Vulnerabilities > CVE-2019-12648 - Incorrect Authorization vulnerability in Cisco IOS 15.7(3)M3

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
cisco
CWE-863
nessus

Summary

A vulnerability in the IOx application environment for Cisco IOS Software could allow an authenticated, remote attacker to gain unauthorized access to the Guest Operating System (Guest OS) running on an affected device. The vulnerability is due to incorrect role-based access control (RBAC) evaluation when a low-privileged user requests access to a Guest OS that should be restricted to administrative accounts. An attacker could exploit this vulnerability by authenticating to the Guest OS by using the low-privileged-user credentials. An exploit could allow the attacker to gain unauthorized access to the Guest OS as a root user.

Common Weakness Enumeration (CWE)

Nessus

NASL familyCISCO
NASL idCISCO-SA-20190925-IOS-GOS-AUTH.NASL
descriptionAccording to its self-reported version, IOS is affected by a vulnerability in the IOx application environment. This is due to incorrect role-based access control evaluation when a low-privileged user request access to a Guest OS that should be restricted to administrative accounts. An attacker can exploit this vulnerability by authenticating to the Guest OS using the low-privileged user credentials in order to gain unauthorized access to the GuestOS as a root user. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application
last seen2020-06-01
modified2020-06-02
plugin id129713
published2019-10-08
reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/129713
titleCisco IOx for IOS Software Guest Operating System Unauthorized Access Vulnerability (cisco-sa-20190925-ios-gos-auth)
code
#TRUSTED 2b52434dfe9d448be1b2ab3ce4aeab36e7e901f4499cdb2b06524feabcd2f7360a8af8f662490b8ef68ff6f2fc85dbfa31155876a633d8ef9e2a98c5378f19dfd39f9622b7d372010741e92bfd7c4ac19ff5fbd576e51d271944fd98298c33201de53e01012ba76c6f5754dfb4a20953df35c5cdfd4afe3852930f472b538d2c79bc9d80126abfd670d0e99adfc7dc83d4e516f012a8569b2929e9f2e8957ddf868b732cecd3c7fae8c482eaa041fd67114b3d723c6e6e7cd76590a5f0829ac39cbd00f1bffeee3c8afa3c1f7aaf42bd59a9daec54870891fcbe0bfe813ee01d5cb0847cf38ccb606ecc2d9fcc39f919b7089a39ecab8eba0672e7fd055df3810dab2bb72319709357b8978289a413b6cafdc028407c7c96d9ed7f43479a421f0d2365cfb1b2cc684549b0d460abe5323bb5a7543528d59575bc0ee1cac3cf08412e3a82beca17c063c4633304d32e0aab43a229195c45d3d1f8ebcac586882dbc71c07cb2d154f5a4e1aec1aa5a537439f102d203e7bd84b5507f281cbb76d1cddb1e1afc6d1bc0b1a2052059ca2053088019557e64186135bab64aca18bce39c67f6df07c35b4ca7548de47b011d7eda87b863a50cd7cf9528ffcd49e1505693d06828857cd6eb66cdae989ab1a635f21f36dc2290a92a494ad05e01d4a5ebd610068a5398b471d0c9c1b1a6c39728bad17fd67009c479b126053bd9c63755
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(129713);
  script_version("1.5");
  script_cvs_date("Date: 2019/12/20");

  script_cve_id("CVE-2019-12648");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvm86480");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20190925-ios-gos-auth");

  script_name(english:"Cisco IOx for IOS Software Guest Operating System Unauthorized Access Vulnerability (cisco-sa-20190925-ios-gos-auth)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, IOS is affected by a vulnerability in the IOx application environment. This is
due to incorrect role-based access control evaluation when a low-privileged user request access to a Guest OS that
should be restricted to administrative accounts. An attacker can exploit this vulnerability by authenticating to the
Guest OS using the low-privileged user credentials in order to gain unauthorized access to the GuestOS as a root user.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-ios-gos-auth
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?378b51aa");
  script_set_attribute(attribute:"see_also", value:"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-72547");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm86480");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvm86480");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-12648");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(284);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/09/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_version.nasl");
  script_require_keys("Host/Cisco/IOS/Version", "Host/Cisco/IOS/Model");

  exit(0);
}

include('audit.inc');
include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco IOS');
model = product_info.model;

if (
    ( model !~ '^IR8[0-9]{2}([^0-9]|$)') &&
    !('CGR' >< model && model =~ '[^0-9]1[0-9]{3}([^0-9]|$)')
   )
  audit(AUDIT_HOST_NOT, 'affected');

version_list=make_list(
  '15.8(3)M1',
  '15.8(3)M0a',
  '15.8(3)M',
  '15.7(3)M4b',
  '15.7(3)M4a',
  '15.7(3)M4',
  '15.7(3)M3',
  '15.7(3)M2',
  '15.7(3)M1',
  '15.7(3)M'
);

workarounds = make_list(CISCO_WORKAROUNDS['ios_iox_host_list']);
workaround_params = make_list();


reporting = make_array(
'port'     , 0,
'severity' , SECURITY_HOLE,
'version'  , product_info['version'],
'bug_id'   , 'CSCvm86480',
'cmds'     , make_list('show iox list detail')
);

cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list, router_only:TRUE);