Vulnerabilities > CVE-2019-12671 - Incorrect Authorization vulnerability in Cisco IOS XE 16.11.1

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

cisco

CWE-863

nessus

NVD

Published: 2019-09-25

Updated: 2023-05-23

Summary

A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to gain shell access on an affected device and execute commands on the underlying operating system (OS). The vulnerability is due to insufficient enforcement of the consent token in authorizing shell access. An attacker could exploit this vulnerability by authenticating to the CLI and requesting shell access on an affected device. A successful exploit could allow the attacker to gain shell access on the affected device and execute commands on the underlying OS.

Vulnerable Configurations

Part	Description	Count
OS	Cisco Cisco IOS XE 16.11.1	2
Hardware	Cisco Cisco 4321/K9 RF Integrated Services Router - Cisco 4321/K9 WS Integrated Services Router - Cisco 4321/K9 Integrated Services Router - Cisco 4331/K9 RF Integrated Services Router - Cisco 4331/K9 WS Integrated Services Router - Cisco 4331/K9 Integrated Services Router - Cisco 4351/K9 RF Integrated Services Router - Cisco 4351/K9 WS Integrated Services Router - Cisco 4351/K9 Integrated Services Router - Cisco Asr1001 HX - Cisco Asr1001 HX RF - Cisco Asr1001 X - Cisco Asr1001 X RF - Cisco Asr1001 X WS - Cisco Asr1002 HX - Cisco Asr1002 HX RF - Cisco Asr1002 HX WS - Cisco Asr1002 X - Cisco Asr1002 X RF - Cisco Asr1002 X WS - Cisco C1117 4P - Cisco C1117 4Plteea - Cisco C1117 4Pltela - Cisco Encs5412/K9 - Cisco Encs5412/K9 RF - Cisco Sasr1K1Xucmk9 1610 - Cisco Sasr1K2Xucmk9 1610 - Cisco Sasr1Khxucmk9 1610 - Cisco Sisr1100Ucmk9 1610 -	29

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

Nessus

NASL family	CISCO
NASL id	CISCO-SA-20190925-IOSXE-CTBYPASS.NASL
description	According to its self-reported version, Cisco IOS XE Software is affected by a vulnerability it the CLI. The source of the vulnerability is insufficient enforcement of the consent token in authorizing shell access. By authenticating to the CLI and requesting shell access, an attacker could use this vulnerability to run commands on the underlying OS. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-05-09
modified	2019-10-04
plugin id	129586
published	2019-10-04
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129586
title	Cisco IOS XE Software Consent Token Bypass Vulnerability (cisco-sa-20190925-iosxe-ctbypass)
code	#TRUSTED af2b810bdd7a0c0bcc5fb1cfd69292fba8962f9331e4bf3cd56baa5b0c76568f90c20c468d354ae9a52dbc4ca082b24591619dad7e9a72a29b26925aff4b1928dd6b0b6c8350de5b6182d62ee616d654ca459c9561b0c5a5b41cd7731a0dfb21b541851c0e56f13838381c3faf6fbb7f28a76974873b2ff680c6fb85cd319d44702f9546aaf84f344d54839bfe8ab3723f34d58b6f478bb859f2afd9246d97b7ad93c3d98c21e63a92651d6637bb570ebeaba202f8a6e8eafbf8e09f9fa396d68a9d49a10a475a11744ac8b511c9d6621712583c3f0fa53d05ced08ef5647318092fe36d165652ad07a021344239d67fa16196ebe7d90ce4752318f0b3b3e9157df6893d06a17fd65cd2d03ef70e1e42b912f077a8c3893dc75b4a542ab887e4b60110325613bb9ffde77ff74909bb3983658958020e3d9f2177f7e1d7b8aa56ddf82f45a09457423d556c647c771bb10d87e67f937042c70007fc5ab3b0cfa896711b6fa31b15bf6aeffabb066926c1ccdc3e290a08ee7fbc52edfb0946974fb653321e6000762ff97ddadc9ba7bec248bab8f8b7eeac279d19546aac0116e78927dfe3cd2b743bd699250950946e41d1cb7aa9de31bf0d47da0aadfbab720cd0fbc791efd346fa21abeb7d26bc23f02e8c466f31f26c847194bcc4597de986e927c082c4b2b67214579af68e4beb4eb0052f7c771a985d21a31f76cfdd00b8 # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(129586); script_version("1.7"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/08"); script_cve_id("CVE-2019-12671"); script_xref(name:"CISCO-BUG-ID", value:"CSCvp34481"); script_xref(name:"CISCO-SA", value:"cisco-sa-20190925-iosxe-ctbypass"); script_xref(name:"IAVA", value:"2019-A-0352-S"); script_name(english:"Cisco IOS XE Software Consent Token Bypass Vulnerability (cisco-sa-20190925-iosxe-ctbypass)"); script_set_attribute(attribute:"synopsis", value: "The remote device is missing a vendor-supplied security patch"); script_set_attribute(attribute:"description", value: "According to its self-reported version, Cisco IOS XE Software is affected by a vulnerability it the CLI. The source of the vulnerability is insufficient enforcement of the consent token in authorizing shell access. By authenticating to the CLI and requesting shell access, an attacker could use this vulnerability to run commands on the underlying OS. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-iosxe-ctbypass script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?10434195"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp34481"); script_set_attribute(attribute:"solution", value: "Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvp34481"); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-12671"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_cwe_id(285); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/25"); script_set_attribute(attribute:"patch_publication_date", value:"2019/09/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/04"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("cisco_ios_xe_version.nasl"); script_require_keys("Host/Cisco/IOS-XE/Version"); exit(0); } include('audit.inc'); include('cisco_workarounds.inc'); include('ccf.inc'); product_info = cisco::get_product_info(name:'Cisco IOS XE Software'); version_list=make_list( '3.6.10E', '3.4.6SG', '3.4.5SG', '3.2.9SG', '3.2.0JA', '3.18.3bSP', '3.14.0S', '3.13.9S', '3.13.1S', '16.9.3s', '16.11.1a', '16.11.1' ); workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']); workaround_params = make_list(); reporting = make_array( 'port' , 0, 'severity' , SECURITY_HOLE, 'version' , product_info['version'], 'bug_id' , 'CSCvp34481' ); cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list);

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-iosxe-ctbypass