Vulnerabilities > CVE-2018-0196 - Unspecified vulnerability in Cisco IOS XE 16.1.2/16.2.0/16.3(1)

047910
CVSS 4.9 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
HIGH
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
NONE
network
low complexity
cisco
nessus

Summary

A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to write arbitrary files to the operating system of an affected device. The vulnerability is due to insufficient input validation of HTTP requests that are sent to the web UI of the affected software. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web UI of the affected software. A successful exploit could allow the attacker to write arbitrary files to the operating system of an affected device. Cisco Bug IDs: CSCvb22645.

Vulnerable Configurations

Part Description Count
OS
Cisco
3

Nessus

NASL familyCISCO
NASL idCISCO-SA-20180328-WFW.NASL
descriptionAccording to its self-reported version, Cisco IOS XE Software is affected by an arbitrary file write vulnerability in the web-based user interface (web UI) due to insufficient input validation of HTTP requests that are sent to the web UI of the affected software. An authenticated, remote attacker can exploit this, by sending a malicious HTTP request to the web UI of the affected software, in order to write arbitrary files to the operating system of an affected device. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application
last seen2020-06-01
modified2020-06-02
plugin id132077
published2019-12-17
reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/132077
titleCisco IOS XE Software Arbitrary File Write (cisco-sa-20180328-wfw)
code
#TRUSTED 5da2b1808e4583ac3dcd11bc30b6a5b3131dbfad40a639139ffc0681dc48a27d9d4a3cf3444aeaf144bb7cef8f128c28ef221fafccc47f996e3da4a3c777fa5ec6e2f1885288ab877e0468899f1f3b29a375d76cf51d57ca1fd26651e55e69533385d8bf603f8841df46321f7c212c57d0a3b325f32f1cf63dd2132a3f15925b9625b7db85c96ee05c577784caf9bea05675a55ac433648675ad7ccd899cba3bcdfad34d65ad189ed89d2f0681231c591baa97d2c3832776ec573664804d59c483a6bac70c1aab2d8f48b92de275ced716403e5fb0e6797f168c41fae162338ea0ef2db954e3152a352b54f541d7d7183c07e29127fa3a5715df0ff225acba689d65546ce046d5ab8029c8dbd86a8296446094a0cf149dfbd53816f9437ff3e62606da0672dc5daabcd1ef1a31ff4c490606791782b205e5bbce450709484157d71375d52d1dd9f15d68c63f469c1e4e213ac36a20ded7b2a23b035bc7750c32e88765d4bc1dfa7ddfc870499d75813eb21a9dfadddb367369ef06f4d1682fc54514d7383dafc4746e1600a99bf68946f0c146664134cc7bccb9645744ecd51fc6ced42e5935ca6e0c19a5e50970d063416c3349d3f30146090be37791ccb2e694a1935815f6162c3d630c075a1ec3e486def88008d7b7cce673c569488e99f645ed1c7afbbc82a391b75098cb3ae4bf94751132829302c46472bbe8f24eb405
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(132077);
  script_version("1.4");
  script_cvs_date("Date: 2019/12/19");

  script_cve_id("CVE-2018-0196");
  script_bugtraq_id(103570);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvb22645");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20180328-wfw");

  script_name(english:"Cisco IOS XE Software Arbitrary File Write (cisco-sa-20180328-wfw)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected by an arbitrary file write vulnerability in
the web-based user interface (web UI) due to insufficient input validation of HTTP requests that are sent to the web
UI of the affected software. An authenticated, remote attacker can exploit this, by sending a malicious HTTP request to
the web UI of the affected software, in order to write arbitrary files to the operating system of an affected device.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-wfw
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?84cc9812");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb22645");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID(s) CSCvb22645.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0196");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/17");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version", "Settings/ParanoidReport");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');
include('audit.inc');

if (report_paranoia < 2) audit(AUDIT_PARANOID);

product_info = cisco::get_product_info(name:'Cisco IOS XE Software');

workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
workaround_params = make_list();

vuln_ranges = [
  {'min_ver' : '16.3',  'fix_ver' : '16.3.2'}
];

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvb22645'
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_ranges:vuln_ranges
);