CVSS2
Attack Vector: LOCAL
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS3
Attack Vector: PHYSICAL
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score
Confidence: High

EPSS
Percentile: 48.2%

A vulnerability in a startup script of Cisco IOS XE Software could allow an
unauthenticated attacker with physical access to the targeted system to execute arbitrary commands on the
underlying operating system with the privileges of the root user.
# SPDX-FileCopyrightText: 2017 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/o:cisco:ios_xe";

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.106723");
  script_cve_id("CVE-2017-6606");
  script_tag(name:"cvss_base", value:"6.9");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:M/Au:N/C:C/I:C/A:C");

  script_version("2023-07-25T05:05:58+0000");

  script_name("Cisco IOS XE Software Startup Script Local Command Execution Vulnerability");

  script_xref(name:"URL", value:"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170405-iosxe");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"solution", value:"See the referenced vendor advisory for a solution.");

  script_tag(name:"summary", value:"A vulnerability in a startup script of Cisco IOS XE Software could allow an
unauthenticated attacker with physical access to the targeted system to execute arbitrary commands on the
underlying operating system with the privileges of the root user.");

  script_tag(name:"insight", value:"The vulnerability is due to insufficient validation of ROMMON variables
values. An attacker could exploit this vulnerability by manipulating the content of some ROMMON variables, which
will allow an external script containing the command to execute at boot time. A reload of the affected system is
needed to exploit the vulnerability. An attacker would need console access to exploit this vulnerability.");

  script_tag(name:"qod_type", value:"package");
  script_tag(name:"solution_type", value:"VendorFix");

  script_tag(name:"last_modification", value:"2023-07-25 05:05:58 +0000 (Tue, 25 Jul 2023)");
  script_tag(name:"severity_vector", value:"CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2017-07-12 01:29:00 +0000 (Wed, 12 Jul 2017)");
  script_tag(name:"creation_date", value:"2017-04-07 10:44:47 +0200 (Fri, 07 Apr 2017)");

  script_category(ACT_GATHER_INFO);

  script_family("CISCO");
  script_copyright("Copyright (C) 2017 Greenbone AG");
  script_dependencies("gb_cisco_ios_xe_consolidation.nasl");
  script_mandatory_keys("cisco/ios_xe/detected");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if (!version = get_app_version(cpe: CPE, nofork: TRUE))
  exit(0);

affected = make_list(
'16.1.1',
'16.1.2',
'16.2.1',
'3.1.0S',
'3.1.0SG',
'3.1.1S',
'3.1.1SG',
'3.1.2S',
'3.1.3S',
'3.1.4S',
'3.1.4a.S',
'3.10.0S',
'3.10.1S',
'3.10.1xb.S',
'3.10.2S',
'3.10.2t.S',
'3.10.3S',
'3.10.4S',
'3.10.5S',
'3.10.6S',
'3.10.7S',
'3.11.0S',
'3.11.1S',
'3.11.2S',
'3.11.3S',
'3.11.4S',
'3.12.0S',
'3.12.0a.S',
'3.12.1S',
'3.12.2S',
'3.12.3S',
'3.12.4S',
'3.13.0S',
'3.13.0a.S',
'3.13.1S',
'3.13.2S',
'3.13.2a.S',
'3.13.3S',
'3.13.4S',
'3.13.5S',
'3.13.5a.S',
'3.14.0S',
'3.14.1S',
'3.14.2S',
'3.14.3S',
'3.15.0S',
'3.15.1S',
'3.15.1c.S',
'3.15.2S',
'3.15.3S',
'3.16.0S',
'3.16.0c.S',
'3.16.1S',
'3.16.1a.S',
'3.16.2S',
'3.16.2a.S',
'3.16.2b.S',
'3.17.0S',
'3.17.1S',
'3.17.1a.S',
'3.18.0S',
'3.18.0a.S',
'3.2.0SE',
'3.2.0SG',
'3.2.0XO',
'3.2.10SG',
'3.2.11SG',
'3.2.1S',
'3.2.1SE',
'3.2.1SG',
'3.2.1XO',
'3.2.2S',
'3.2.2SE',
'3.2.2SG',
'3.2.3SE',
'3.2.3SG',
'3.2.4SG',
'3.2.5SG',
'3.2.6SG',
'3.2.7SG',
'3.2.8SG',
'3.2.9SG',
'3.3.0S',
'3.3.0SE',
'3.3.0SG',
'3.3.0SQ',
'3.3.0XO',
'3.3.1S',
'3.3.1SE',
'3.3.1SG',
'3.3.1SQ',
'3.3.1XO',
'3.3.2S',
'3.3.2SE',
'3.3.2SG',
'3.3.2XO',
'3.3.3SE',
'3.3.4SE',
'3.3.5SE',
'3.4.0S',
'3.4.0SG',
'3.4.0SQ',
'3.4.0a.S',
'3.4.1S',
'3.4.1SG',
'3.4.1SQ',
'3.4.2S',
'3.4.2SG',
'3.4.3S',
'3.4.3SG',
'3.4.4S',
'3.4.4SG',
'3.4.5S',
'3.4.5SG',
'3.4.6S',
'3.4.6SG',
'3.4.7SG',
'3.4.8SG',
'3.5.0E',
'3.5.0S',
'3.5.0SQ',
'3.5.1E',
'3.5.1S',
'3.5.1SQ',
'3.5.2E',
'3.5.2S',
'3.5.2SQ',
'3.5.3E',
'3.6.0E',
'3.6.0S',
'3.6.1E',
'3.6.1S',
'3.6.2S',
'3.6.2a.E',
'3.6.3E',
'3.6.4E',
'3.6.5E',
'3.6.5a.E',
'3.6.6E',
'3.6.7E',
'3.7.0E',
'3.7.0S',
'3.7.0b.S',
'3.7.1E',
'3.7.1S',
'3.7.2E',
'3.7.2S',
'3.7.2t.S',
'3.7.3E',
'3.7.3S',
'3.7.4E',
'3.7.4S',
'3.7.5S',
'3.7.6S',
'3.7.7S',
'3.8.0E',
'3.8.0S',
'3.8.1E',
'3.8.1S',
'3.8.2E',
'3.8.2S',
'3.9.0S',
'3.9.1S',
'3.9.2S');
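
# Exact string match: only releases named in the affected list are reported.
foreach af (affected) {
  if (version == af) {
    report = report_fixed_ver(installed_version: version, fixed_version: "See advisory");
    security_message(port: 0, data: report);
    exit(0);
  }
}

# The detected version is not in the affected list: report the host as not vulnerable.
exit(99);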