Vulnerabilities > CVE-2017-3819 - Missing Authentication for Critical Function vulnerability in Cisco ASR 5000 Series Software and Virtualized Packet Core

047910
CVSS 9.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
cisco
CWE-306
critical
nessus
NVD
Published: 2017-03-15
Updated: 2019-10-03

Summary

A privilege escalation vulnerability in the Secure Shell (SSH) subsystem in the StarOS operating system for Cisco ASR 5000 Series, ASR 5500 Series, ASR 5700 Series devices, and Cisco Virtualized Packet Core could allow an authenticated, remote attacker to gain unrestricted, root shell access. The vulnerability is due to missing input validation of parameters passed during SSH or SFTP login. An attacker could exploit this vulnerability by providing crafted user input to the SSH or SFTP command-line interface (CLI) during SSH or SFTP login. An exploit could allow an authenticated attacker to gain root privileges access on the router. Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability can be triggered via both IPv4 and IPv6 traffic. An established TCP connection toward port 22, the SSH default port, is needed to perform the attack. The attacker must have valid credentials to login to the system via SSH or SFTP. The following products have been confirmed to be vulnerable: Cisco ASR 5000/5500/5700 Series devices running StarOS after 17.7.0 and prior to 18.7.4, 19.5, and 20.2.3 with SSH configured are vulnerable. Cisco Virtualized Packet Core - Single Instance (VPC-SI) and Distributed Instance (VPC-DI) devices running StarOS prior to N4.2.7 (19.3.v7) and N4.7 (20.2.v0) with SSH configured are vulnerable. Cisco Bug IDs: CSCva65853.

Vulnerable Configurations

Part Description Count
Application
Cisco
24

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Choosing a Message/Channel Identifier on a Public/Multicast Channel
    Attackers aware that more data is being fed into a multicast or public information distribution means can 'select' information bound only for another client, even if the distribution means itself forces users to authenticate in order to connect initially. Doing so allows the attacker to gain access to possibly privileged information, possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could change its identifier from a less privileged to more so privileged channel or command.
  • Using Unpublished Web Service APIs
    An attacker searches for and invokes Web Services APIs that the target system designers did not intend to be publicly available. If these APIs fail to authenticate requests the attacker may be able to invoke services and/or gain privileges they are not authorized for.
  • Manipulating Writeable Terminal Devices
    This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.
  • Cross Site Request Forgery (aka Session Riding)
    An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.

Nessus

NASL familyCISCO
NASL idCISCO-SA-20170315-ASR.NASL
descriptionThe remote Cisco ASR device is affected by a privilege escalation vulnerability in StarOS in the Secure Shell (SSH) subsystem due to improper validation of parameters passed during SSH or SFTP login. An authenticated, remote attacker can exploit this, by sending specially crafted input during the SSH or SFTP login, to gain root privileges.
last seen2020-06-01
modified2020-06-02
plugin id99266
published2017-04-10
reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/99266
titleCisco ASR StarOS SSH Login Parameter Handling Privilege Escalation (cisco-sa-20170315-asr)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99266);
  script_version("1.6");
  script_cvs_date("Date: 2018/07/06 11:26:06");

  script_cve_id("CVE-2017-3819");
  script_bugtraq_id(96913);
  script_xref(name:"CISCO-BUG-ID", value:"CSCva65853");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20170315-asr");

  script_name(english:"Cisco ASR StarOS SSH Login Parameter Handling Privilege Escalation (cisco-sa-20170315-asr)");
  script_summary(english:"Checks the StarOS version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is affected by a privilege escalation vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Cisco ASR device is affected by a privilege escalation
vulnerability in StarOS in the Secure Shell (SSH) subsystem due to
improper validation of parameters passed during SSH or SFTP login. An
authenticated, remote attacker can exploit this, by sending specially
crafted input during the SSH or SFTP login, to gain root privileges.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-asr
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?908587cb");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva65853");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCva65853.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:staros");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:asr_5000");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:asr_5500");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:asr_5700");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:asr_5000_series_software");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:asr_5500_series_software");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:asr_5700_series_software");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/Cisco/ASR/Model", "Host/Cisco/StarOS");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

get_kb_item_or_exit("Host/Cisco/StarOS");

version  = get_kb_item_or_exit("Host/Cisco/StarOS/Version");
model   = get_kb_item_or_exit("Host/Cisco/ASR/Model");

major = NULL;
build = NULL;
fix = NULL;
train = NULL;

# only affects ASR 5000/5500/5700 series systems
if (model !~ "^5[057]\d{2}$")
  audit(AUDIT_DEVICE_NOT_VULN, 'The ASR ' + model);

# Normalize train characters
version= toupper(version);

# For newer versions, We may be able to get the build number during detection
build = get_kb_item("Host/Cisco/StarOS/Build");
if (!empty_or_null(build))
  version += "." + build;

# defensive check for the pregmatches below
if (version !~ "^[\d\.]+\([\d\.]+" &&
    version !~ "^[\d\.]+([A-Z]{1,2}\d+)?\.\d+$")
  audit(AUDIT_DEVICE_NOT_VULN, "ASR " + model, version);

# old style of versioning 15.0(5439), style change mid 16.1, making
# all of the old style versions fall into the vulnerable range.
if ("(" >< version)
{
  major = pregmatch(pattern:"^([\d\.]+)\(", string:version);

  if(!isnull(major))
  {
    major = major[1];

    if (isnull(build))
    {
      build = pregmatch(pattern:"^[\d\.]+\(([\d\.]+)", string:version);
      if(!isnull(build))
      {
        build = build[1];

        # Set the train to an empty string, or it causes issues when
        # seeing if a patched version exists using NULL as the value
        train = '';
      }
      else
        exit(1, "Unable to extract build number.");
    }
  }
  else
    exit(1, "Unable to extract version number.");
}
else
{
  # extract major, train, and build for new style
  extract = pregmatch(pattern:"^([\d\.]+)\.([A-Z]{1,2}\d+)?\.?(\d+)?", string:version);
  if (!isnull(extract))
  {
    major = extract[1];
    train = extract[2];
    if (isnull(build))
      build = extract[3];
  }
}

# Defensive checking for versions that we haven't yet seen
if(empty_or_null(major) || empty_or_null(build))
  exit(1, "An error occurred during version extraction.");

fix_array = make_array(
  "18.8", make_array( "M0", 65044 ),
  "19.3", make_array( "V7", 66412 ),
  "19.5", make_array( "M0", 65050 ),
  "20.2", make_array( "A4", 65307, "B0", 66290, "V0", 64855 )
);

# Versions after 17.7.0 and prior to 18.7.4 are vulnerable
if (ver_compare(ver:major, minver:"17.7.1", fix:"18.7.4", strict:FALSE) < 0)
  fix = "18.7.4.65019";
else if (ver_compare(ver:major, minver:"19.0", fix:"19.5", strict:FALSE) < 0)
  fix = "19.5.0.65092";
else if (ver_compare(ver:major, minver:"20.0", fix:"20.2", strict:FALSE) < 0)
  fix = "20.2.1.64798";

if (major == "18.7.4" && int(build) < 65019)
  fix = "18.7.4.65019";
else if (major == "19.5.0" && int(build) < 65092)
  fix = "19.5.0.65092";
else if (major == "20.2.1" && int(build) < 64798)
  fix = "20.2.1.64798";

else if ( 
          !empty_or_null(fix_array[major]) && 
          !empty_or_null(train) && 
          int(build) < fix_array[major][train]
        )
  fix = major + "." + train + "." + string(fix_array[major][train]);

if (!isnull(fix))
{
  report =
    '\n  Model             : ASR ' + model +
    '\n  Installed version : ' + version +
    '\n  Fixed version     : ' + fix +
    '\n';

  security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
  exit(0);
}
else
  audit(AUDIT_DEVICE_NOT_VULN, "ASR " + model, version);

References