CVE-2018-0152 - Insufficient Session Expiration vulnerability in Cisco IOS XE 16.1.1

CVSS 9.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, low complexity, cisco, CWE-613, critical, nessus

Summary

A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to gain elevated privileges on an affected device. The vulnerability exists because the affected software does not reset the privilege level for each web UI session. An attacker who has valid credentials for an affected device could exploit this vulnerability by remotely accessing a VTY line to the device. A successful exploit could allow the attacker to access an affected device with the privileges of the user who previously logged in to the web UI. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software, if the HTTP Server feature is enabled and authentication, authorization, and accounting (AAA) authorization is not configured for EXEC sessions. The default state of the HTTP Server feature is version-dependent. This vulnerability was introduced in Cisco IOS XE Software Release 16.1.1. Cisco Bug IDs: CSCvf71769.

Vulnerable Configurations

Part | Description | Count
OS | Cisco | 1

Common Weakness Enumeration (CWE)

Nessus

NASL family: CISCO
NASL id: CISCO-SA-20180328-XEPRIV.NASL
description: According to its self-reported version, Cisco IOS XE Software is affected by a privilege escalation vulnerability in the web-based user interface (web UI). This vulnerability exists because the affected software does not reset the privilege level for each web UI session. An authenticated, remote attacker can exploit this by remotely accessing a VTY line to the device in order to attain the privileges of the user previously logged into the web UI. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 131126
published: 2019-11-19
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/131126
title: Cisco IOS XE Software Web UI Remote Access Privilege Escalation (cisco-sa-20180328-xepriv)
code:
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(131126);
  script_version("1.4");
  script_cvs_date("Date: 2019/11/20");

  script_cve_id("CVE-2018-0152");
  script_bugtraq_id(103558);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvf71769");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180328-xepriv");

  script_name(english:"Cisco IOS XE Software Web UI Remote Access Privilege Escalation (cisco-sa-20180328-xepriv)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected by a privilege escalation vulnerability in
the web-based user interface (web UI). This vulnerability exists because the affected software does not reset the 
privilege level for each web UI session. An authenticated, remote attacker can exploit this by remotely accessing a VTY
line to the device in order to attain the privileges of the user previously logged into the web UI.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-xepriv
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9bf09003");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf71769");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s) CSCvf71769.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0152");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco IOS XE Software');

vuln_versions = make_list(
  '16.1.1',
  '16.1.2',
  '16.1.3',
  '16.2.1',
  '16.2.2',
  '16.3.1',
  '16.3.2',
  '16.3.3',
  '16.3.1a',
  '16.3.4',
  '16.4.1',
  '16.4.2',
  '16.5.1',
  '16.5.1a',
  '16.5.1b',
  '16.5.2',
  '3.18.3bSP',
  '16.6.1',
  '16.9.1b'
);

workarounds = make_list(CISCO_WORKAROUNDS['HTTP_Server_iosxe']);
workaround_params = {'exec_aaa_configured' : 1};

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_HOLE,
  'version'  , product_info.version,
  'bug_id'   , 'CSCvf71769',
  'cmds'     , make_list('show running-config')
);

cisco::check_and_report(
  product_info:product_info,
  reporting:reporting,
  vuln_versions:vuln_versions,
  workarounds:workarounds,
  workaround_params:workaround_params
);
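
The three exposure conditions from the Summary (affected release, HTTP Server feature enabled, no AAA authorization for EXEC sessions) can also be checked offline against saved `show running-config` output. The following is an added example, not Tenable's plugin code: the function name, the regular expressions and the sample configurations are assumptions, and the version set is copied from the plugin's `vuln_versions` list.

```python
import re

# Affected releases, copied from the plugin's vuln_versions list on this page.
VULN_VERSIONS = {
    "16.1.1", "16.1.2", "16.1.3", "16.2.1", "16.2.2", "16.3.1", "16.3.2",
    "16.3.3", "16.3.1a", "16.3.4", "16.4.1", "16.4.2", "16.5.1", "16.5.1a",
    "16.5.1b", "16.5.2", "3.18.3bSP", "16.6.1", "16.9.1b",
}

# Assumed matching rules for saved 'show running-config' text (not Tenable's).
# Global commands are unindented; a leading "no " means the feature is off.
HTTP_SERVER = re.compile(r"^ip http (secure-)?server\s*$")
AAA_EXEC = re.compile(r"^aaa authorization exec \S+")


def assess(version, running_config):
    """Return (exposed, reasons_not_exposed) for one device."""
    lines = running_config.splitlines()
    reasons = []
    if version not in VULN_VERSIONS:
        reasons.append("release not in affected list")
    if not any(HTTP_SERVER.match(ln) for ln in lines):
        reasons.append("HTTP Server feature disabled")
    if any(AAA_EXEC.match(ln) for ln in lines):
        reasons.append("AAA authorization configured for EXEC sessions")
    return (not reasons, reasons)


# Constructed sample configurations, not taken from a real device.
BASE = "hostname lab-rtr\naaa new-model\n{aaa}{http}line vty 0 4\n transport input ssh\n"
EXPOSED = BASE.format(aaa="", http="ip http server\nip http secure-server\n")
AAA_SET = BASE.format(aaa="aaa authorization exec default local\n",
                      http="ip http secure-server\n")
HTTP_OFF = BASE.format(aaa="", http="no ip http server\nno ip http secure-server\n")

if __name__ == "__main__":
    for name, ver, cfg in [("exposed", "16.3.4", EXPOSED),
                           ("aaa-exec", "16.3.4", AAA_SET),
                           ("http-off", "16.5.1a", HTTP_OFF),
                           ("other-release", "16.6.2", EXPOSED)]:
        exposed, why = assess(ver, cfg)
        print(f"{name:14} {ver:8} exposed={exposed} {'; '.join(why)}")
```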