_publication_date", value:"2018/05/02");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/13");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:prime_data_center_network_manager");
# Must come after every script_set_attribute() call above.
script_end_attributes();
# ACT_ATTACK: this plugin sends a crafted POST to the target rather than
# inferring the result from a version string, so it runs in the attack
# phase of a scan.
script_category(ACT_ATTACK);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Needs the DCNM web-interface detection (for installed_sw/cisco_dcnm_web)
# and the OS fingerprint consulted by the Windows gate in the check body.
script_dependencies("cisco_prime_dcnm_web_detect.nasl", "os_fingerprint.nasl");
script_require_keys("installed_sw/cisco_dcnm_web");
script_require_ports("Services/www", 443);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");
# Cisco says the Windows version is affected, but the Linux version is not.
host_os = get_kb_item('Host/OS');

# Unless Paranoid reporting is set, skip hosts whose fingerprint is known
# and is not Windows. A missing fingerprint still gets tested.
if ((report_paranoia < 2) && host_os && ('Windows' >!< host_os))
  audit(AUDIT_HOST_NOT, 'affected');

app = "cisco_dcnm_web";

# Bail out if the DCNM web interface was never detected on this host ...
get_install_count(app_name:app, exit_if_zero:TRUE);

# ... or on this port. The version may be unknown; the check below does
# not depend on it, it is only used in the "not vulnerable" audit text.
port = get_http_port(default:443);
install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:FALSE);

# Multipart upload with a random boundary so the request is not static.
boundary = "--------" + rand_str(length:12, charset:"0123456789abcdef");
content_type = "multipart/form-data; boundary=" + boundary;

# The uploaded "file" is a harmless text line; only its name is suggestive.
file_name = 'webshell.war';
file_content = 'file contents for ' + file_name;

# tacCaseID is sent as a NUL byte, which cannot form a directory name, so
# a vulnerable server fails while creating C:\temp\<tacCaseID>\ and never
# writes the upload to disk. That failure is the only observable used here.
tac_case_id = '%00';
uri = '/Upload?svc=upload&maxFileSize=100000&tacCaseID=' + tac_case_id;

crlf = '\r\n';
body = strcat(
  '--', boundary, crlf,
  'Content-Disposition: form-data; name="data"; filename="', file_name, '"', crlf,
  'Content-Type: text/plain', crlf, crlf,
  file_content, crlf,
  '--', boundary, '--', crlf
);

res = http_send_recv3(
  method       : 'POST',
  item         : uri,
  port         : port,
  content_type : content_type,
  data         : body,
  exit_on_fail : TRUE
);

status_line = res[0];

# Patched: file upload endpoint no longer exists. audit() exits, so the
# remaining cases can be handled as straight-line guards.
if (status_line =~ "^HTTP/[0-9]\.[0-9] 404")
  audit(AUDIT_INST_VER_NOT_VULN, app, install['version']);

# Neither the patched nor the vulnerable signature: report the status and stop.
if (status_line !~ "^HTTP/[0-9]\.[0-9] 500")
  audit(AUDIT_RESP_BAD, port, 'a HTTP request. Unexpected response status : ' + status_line);

# Vulnerable: server attempted to create a directory but failed.
# NOTE(review): any 500 from this endpoint is treated as the failed
# directory creation; other server-side errors on /Upload would be
# reported the same way, so confirm against the installed version when
# the finding is disputed.
req = http_last_sent_request();
report =
  '\nNessus was able to detect the issue by sending the following request :' +
  '\n\n' +
  req;
security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);