Vulnerabilities > CVE-2017-3819 - Missing Authentication for Critical Function vulnerability in Cisco ASR 5000 Series Software and Virtualized Packet Core

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

cisco

CWE-306

nessus

NVD

Published: 2017-03-15

Updated: 2019-10-03

Summary

A privilege escalation vulnerability in the Secure Shell (SSH) subsystem in the StarOS operating system for Cisco ASR 5000 Series, ASR 5500 Series, ASR 5700 Series devices, and Cisco Virtualized Packet Core could allow an authenticated, remote attacker to gain unrestricted, root shell access. The vulnerability is due to missing input validation of parameters passed during SSH or SFTP login. An attacker could exploit this vulnerability by providing crafted user input to the SSH or SFTP command-line interface (CLI) during SSH or SFTP login. An exploit could allow an authenticated attacker to gain root privileges access on the router. Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability can be triggered via both IPv4 and IPv6 traffic. An established TCP connection toward port 22, the SSH default port, is needed to perform the attack. The attacker must have valid credentials to login to the system via SSH or SFTP. The following products have been confirmed to be vulnerable: Cisco ASR 5000/5500/5700 Series devices running StarOS after 17.7.0 and prior to 18.7.4, 19.5, and 20.2.3 with SSH configured are vulnerable. Cisco Virtualized Packet Core - Single Instance (VPC-SI) and Distributed Instance (VPC-DI) devices running StarOS prior to N4.2.7 (19.3.v7) and N4.7 (20.2.v0) with SSH configured are vulnerable. Cisco Bug IDs: CSCva65853.

Vulnerable Configurations

Part	Description	Count
Application	Cisco Cisco ASR 5000 Series Software 18.0.0 Cisco ASR 5000 Series Software 18.0.L0.59219 Cisco ASR 5000 Series Software 18.1.0 Cisco ASR 5000 Series Software 19.3.0 Cisco ASR 5000 Series Software 19.0.M0.60828 Cisco ASR 5000 Series Software 18.3.0 Cisco ASR 5000 Series Software 18.1_Base Cisco ASR 5000 Series Software 19.2.0 Cisco ASR 5000 Series Software 18.0.0.57828 Cisco ASR 5000 Series Software 18.4.0 Cisco ASR 5000 Series Software 19.1.0.61559 Cisco ASR 5000 Series Software 18.1.0.59776 Cisco ASR 5000 Series Software 18.0.0.59167 Cisco ASR 5000 Series Software 19.0.M0.61045 Cisco ASR 5000 Series Software 19.1.0 Cisco ASR 5000 Series Software 18.0.0.59211 Cisco ASR 5000 Series Software 19.0.M0.60737 Cisco ASR 5000 Series Software 20.0.0 Cisco ASR 5000 Series Software 18.1.0.59780 Cisco ASR 5000 Series Software 19.0.1 Cisco ASR 5000 Series Software 18.3_Base Cisco Virtualized Packet Core V18.0_Base Cisco Virtualized Packet Core V20.0_Base Cisco Virtualized Packet Core V19.0_Base	24

Common Weakness Enumeration (CWE)

CWE-306 - Missing Authentication for Critical Function

Common Attack Pattern Enumeration and Classification (CAPEC)

Choosing a Message/Channel Identifier on a Public/Multicast Channel
Attackers aware that more data is being fed into a multicast or public information distribution means can 'select' information bound only for another client, even if the distribution means itself forces users to authenticate in order to connect initially. Doing so allows the attacker to gain access to possibly privileged information, possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could change its identifier from a less privileged to more so privileged channel or command.
Using Unpublished Web Service APIs
An attacker searches for and invokes Web Services APIs that the target system designers did not intend to be publicly available. If these APIs fail to authenticate requests the attacker may be able to invoke services and/or gain privileges they are not authorized for.
Manipulating Writeable Terminal Devices
This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.
Cross Site Request Forgery (aka Session Riding)
An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.

Nessus

NASL family	CISCO
NASL id	CISCO-SA-20170315-ASR.NASL
description	The remote Cisco ASR device is affected by a privilege escalation vulnerability in StarOS in the Secure Shell (SSH) subsystem due to improper validation of parameters passed during SSH or SFTP login. An authenticated, remote attacker can exploit this, by sending specially crafted input during the SSH or SFTP login, to gain root privileges.
last seen	2020-06-01
modified	2020-06-02
plugin id	99266
published	2017-04-10
reporter	This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/99266
title	Cisco ASR StarOS SSH Login Parameter Handling Privilege Escalation (cisco-sa-20170315-asr)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(99266); script_version("1.6"); script_cvs_date("Date: 2018/07/06 11:26:06"); script_cve_id("CVE-2017-3819"); script_bugtraq_id(96913); script_xref(name:"CISCO-BUG-ID", value:"CSCva65853"); script_xref(name:"CISCO-SA", value:"cisco-sa-20170315-asr"); script_name(english:"Cisco ASR StarOS SSH Login Parameter Handling Privilege Escalation (cisco-sa-20170315-asr)"); script_summary(english:"Checks the StarOS version."); script_set_attribute(attribute:"synopsis", value: "The remote device is affected by a privilege escalation vulnerability."); script_set_attribute(attribute:"description", value: "The remote Cisco ASR device is affected by a privilege escalation vulnerability in StarOS in the Secure Shell (SSH) subsystem due to improper validation of parameters passed during SSH or SFTP login. An authenticated, remote attacker can exploit this, by sending specially crafted input during the SSH or SFTP login, to gain root privileges."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-asr script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?908587cb"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva65853"); script_set_attribute(attribute:"solution", value: "Upgrade to the relevant fixed version referenced in Cisco bug ID CSCva65853."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/15"); script_set_attribute(attribute:"patch_publication_date", value:"2017/03/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/10"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:staros"); script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:asr_5000"); script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:asr_5500"); script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:asr_5700"); script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:asr_5000_series_software"); script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:asr_5500_series_software"); script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:asr_5700_series_software"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/Cisco/ASR/Model", "Host/Cisco/StarOS"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); get_kb_item_or_exit("Host/Cisco/StarOS"); version = get_kb_item_or_exit("Host/Cisco/StarOS/Version"); model = get_kb_item_or_exit("Host/Cisco/ASR/Model"); major = NULL; build = NULL; fix = NULL; train = NULL; # only affects ASR 5000/5500/5700 series systems if (model !~ "^5[057]\d{2}$") audit(AUDIT_DEVICE_NOT_VULN, 'The ASR ' + model); # Normalize train characters version= toupper(version); # For newer versions, We may be able to get the build number during detection build = get_kb_item("Host/Cisco/StarOS/Build"); if (!empty_or_null(build)) version += "." + build; # defensive check for the pregmatches below if (version !~ "^[\d\.]+\([\d\.]+" && version !~ "^[\d\.]+([A-Z]{1,2}\d+)?\.\d+$") audit(AUDIT_DEVICE_NOT_VULN, "ASR " + model, version); # old style of versioning 15.0(5439), style change mid 16.1, making # all of the old style versions fall into the vulnerable range. if ("(" >< version) { major = pregmatch(pattern:"^([\d\.]+)\(", string:version); if(!isnull(major)) { major = major[1]; if (isnull(build)) { build = pregmatch(pattern:"^[\d\.]+\(([\d\.]+)", string:version); if(!isnull(build)) { build = build[1]; # Set the train to an empty string, or it causes issues when # seeing if a patched version exists using NULL as the value train = ''; } else exit(1, "Unable to extract build number."); } } else exit(1, "Unable to extract version number."); } else { # extract major, train, and build for new style extract = pregmatch(pattern:"^([\d\.]+)\.([A-Z]{1,2}\d+)?\.?(\d+)?", string:version); if (!isnull(extract)) { major = extract[1]; train = extract[2]; if (isnull(build)) build = extract[3]; } } # Defensive checking for versions that we haven't yet seen if(empty_or_null(major) \|\| empty_or_null(build)) exit(1, "An error occurred during version extraction."); fix_array = make_array( "18.8", make_array( "M0", 65044 ), "19.3", make_array( "V7", 66412 ), "19.5", make_array( "M0", 65050 ), "20.2", make_array( "A4", 65307, "B0", 66290, "V0", 64855 ) ); # Versions after 17.7.0 and prior to 18.7.4 are vulnerable if (ver_compare(ver:major, minver:"17.7.1", fix:"18.7.4", strict:FALSE) < 0) fix = "18.7.4.65019"; else if (ver_compare(ver:major, minver:"19.0", fix:"19.5", strict:FALSE) < 0) fix = "19.5.0.65092"; else if (ver_compare(ver:major, minver:"20.0", fix:"20.2", strict:FALSE) < 0) fix = "20.2.1.64798"; if (major == "18.7.4" && int(build) < 65019) fix = "18.7.4.65019"; else if (major == "19.5.0" && int(build) < 65092) fix = "19.5.0.65092"; else if (major == "20.2.1" && int(build) < 64798) fix = "20.2.1.64798"; else if ( !empty_or_null(fix_array[major]) && !empty_or_null(train) && int(build) < fix_array[major][train] ) fix = major + "." + train + "." + string(fix_array[major][train]); if (!isnull(fix)) { report = '\n Model : ASR ' + model + '\n Installed version : ' + version + '\n Fixed version : ' + fix + '\n'; security_report_v4(port:0, extra:report, severity:SECURITY_HOLE); exit(0); } else audit(AUDIT_DEVICE_NOT_VULN, "ASR " + model, version);

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

References