#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
  script_id(119844);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/27");

  script_cve_id("CVE-2018-15465");
  script_bugtraq_id(106256);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvm53531");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20181219-asa-privesc");
  script_xref(name:"TRA", value:"TRA-2018-46");

  script_name(english:"Cisco ASA Privilege Escalation Vulnerability (cisco-sa-20181219-asa-privesc)");
  script_summary(english:"Checks the ASA version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Cisco Adaptive Security
Appliance (ASA) software running on the remote device is affected by
a privilege escalation vulnerability in the web management interface
due to improper validation of user privileges. An authenticated, remote
attacker can exploit this, by sending specific HTTP requests via HTTPS,
to gain elevated privileges. Please see the included Cisco BIDs and
Cisco Security Advisories for more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181219-asa-privesc
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?391d8efe");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco security
advisory cisco-sa-20181219-asa-privesc.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-15465");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/12/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:adaptive_security_appliance_software");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
  script_require_keys("Host/Cisco/ASA", "Host/Cisco/ASA/model", "Settings/ParanoidReport");

  exit(0);
}
include("audit.inc");
include("cisco_workarounds.inc");
include("ccf.inc");

# Self-reported ASA version and model collected by the dependency plugins.
product_info = cisco::get_product_info(name:"Cisco Adaptive Security Appliance (ASA) Software");

# One entry per release train: min_ver is the start of the range and
# fix_ver is the first fixed release for that range.
vuln_ranges = [
  {'min_ver' : '0.0',  'fix_ver' : '9.4.4.29'},
  {'min_ver' : '9.5',  'fix_ver' : '9.6.4.20'},
  {'min_ver' : '9.7',  'fix_ver' : '9.8.3.18'},
  {'min_ver' : '9.9',  'fix_ver' : '9.9.2.36'},
  {'min_ver' : '9.10', 'fix_ver' : '9.10.1.7'}
];

# Configuration check for the ASA HTTP server, the web management
# interface named in the description.
workarounds = make_list(CISCO_WORKAROUNDS['ASA_HTTP_Server']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , "CSCvm53531"
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_ranges:vuln_ranges
);