CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:L/Au:N/C:C/I:C/A:C
AI Score
Confidence
Low
EPSS
Percentile
61.0%
Cisco ASA is prone to a failover command injection vulnerability.
# Copyright (C) 2015 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
CPE = "cpe:/a:cisco:asa";
if (description)
{
script_oid("1.3.6.1.4.1.25623.1.0.105998");
script_version("2022-02-09T09:27:46+0000");
script_tag(name:"last_modification", value:"2022-02-09 09:27:46 +0000 (Wed, 09 Feb 2022)");
script_tag(name:"creation_date", value:"2015-05-29 14:07:28 +0700 (Fri, 29 May 2015)");
script_tag(name:"cvss_base", value:"8.3");
script_tag(name:"cvss_base_vector", value:"AV:A/AC:L/Au:N/C:C/I:C/A:C");
script_tag(name:"qod_type", value:"remote_banner");
script_tag(name:"solution_type", value:"VendorFix");
script_cve_id("CVE-2015-0675");
script_name("Cisco ASA Software Failover Command Injection Vulnerability (cisco-sa-20150408-asa)");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2015 Greenbone Networks GmbH");
script_family("CISCO");
script_dependencies("gb_cisco_asa_version.nasl", "gb_cisco_asa_version_snmp.nasl");
script_mandatory_keys("cisco_asa/version");
script_tag(name:"summary", value:"Cisco ASA is prone to a failover command injection vulnerability.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
script_tag(name:"insight", value:"The vulnerability is due to improper handling of secured
failover communication messages when the failover ipsec feature is configured. An attacker could
exploit this vulnerability by sending crafted UDP packets directed to the failover interface IP
address. An attacker needs IP connectivity to the failover interface IP addresses to exploit this
vulnerability.");
script_tag(name:"impact", value:"An unauthenticated, adjacent attacker could exploit this
vulnerability by sending crafted UDP packets directed to the failover interface IP address of a
targeted device. If successful, the attacker could inject arbitrary failover commands to the
standby failover device, which may result in a complete system compromise of both the active and
standby devices.");
script_tag(name:"affected", value:"Cisco ASA version 9.1, 9.2 and 9.3.");
script_tag(name:"solution", value:"See the referenced vendor advisory for a solution.");
script_xref(name:"URL", value:"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa");
exit(0);
}
include("host_details.inc");
include("version_func.inc");
if (!version = get_app_version(cpe: CPE, nofork: TRUE))
exit(0);
if (version_in_range_exclusive(version: version, test_version_lo: "9.1", test_version_up: "9.1.6")) {
report = report_fixed_ver(installed_version: version, fixed_version: "9.1(6)");
security_message(port: 0, data: report);
exit(0);
}
if (version_in_range_exclusive(version: version, test_version_lo: "9.2", test_version_up: "9.2.3.3")) {
report = report_fixed_ver(installed_version: version, fixed_version: "9.2(3.3)");
security_message(port: 0, data: report);
exit(0);
}
if (version_in_range_exclusive(version: version, test_version_lo: "9.3", test_version_up: "9.3.3")) {
report = report_fixed_ver(installed_version: version, fixed_version: "9.3(3)");
security_message(port: 0, data: report);
exit(0);
}
exit(99);