Vulnerabilities > CVE-2019-15255 - Missing Authorization vulnerability in Cisco Identity Services Engine 2.2/2.2(0.470)

CVSS 4.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
cisco
CWE-862
nessus

Summary

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass authorization and access sensitive information related to the device. The vulnerability exists because the software fails to sanitize URLs before it handles requests. An attacker could exploit this vulnerability by submitting a crafted URL. A successful exploit could allow the attacker to gain unauthorized access to sensitive information.

Vulnerable Configurations

Part | Description | Count
Application | Cisco | 2

Common Weakness Enumeration (CWE)

Nessus

NASL family: CISCO
NASL id: CISCO-SA-20200108-ISE-AUTH-BYPASS.NASL
description: An authentication bypass vulnerability exists in the web-based management component of Cisco Identity Services Engine due to insufficient validation of user-supplied URL input. An authenticated, remote attacker can exploit this, by submitting a specially crafted URL to an affected host, to bypass authentication and gain access to sensitive information.
last seen: 2020-03-17
modified: 2020-02-24
plugin id: 133864
published: 2020-02-24
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/133864
title: Cisco Identity Services Engine Authorization Bypass (cisco-sa-20200108-ise-auth-bypass)
code
#TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

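# Plugin registration block. When the scanner evaluates the script with
# `description` set, only the metadata below is registered and the script
# exits (exit(0) at the end) before any of the check logic further down runs.
if (description)
{
  script_id(133864);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/25");

  # Cross-references a defender can use to correlate this finding with the
  # vendor advisory, the Cisco bug tracker and the IAVA notice.
  script_cve_id("CVE-2019-15255");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvq67348");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20200108-ise-auth-bypass");
  script_xref(name:"IAVA", value:"2019-A-0361");

  script_name(english:"Cisco Identity Services Engine Authorization Bypass (cisco-sa-20200108-ise-auth-bypass)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  # NOTE(review): the text below says "authentication bypass", yet it also
  # describes the attacker as already authenticated, and script_name() above
  # calls the issue an authorization bypass. Triage it as an authorization
  # flaw (low-privileged user reading data they should not see). The string
  # is kept as published.
  script_set_attribute(attribute:"description", value:
"An authentication bypass vulnerability exists in the web-based
management component of Cisco Identity Services Engine due to
insufficient validation of user-supplied URL input. An authenticated,
remote attacker can exploit this, by submitting specially crafted URL
to an affected host, to bypass authentication and gain access to
sensitive information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-ise-auth-bypass
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c44d3d67");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq67348");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCvq67348.");
  # CVSS v2 rates confidentiality impact as Partial (C:P) while the v3.0
  # vector rates it High (C:H); both require an authenticated user
  # (Au:S / PR:L) and network access.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-15255");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  # NOTE(review): the advisory ID encodes 2020-01-08, while both dates below
  # say 2020/01/26 -- confirm against the vendor advisory.
  script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/01/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  # A CPE URI carries a single part prefix; ISE is an application ('a').
  # A doubled "cpe:/o:cpe:/a:" prefix would not match asset inventories
  # keyed on the product's CPE.
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:identity_services_engine");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The check is version-based: it only runs when the ISE detection plugin
  # has already stored a version string under the required key.
  script_dependencies("cisco_ise_detect.nbin");
  script_require_keys("Host/Cisco/ISE/version");

  exit(0);
}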

include('audit.inc');
include('cisco_workarounds.inc');
include('ccf.inc');

# Version and patch-level check for Cisco bug CSCvq67348. Nothing is sent to
# the target here: the decision is made from the product information already
# collected for the host.
product_info = cisco::get_product_info(name:'Cisco Identity Services Engine Software');

# Installing an ISE patch leaves the version string unchanged, so a host on
# the right release still needs its patch level verified. Only the 2.2.0
# train gets a patch requirement; any other version keeps the empty string.
required_patch = '';
if (product_info['version'] =~ "^2\.2\.0($|[^0-9])")
  required_patch = '16';

# NOTE(review): min_ver equals fix_ver, so the range on its own looks empty;
# detection presumably hinges on required_patch -- confirm against ccf.inc.
vuln_ranges = [
  {'min_ver':'2.2.0', 'fix_ver':'2.2.0'}
];

# No configuration workaround is checked for this bug.
workaround_params = make_list();
workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);

# Fields handed to the reporting helper; 'fix' points the reader at the
# advisory instead of naming a release.
reporting = make_array(
  'port', 0,
  'severity', SECURITY_WARNING,
  'version', product_info['version'],
  'bug_id', 'CSCvq67348',
  'fix', 'See advisory'
);

# required_patch carries the patch level chosen by the version match above.
cisco::check_and_report(
  product_info:      product_info,
  reporting:         reporting,
  workarounds:       workarounds,
  workaround_params: workaround_params,
  vuln_ranges:       vuln_ranges,
  required_patch:    required_patch
);