CVE-2019-1679 - Server-Side Request Forgery (SSRF) vulnerability in Cisco TelePresence Video Communication Server
Summary
A vulnerability in the web interface of Cisco TelePresence Conductor, Cisco Expressway Series, and Cisco TelePresence Video Communication Server (VCS) Software could allow an authenticated, remote attacker to trigger an HTTP request from an affected server to an arbitrary host. This type of attack is commonly referred to as server-side request forgery (SSRF). The vulnerability is due to insufficient access controls for the REST API of Cisco Expressway Series and Cisco TelePresence VCS. An attacker could exploit this vulnerability by submitting a crafted HTTP request to the affected server. Exploitation requires valid credentials; the attacker must already be authenticated to the web interface. For Cisco TelePresence Conductor, versions prior to XC4.3.4 are affected; for Cisco Expressway Series and Cisco TelePresence VCS the fix is version X12.5, as reflected in the Nessus version checks below.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family: CISCO
NASL id: CISCO_TELEPRESENCE_VCS_CSCVN33987.NASL
description: According to its self-reported version number, the Cisco TelePresence VCS or Expressway Series on the remote host contains a vulnerability in its web interface that could allow an authenticated, remote attacker to trigger an HTTP request from the affected server to an arbitrary host. This type of attack is commonly referred to as server-side request forgery (SSRF).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 128177
published: 2019-08-27
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/128177
title: Cisco TelePresence VCS / Expressway Series < 12.5 REST API Server-Side Request Forgery Vulnerability
code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(128177);
  script_version("1.2");
  script_cvs_date("Date: 2019/10/17 14:31:04");

  script_cve_id("CVE-2019-1679");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvn33987");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20190206-rest-api-ssrf");

  script_name(english:"Cisco TelePresence VCS / Expressway Series < 12.5 REST API Server-Side Request Forgery Vulnerability");
  script_summary(english:"Checks the software version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a server-side request forgery vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Cisco TelePresence VCS or
Expressway Series on the remote host contains a vulnerability in its web
interface that could allow an authenticated, remote attacker to trigger an
HTTP request from the affected server to an arbitrary host. This type of
attack is commonly referred to as server-side request forgery (SSRF).");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvn33987");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-rest-api-ssrf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ee44583b");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 12.5 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1679");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/02/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:telepresence_video_communication_server_software");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:expressway_software");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_telepresence_video_communication_server_detect.nbin");
  script_require_keys("Cisco/TelePresence_VCS/Version");

  exit(0);
}

include("vcf.inc");

# Version string is taken from the KB entry populated by the detection plugin above.
app = "Cisco TelePresence Device";
app_info = vcf::get_app_info(app:app, port:port, kb_ver:'Cisco/TelePresence_VCS/Version');

# Affected: X8.7 up to, but not including, the fixed release X12.5.
constraints = [
  { "min_version" : "8.7", "fixed_version" : "12.5" }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
NASL family: CISCO
NASL id: CISCO_TELEPRESENCE_CONDUCTOR_CSCVN51692.NASL
description: According to its self-reported version number, the remote Cisco TelePresence Conductor device is affected by a server-side request forgery vulnerability that could allow an authenticated, remote attacker to trigger an HTTP request from the affected server to an arbitrary host. Note that an attacker must be authenticated before the device is exposed to this exploit.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 128176
published: 2019-08-27
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/128176
title: Cisco TelePresence Conductor REST API Server-Side Request Forgery Vulnerability
code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(128176);
  script_version("1.2");
  script_cvs_date("Date: 2019/10/17 14:31:04");

  script_cve_id("CVE-2019-1679");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvn51692");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20190206-rest-api-ssrf");

  script_name(english:"Cisco TelePresence Conductor REST API Server-Side Request Forgery Vulnerability");
  script_summary(english:"Checks the software version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Cisco TelePresence Conductor device is affected by a server-side request forgery vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the remote Cisco TelePresence
Conductor device is affected by a server-side request forgery vulnerability
that could allow an authenticated, remote attacker to trigger an HTTP request
from the affected server to an arbitrary host.

Note that an attacker must be authenticated before the device is exposed to
this exploit.");
  # Bug ID matches the CISCO-BUG-ID cross-reference for this plugin.
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn51692");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-rest-api-ssrf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ee44583b");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version XC4.3.4 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1679");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/02/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/27");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:telepresence_conductor");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_telepresence_conductor_detect.nbin");
  script_require_keys("Host/Cisco_TelePresence_Conductor/Version");

  exit(0);
}

include("vcf.inc");

# Version string is taken from the KB entry populated by the detection plugin above.
app = "Cisco TelePresence Conductor";
app_info = vcf::get_app_info(app:app, port:port, kb_ver:'Host/Cisco_TelePresence_Conductor/Version');

# Affected: XC1.0.0 up to, but not including, the fixed release XC4.3.4.
constraints = [
  { "min_version" : "1.0.0", "fixed_version" : "4.3.4" }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
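Both plugins above reduce to the same check: the self-reported version is vulnerable when it is at or above min_version and strictly below fixed_version. The following is an added example, not Cisco's or Tenable's code, of that check in Python for use in an inventory script or a triage notebook. The ranges are the ones the page states (8.7 up to but excluding 12.5 for VCS/Expressway, 1.0.0 up to but excluding 4.3.4 for Conductor); the "X"/"XC" version prefixes, the product inference from those prefixes, and the sample version strings are assumptions of the example. The point worth seeing is that versions must be compared numerically, component by component: as plain strings "8.11.4" sorts after "12.5", which would silently mark an affected VCS as fixed.

```python
import re
from typing import Dict, Optional, Tuple

# Version ranges as stated by the two Nessus plugins on this page
# (min_version / fixed_version per product). Everything else here is an
# added example, not Cisco or Tenable code.
AFFECTED: Dict[str, Tuple[str, str]] = {
    "vcs": ("8.7", "12.5"),          # VCS / Expressway Series, fixed in 12.5
    "conductor": ("1.0.0", "4.3.4"),  # TelePresence Conductor, fixed in XC4.3.4
}

# Assumed shape of self-reported versions: an optional letter prefix such as
# "X" or "XC" followed by a dotted number, e.g. "X12.5.1", "XC4.3.3", "8.11.4".
_VERSION_RE = re.compile(r"^\s*(?P<prefix>X[A-Z]*)?(?P<num>\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(raw: str) -> Tuple[str, Tuple[int, ...]]:
    """Return (upper-cased letter prefix, numeric component tuple)."""
    m = _VERSION_RE.match(raw)
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    numbers = tuple(int(part) for part in m.group("num").split("."))
    return (m.group("prefix") or "").upper(), numbers


def compare_versions(a: str, b: str) -> int:
    """Numeric dotted comparison: -1 if a < b, 0 if equal, 1 if a > b.
    Missing trailing components count as zero, so 12.5 equals 12.5.0."""
    _, ta = parse_version(a)
    _, tb = parse_version(b)
    width = max(len(ta), len(tb))
    ta = ta + (0,) * (width - len(ta))
    tb = tb + (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def product_for(raw: str, product: Optional[str] = None) -> str:
    """Pick the product line to check against. Assumption of this example:
    the XC prefix is used by Conductor and a bare X prefix by VCS/Expressway.
    A version without a prefix is ambiguous, so the caller must name the product."""
    if product is not None:
        if product not in AFFECTED:
            raise ValueError(f"unknown product {product!r}")
        return product
    prefix, _ = parse_version(raw)
    if prefix == "XC":
        return "conductor"
    if prefix == "X":
        return "vcs"
    raise ValueError("version has no X/XC prefix; pass product= explicitly")


def is_vulnerable(raw: str, product: Optional[str] = None) -> bool:
    """True when the reported version lies in [min_version, fixed_version)."""
    key = product_for(raw, product)
    low, fixed = AFFECTED[key]
    return compare_versions(raw, low) >= 0 and compare_versions(raw, fixed) < 0


if __name__ == "__main__":
    # Constructed sample inventory, not real device output.
    for sample in ("X8.11.4", "X12.5", "X12.5.1", "XC4.3.3", "XC4.3.4"):
        state = "VULNERABLE" if is_vulnerable(sample) else "fixed"
        print(f"{sample:10s} {state}")
```

Feed it the version string the device reports in its web interface or that your discovery tooling already records; for exports that strip the X/XC prefix, pass product= explicitly rather than guessing. The min_version bound matters as much as the fixed bound: a VCS reporting 8.6 is outside the range the plugin flags, and the check says so instead of treating every older release as affected.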