CVE-2018-0428 - Improper Privilege Management vulnerability in Cisco Web Security Appliance

CVSS 7.2 - HIGH

  • Attack vector: LOCAL
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: COMPLETE
  • Integrity impact: COMPLETE
  • Availability impact: COMPLETE

Tags: local, low complexity, cisco, CWE-269, nessus

Summary

A vulnerability in the account management subsystem of Cisco Web Security Appliance (WSA) could allow an authenticated, local attacker to elevate privileges to root. The attacker must authenticate with valid administrator credentials. The vulnerability is due to improper implementation of access controls. An attacker could exploit this vulnerability by authenticating to the device as a specific user to gain the information needed to elevate privileges to root in a separate login shell. A successful exploit could allow the attacker to escape the CLI subshell and execute system-level commands on the underlying operating system as root. Cisco Bug IDs: CSCvj93548.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Restful Privilege Elevation
    REST uses standard HTTP (GET, PUT, DELETE) style permission methods, but these do not necessarily correspond to what the back-end programs do. Under a strict interpretation of HTTP, GET services should not be used to delete information on the server, but there is no access control mechanism to enforce this. Unless the services are properly ACL'd and the application's service implementation follows these guidelines, an HTTP request can easily execute a delete or update on the server side. The attacker identifies an HTTP GET URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent, so the attacker can submit the request multiple times. In addition, the attacker may be able to exploit a URL published as a GET method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.

Nessus

  • NASL family: CISCO
    NASL id: CISCO_SA_20180815_WSA_CVE_2018_0428.NASL
    description: According to its self-reported version, the Cisco Web Security Appliance (WSA) running on the remote host may be affected by privilege escalation vulnerability.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 112122
    published: 2018-08-27
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/112122
    title: Cisco Web Security Appliance Privilege Escalation Vulnerability.
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(112122);
      script_version("1.8");
      script_cvs_date("Date: 2019/12/20");
    
      script_cve_id("CVE-2018-0428");
      script_bugtraq_id(105104);
      script_xref(name:"CISCO-BUG-ID", value:"CSCvj93548");
      script_xref(name:"CISCO-SA", value:"cisco-sa-20180815-wsa-escalation");
    
      script_name(english:"Cisco Web Security Appliance Privilege Escalation Vulnerability.");
      script_summary(english:"Checks the WSA version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote security appliance may be affected by a privilege escalation vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the Cisco Web Security
    Appliance (WSA) running on the remote host may be affected by privilege escalation vulnerability.");
      # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180815-wsa-escalation
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?87dd52c9");
      # https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj93548
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b9bd6384");
      script_set_attribute(attribute:"solution", value:
    "Apply the vendor supplied patch.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0428");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/08/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/27");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:web_security_appliance");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CISCO");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("cisco_wsa_version.nasl");
      script_require_keys("Host/AsyncOS/Cisco Web Security Appliance/DisplayVersion");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("cisco_workarounds.inc");
    include("ccf.inc");
    
    
    product_info = cisco::get_product_info(name:"Cisco Web Security Appliance (WSA)");
    workarounds = make_list(CISCO_WORKAROUNDS["no_workaround"]);
    workaround_params = make_list();
    
    # 11.0.0-FCS-250, 11.5.0-FCS-000, WSA10.0.0-959, WSA10.5.0-FCS-000
    vuln_versions = make_list(
      "11.0.0.250",
      "11.5.0.0",
      "10.0.0.959",
      "10.5.0.0");
    
    reporting = make_array(
      "port"     , 0,
      "severity" , SECURITY_HOLE,
      'bug_id'   , "CSCvj93548",
      "version"  , product_info["display_version"],
      "fix"      , "See advisory"
    );
    
    cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:vuln_versions);
    
  • NASL family: CISCO
    NASL id: CISCO_SA_20180815_WSA_CVE_2018_0410.NASL
    description: According to its self-reported version, the Cisco Web Security Appliance (WSA) running on the remote host may be affected by multiple vulnerabilities.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 112121
    published: 2018-08-27
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/112121
    title: Cisco Web Security Appliance Multiple Vulnerabilities.