Vulnerabilities > CVE-2019-1851 - Unspecified vulnerability in Cisco Identity Services Engine 2.2(0.470)/2.3(0.298)/2.4(0.357)

#TRUSTED 34a1eb5623d385c71edd2069a63800a458fd350f3c282944f7a398b3eaadc7f60d7f2ad6273208790b7d8846c5d14ecff074bce4039863615d5e0526010e4fbaff27995100b7c3b0e849fec96786b62e6b99091090cd22ecf59de3179d652bfbabb4bdf9e02ec9346b5b03711a73d99f89634f6a08442b76825138e41a5522b129f64ce8eb0d217b8caf89d44f7285530490a99b6d5c7ab693dba5c78038541e6f9ef50aa2d5ff41665253031864a94eaf7061bfece6073093c4bff17fe3c1d0029e978f89e4b004447e4f9790bd4f6f189592367c3e57e7c15be97d948a57310746d9c3544ef355bce4e70663dda443062821e67ea2f892570d865edb9cbdc710d6129585caa796921645efe6fafc0db6cbfb5ef2d27078e3e77dc2a89973627f247bae209e8ce985af25380d290ded19a95c0b74f23133022d167b0b4c20ee0d82c080e6f9e8a616f9135f9c517217e66a1986809899d92fb7c150f68e4ef792f2ac734e2ea03b4376618adab86ed0e8327405345ddfb1993dbacdc122327942412045efede68c6362ddfbc44410903b9272cba16a8ae19f88e770becb5955b11c78330148b5012a9896f779714b4619356aecb80da939a3dccc6466de0e06aeb610f8dca6131daac16c90f2fd3c5731ae00a29fa6b447f60bf41db071bbe88fe02a43cc73538416eb1c9de4a87331022aebf8ec681ba1b7dc19042ac72e61
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(128684);
  script_version("1.7");
  script_cvs_date("Date: 2020/02/14");

  script_cve_id("CVE-2019-1851");
  script_bugtraq_id(108356);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvm81230");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20190515-ise-certcreation");

  script_name(english:"Cisco Identity Services Engine Arbitrary Client Certificate Creation Vulnerability");
  script_summary(english:"Checks the version of Cisco Identity Services Engine Software");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"A vulnerability in the External RESTful Services (ERS) API of the
 Cisco Identity Services Engine (ISE) could allow an authenticated,
 remote attacker to generate arbitrary certificates signed by the
 InternalCertificate Authority (CA) Services on ISE. This
 vulnerability is due to an incorrect implementation of role-based
 access control (RBAC). An attacker could exploit this vulnerability
 by crafting a specific HTTP request with administrative credentials.
 A successful exploit could allow the attacker to generate a
 certificate that is signed and trusted by the ISE CA with arbitrary
 attributes. The attacker could use this certificate to access other
 networks or assets that are protected by certificate authentication.

Please see the included Cisco BIDs and Cisco Security Advisory for
more information");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-ise-certcreation
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?980cfdbf");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm81230");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID
CSCvm81230");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1851");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(285);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/11");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:identity_services_engine");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ise_detect.nbin");
  script_require_keys("Host/Cisco/ISE/version", "Settings/ParanoidReport");

  exit(0);
}

include('audit.inc');
include('cisco_workarounds.inc');
include('ccf.inc');
include('lists.inc');

product_info = cisco::get_product_info(name:'Cisco Identity Services Engine Software');
if (report_paranoia < 2) audit(AUDIT_PARANOID);

vuln_ranges = [
{ 'min_ver' : '0.0', 'fix_ver' : '2.2.0.470' },
{ 'min_ver' : '2.3.0', 'fix_ver' : '2.3.0.298' },
{ 'min_ver' : '2.4.0', 'fix_ver' : '2.4.0.357' }
];

workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
workaround_params = make_list();

# ISE version doesn't change when patches are installed, so even if
# they are on the proper version we have to double check patch level
required_patch = '';
if (product_info['version'] =~ "^2\.2\.0($|[^0-9])") required_patch = '15';
else if (product_info['version'] =~ "^2\.3\.0($|[^0-9])") required_patch = '7';
else if (product_info['version'] =~ "^2\.4\.0($|[^0-9])") required_patch = '8';

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvm81230',
  'fix'      , 'See advisory'
);

# uses required_patch parameters set by above version ranges
cisco::check_and_report(
    product_info:product_info,
    reporting:reporting,
    workarounds:workarounds,
    workaround_params:workaround_params,
    vuln_ranges:vuln_ranges,
    required_patch:required_patch);