Vulnerabilities > CVE-2019-12648 - Incorrect Authorization vulnerability in Cisco IOS 15.7(3)M3

CVSS 9.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

cisco

CWE-863

critical

nessus

NVD

Published: 2019-09-25

Updated: 2019-10-09

Summary

A vulnerability in the IOx application environment for Cisco IOS Software could allow an authenticated, remote attacker to gain unauthorized access to the Guest Operating System (Guest OS) running on an affected device. The vulnerability is due to incorrect role-based access control (RBAC) evaluation when a low-privileged user requests access to a Guest OS that should be restricted to administrative accounts. An attacker could exploit this vulnerability by authenticating to the Guest OS by using the low-privileged-user credentials. An exploit could allow the attacker to gain unauthorized access to the Guest OS as a root user.

Vulnerable Configurations

Part	Description	Count
OS	Cisco Cisco IOS 15.7$3$M3	1
Hardware	Cisco Cisco 807 Industrial Integrated Services Routers - Cisco 809 Industrial Integrated Services Routers - Cisco 829 Industrial Integrated Services Routers - Cisco Cgr1240 - Cisco CGR 1120 -	5

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

Nessus

NASL family	CISCO
NASL id	CISCO-SA-20190925-IOS-GOS-AUTH.NASL
description	According to its self-reported version, IOS is affected by a vulnerability in the IOx application environment. This is due to incorrect role-based access control evaluation when a low-privileged user request access to a Guest OS that should be restricted to administrative accounts. An attacker can exploit this vulnerability by authenticating to the Guest OS using the low-privileged user credentials in order to gain unauthorized access to the GuestOS as a root user. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-06-01
modified	2020-06-02
plugin id	129713
published	2019-10-08
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129713
title	Cisco IOx for IOS Software Guest Operating System Unauthorized Access Vulnerability (cisco-sa-20190925-ios-gos-auth)
code	#TRUSTED 2b52434dfe9d448be1b2ab3ce4aeab36e7e901f4499cdb2b06524feabcd2f7360a8af8f662490b8ef68ff6f2fc85dbfa31155876a633d8ef9e2a98c5378f19dfd39f9622b7d372010741e92bfd7c4ac19ff5fbd576e51d271944fd98298c33201de53e01012ba76c6f5754dfb4a20953df35c5cdfd4afe3852930f472b538d2c79bc9d80126abfd670d0e99adfc7dc83d4e516f012a8569b2929e9f2e8957ddf868b732cecd3c7fae8c482eaa041fd67114b3d723c6e6e7cd76590a5f0829ac39cbd00f1bffeee3c8afa3c1f7aaf42bd59a9daec54870891fcbe0bfe813ee01d5cb0847cf38ccb606ecc2d9fcc39f919b7089a39ecab8eba0672e7fd055df3810dab2bb72319709357b8978289a413b6cafdc028407c7c96d9ed7f43479a421f0d2365cfb1b2cc684549b0d460abe5323bb5a7543528d59575bc0ee1cac3cf08412e3a82beca17c063c4633304d32e0aab43a229195c45d3d1f8ebcac586882dbc71c07cb2d154f5a4e1aec1aa5a537439f102d203e7bd84b5507f281cbb76d1cddb1e1afc6d1bc0b1a2052059ca2053088019557e64186135bab64aca18bce39c67f6df07c35b4ca7548de47b011d7eda87b863a50cd7cf9528ffcd49e1505693d06828857cd6eb66cdae989ab1a635f21f36dc2290a92a494ad05e01d4a5ebd610068a5398b471d0c9c1b1a6c39728bad17fd67009c479b126053bd9c63755 # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(129713); script_version("1.5"); script_cvs_date("Date: 2019/12/20"); script_cve_id("CVE-2019-12648"); script_xref(name:"CISCO-BUG-ID", value:"CSCvm86480"); script_xref(name:"CISCO-SA", value:"cisco-sa-20190925-ios-gos-auth"); script_name(english:"Cisco IOx for IOS Software Guest Operating System Unauthorized Access Vulnerability (cisco-sa-20190925-ios-gos-auth)"); script_set_attribute(attribute:"synopsis", value: "The remote device is missing a vendor-supplied security patch"); script_set_attribute(attribute:"description", value: "According to its self-reported version, IOS is affected by a vulnerability in the IOx application environment. This is due to incorrect role-based access control evaluation when a low-privileged user request access to a Guest OS that should be restricted to administrative accounts. An attacker can exploit this vulnerability by authenticating to the Guest OS using the low-privileged user credentials in order to gain unauthorized access to the GuestOS as a root user. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-ios-gos-auth script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?378b51aa"); script_set_attribute(attribute:"see_also", value:"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-72547"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm86480"); script_set_attribute(attribute:"solution", value: "Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvm86480"); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-12648"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_cwe_id(284); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/25"); script_set_attribute(attribute:"patch_publication_date", value:"2019/09/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/08"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("cisco_ios_version.nasl"); script_require_keys("Host/Cisco/IOS/Version", "Host/Cisco/IOS/Model"); exit(0); } include('audit.inc'); include('cisco_workarounds.inc'); include('ccf.inc'); product_info = cisco::get_product_info(name:'Cisco IOS'); model = product_info.model; if ( ( model !~ '^IR8[0-9]{2}([^0-9]\|$)') && !('CGR' >< model && model =~ '[^0-9]1[0-9]{3}([^0-9]\|$)') ) audit(AUDIT_HOST_NOT, 'affected'); version_list=make_list( '15.8(3)M1', '15.8(3)M0a', '15.8(3)M', '15.7(3)M4b', '15.7(3)M4a', '15.7(3)M4', '15.7(3)M3', '15.7(3)M2', '15.7(3)M1', '15.7(3)M' ); workarounds = make_list(CISCO_WORKAROUNDS['ios_iox_host_list']); workaround_params = make_list(); reporting = make_array( 'port' , 0, 'severity' , SECURITY_HOLE, 'version' , product_info['version'], 'bug_id' , 'CSCvm86480', 'cmds' , make_list('show iox list detail') ); cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list, router_only:TRUE);

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-ios-gos-auth

Part	Description	Count
OS	Cisco Cisco IOS 15.7\(3\)M3	1
Hardware	Cisco Cisco 807 Industrial Integrated Services Routers - Cisco 809 Industrial Integrated Services Routers - Cisco 829 Industrial Integrated Services Routers - Cisco Cgr1240 - Cisco CGR 1120 -	5