Vulnerabilities > CVE-2019-12671 - Incorrect Authorization vulnerability in Cisco IOS XE 16.11.1

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
cisco
CWE-863
nessus

Summary

A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to gain shell access on an affected device and execute commands on the underlying operating system (OS). The vulnerability is due to insufficient enforcement of the consent token in authorizing shell access. An attacker could exploit this vulnerability by authenticating to the CLI and requesting shell access on an affected device. A successful exploit could allow the attacker to gain shell access on the affected device and execute commands on the underlying OS.

Common Weakness Enumeration (CWE)

Nessus

NASL familyCISCO
NASL idCISCO-SA-20190925-IOSXE-CTBYPASS.NASL
descriptionAccording to its self-reported version, Cisco IOS XE Software is affected by a vulnerability it the CLI. The source of the vulnerability is insufficient enforcement of the consent token in authorizing shell access. By authenticating to the CLI and requesting shell access, an attacker could use this vulnerability to run commands on the underlying OS. Please see the included Cisco BIDs and Cisco Security Advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application
last seen2020-05-09
modified2019-10-04
plugin id129586
published2019-10-04
reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/129586
titleCisco IOS XE Software Consent Token Bypass Vulnerability (cisco-sa-20190925-iosxe-ctbypass)
code
#TRUSTED af2b810bdd7a0c0bcc5fb1cfd69292fba8962f9331e4bf3cd56baa5b0c76568f90c20c468d354ae9a52dbc4ca082b24591619dad7e9a72a29b26925aff4b1928dd6b0b6c8350de5b6182d62ee616d654ca459c9561b0c5a5b41cd7731a0dfb21b541851c0e56f13838381c3faf6fbb7f28a76974873b2ff680c6fb85cd319d44702f9546aaf84f344d54839bfe8ab3723f34d58b6f478bb859f2afd9246d97b7ad93c3d98c21e63a92651d6637bb570ebeaba202f8a6e8eafbf8e09f9fa396d68a9d49a10a475a11744ac8b511c9d6621712583c3f0fa53d05ced08ef5647318092fe36d165652ad07a021344239d67fa16196ebe7d90ce4752318f0b3b3e9157df6893d06a17fd65cd2d03ef70e1e42b912f077a8c3893dc75b4a542ab887e4b60110325613bb9ffde77ff74909bb3983658958020e3d9f2177f7e1d7b8aa56ddf82f45a09457423d556c647c771bb10d87e67f937042c70007fc5ab3b0cfa896711b6fa31b15bf6aeffabb066926c1ccdc3e290a08ee7fbc52edfb0946974fb653321e6000762ff97ddadc9ba7bec248bab8f8b7eeac279d19546aac0116e78927dfe3cd2b743bd699250950946e41d1cb7aa9de31bf0d47da0aadfbab720cd0fbc791efd346fa21abeb7d26bc23f02e8c466f31f26c847194bcc4597de986e927c082c4b2b67214579af68e4beb4eb0052f7c771a985d21a31f76cfdd00b8
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(129586);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/08");

  script_cve_id("CVE-2019-12671");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvp34481");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20190925-iosxe-ctbypass");
  script_xref(name:"IAVA", value:"2019-A-0352-S");

  script_name(english:"Cisco IOS XE Software Consent Token Bypass Vulnerability (cisco-sa-20190925-iosxe-ctbypass)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected by a vulnerability it the CLI. The source of
the vulnerability is insufficient enforcement of the consent token in authorizing shell access. By authenticating to
the CLI and requesting shell access, an attacker could use this vulnerability to run commands on the underlying OS.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-iosxe-ctbypass
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?10434195");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp34481");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvp34481");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-12671");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(285);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/09/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/04");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include('audit.inc');
include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco IOS XE Software');

version_list=make_list(
  '3.6.10E',
  '3.4.6SG',
  '3.4.5SG',
  '3.2.9SG',
  '3.2.0JA',
  '3.18.3bSP',
  '3.14.0S',
  '3.13.9S',
  '3.13.1S',
  '16.9.3s',
  '16.11.1a',
  '16.11.1'
);

workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
workaround_params = make_list();


reporting = make_array(
'port'     , 0,
'severity' , SECURITY_HOLE,
'version'  , product_info['version'],
'bug_id'   , 'CSCvp34481'
);

cisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list);