CVE-2020-3227 - Incorrect Authorization vulnerability in Cisco IOS XE

CVSS: 9.8 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: network, low complexity, cisco, CWE-863, critical, nessus

Summary

A vulnerability in the authorization controls for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software could allow an unauthenticated, remote attacker to execute Cisco IOx API commands without proper authorization. The vulnerability is due to incorrect handling of requests for authorization tokens. An attacker could exploit this vulnerability by using a crafted API call to request such a token. An exploit could allow the attacker to obtain an authorization token and execute any of the IOx API commands on an affected device.

Vulnerable Configurations

Part    Description    Count
OS      Cisco          70

Common Weakness Enumeration (CWE)

Nessus

NASL family: CISCO
NASL id: CISCO-SA-IOXPE-KGGVCAF9-IOSXE.NASL
description: According to its self-reported version, Cisco IOS XE Software is affected by a vulnerability in the authorization controls for the Cisco IOx application hosting infrastructure due to incorrect handling of requests for authorization tokens. An unauthenticated, remote attacker can exploit this, by using a crafted API call to request such a token, in order to execute Cisco IOx API commands without proper authorization. Please see the included Cisco BIDs and Cisco Security Advisory for more information.
last seen: 2020-06-10
modified: 2020-06-05
plugin id: 137143
published: 2020-06-05
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/137143
title: Cisco IOx for IOS XE Software Privilege Escalation (cisco-sa-ioxPE-KgGvCAf9)
code:
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(137143);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/08");

  script_cve_id("CVE-2020-3227");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvq18527");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvq83400");
  script_xref(name:"CISCO-SA", value:"cisco-sa-ioxPE-KgGvCAf9");
  script_xref(name:"IAVA", value:"2020-A-0239");

  script_name(english:"Cisco IOx for IOS XE Software Privilege Escalation (cisco-sa-ioxPE-KgGvCAf9)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XE Software is affected by a vulnerability in the authorization
controls for the Cisco IOx application hosting infrastructure due to incorrect handling of requests for authorization
tokens. An unauthenticated, remote attacker can exploit this, by using a crafted API call to request such a token, in
order to execute Cisco IOx API commands without proper authorization.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ioxPE-KgGvCAf9
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fc91c220");
  script_set_attribute(attribute:"see_also", value:"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-73388");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq18527");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq83400");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvq18527, CSCvq83400");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3227");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(264);

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/06/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/06/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

get_kb_item_or_exit("Host/local_checks_enabled");

product_info = cisco::get_product_info(name:'Cisco IOS XE Software');

version_list=make_list(
  '16.9.4c',
  '16.9.4',
  '16.9.3s',
  '16.9.3h',
  '16.9.3a',
  '16.9.3',
  '16.9.2s',
  '16.9.2a',
  '16.9.2',
  '16.9.1s',
  '16.9.1d',
  '16.9.1c',
  '16.9.1b',
  '16.9.1a',
  '16.9.1',
  '16.8.3',
  '16.8.2',
  '16.8.1s',
  '16.8.1c',
  '16.8.1b',
  '16.8.1a',
  '16.8.1',
  '16.7.3',
  '16.7.2',
  '16.7.1',
  '16.6.6',
  '16.6.5b',
  '16.6.5a',
  '16.6.5',
  '16.6.4s',
  '16.6.4a',
  '16.6.4',
  '16.6.3',
  '16.6.2',
  '16.6.1',
  '16.5.3',
  '16.5.2',
  '16.5.1b',
  '16.5.1a',
  '16.5.1',
  '16.4.3',
  '16.4.2',
  '16.4.1',
  '16.3.9',
  '16.3.8',
  '16.3.7',
  '16.3.6',
  '16.3.5b',
  '16.3.5',
  '16.3.4',
  '16.3.3',
  '16.3.2',
  '16.3.1a',
  '16.3.1',
  '16.12.1c',
  '16.12.1a',
  '16.12.1',
  '16.11.1s',
  '16.11.1c',
  '16.11.1b',
  '16.11.1a',
  '16.11.1',
  '16.10.3',
  '16.10.2',
  '16.10.1s',
  '16.10.1e',
  '16.10.1b',
  '16.10.1a',
  '16.10.1'
);

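# Configuration check: limit the finding to devices where IOx is enabled
# (evaluated against the output of 'show running-config', see 'cmds' below).
workarounds = make_list(CISCO_WORKAROUNDS['iox_enabled']);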

reporting = make_array(
'port'     , 0,
'severity' , SECURITY_HOLE,
'version'  , product_info['version'],
'bug_id'   , 'CSCvq18527, CSCvq83400',
'cmds'     , make_list('show running-config')
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  reporting:reporting,
  vuln_versions:version_list
);