Cisco IOS XE Software Web UI Command Injection (cisco-sa-web-cmdinj2-fOnjk2LD) - Nessus

High   Plugin ID: 139325

This page contains detailed information about the Cisco IOS XE Software Web UI Command Injection (cisco-sa-web-cmdinj2-fOnjk2LD) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 139325
Name: Cisco IOS XE Software Web UI Command Injection (cisco-sa-web-cmdinj2-fOnjk2LD)
Filename: cisco-sa-web-cmdinj2-fOnjk2LD.nasl
Vulnerability Published: 2020-06-03
This Plugin Published: 2020-08-05
Last Modification Time: 2021-01-08
Plugin Version: 1.6
Plugin Type: local
Plugin Family: CISCO
Dependencies: cisco_ios_xe_version.nasl
Required KB Items [?]: Host/Cisco/IOS-XE/Version

Vulnerability Information

Severity: High
Vulnerability Published: 2020-06-03
Patch Published: 2020-06-03
CVE [?]: CVE-2020-3219
CPE [?]: cpe:/o:cisco:ios_xe

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

According to its self-reported version, the IOS XE is affected by command injection vulnerability. A vulnerability in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to inject and execute arbitrary commands with administrative privileges on the underlying operating system of an affected device.

Please see the included Cisco BIDs and the Cisco Security Advisory for more information.

Solution

Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvq32594.

Public Exploits

Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (GitHub)
Exploit Ease: Exploits (PoCs) are available

Here's the list of publicly known exploits and PoCs for verifying the Cisco IOS XE Software Web UI Command Injection (cisco-sa-web-cmdinj2-fOnjk2LD) vulnerability:

  1. GitHub: https://github.com/AlAIAL90/CVE-2020-3219
    [CVE-2020-3219: PoC for exploiting CVE-2020-3219 : A vulnerability in the web UI of Cisco IOS XE ...]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS Score Source [?]: CVE-2020-3219
CVSS V2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C
CVSS Base Score:9.0 (High)
Impact Subscore:10.0
Exploitability Subscore:8.0
CVSS Temporal Score:6.7 (Medium)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:6.7 (Medium)
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
CVSS Base Score:8.8 (High)
Impact Subscore:5.9
Exploitability Subscore:2.8
CVSS Temporal Score:7.7 (High)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:7.7 (High)

Go back to menu.

Plugin Source

This is the cisco-sa-web-cmdinj2-fOnjk2LD.nasl nessus plugin source code. This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof. 

#TRUSTED 996072ba29a59bc7af1c811d8a24d4165d97c9e56d8d17e9910c6e99a3b2aec1264325cb37d9aea3f213b7561ece270664d88814cb87dd16780f3bf6467b14a6b66045b0e507b0099daab7ba09eafeaedd066360f437d747b3cbcfd504af1e13f1ddca3dbb09395bdc9f3b64ce6b23c65ddfde819ac0a3a0f7f5cf77af4923074ff363362298ae3be19614054aed8d5ec8d5471a399e5f31d06cb5cb87a15e049cb74146cafd6fa5df7029c5014075a35e3a33f745c4a11e7b763a7ac266795848f563efb27fdc824833ed25b9be12c24775910cc561ca744c85c458b3ed4255dbbaf9f386fb52ed7208e2940fe6b3824b26a712a487b9f81c8bbc9592237b8d025c56e6a523d36353170731a2e708a17f1e264c6821960fc81cf7677eaaae2e97a63d798444132c73d0ae1560c93f595d5a775dfca748cc356d498f1c0739378714d6dd447142b50e1b31289417431d911c04068eb16948ea7167eec8f24a9fe675e11cc2dd0839a0774013d5ade8b873e081471550b7bd064113f711ec5c453c61382a1a68e19dcc50038c9e721808f0671b1ed1e08765d5a0578e4774a4157e357584b97b3acb1d069d3c5c702b869ef03aecaf6a19c02e00a7d6c21fc9c0a157170f608abf8a3cad01bcd1ccbf80641147b3755b39df4286563fec005591dab71f77d2ae040ccf396869a1e3c0da1d630609232d32dae5129d591196da63
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(139325);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/08");

  script_cve_id("CVE-2020-3219");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvq32594");
  script_xref(name:"CISCO-SA", value:"cisco-sa-web-cmdinj2-fOnjk2LD");

  script_name(english:"Cisco IOS XE Software Web UI Command Injection (cisco-sa-web-cmdinj2-fOnjk2LD)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the IOS XE is affected by command injection vulnerability. A vulnerability
in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker to inject and execute arbitrary
commands with administrative privileges on the underlying operating system of an affected device.

Please see the included Cisco BIDs and the Cisco Security Advisory for more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-web-cmdinj2-fOnjk2LD
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a672eca9");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq32594");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvq32594.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3219");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/06/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/06/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/08/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include('audit.inc');
include('ccf.inc');
include('cisco_workarounds.inc');

product_info = cisco::get_product_info(name:"Cisco IOS XE Software");

version_list = make_list(
  '16.1.1',
  '16.1.2',
  '16.1.3',
  '16.2.1',
  '16.2.2',
  '16.3.1a',
  '16.3.2',
  '16.3.3',
  '16.3.4',
  '16.3.5',
  '16.3.5b',
  '16.3.6',
  '16.3.7',
  '16.3.8',
  '16.3.9',
  '16.3.10',
  '16.3.11',
  '16.4.1',
  '16.4.2',
  '16.4.3',
  '16.5.1',
  '16.5.1a',
  '16.5.1b',
  '16.5.2',
  '16.5.3',
  '16.6.1',
  '16.6.2',
  '16.6.3',
  '16.6.4',
  '16.6.4a',
  '16.6.4s',
  '16.6.5',
  '16.6.5a',
  '16.6.5b',
  '16.6.5',
  '16.6.6',
  '16.6.7',
  '16.6.7a',
  '16.7.1',
  '16.7.1a',
  '16.7.1b',
  '16.7.2',
  '16.6.5',
  '16.7.3',
  '16.7.4',
  '16.8.1',
  '16.8.1a',
  '16.8.1b',
  '16.8.1c',
  '16.8.1d',
  '16.8.1e',
  '16.8.1s',
  '16.8.2',
  '16.8.3',
  '16.9.1',
  '16.9.1a',
  '16.9.1b',
  '16.9.1c',
  '16.9.1d',
  '16.9.1s',
  '16.9.2',
  '16.9.2a',
  '16.9.2s',
  '16.9.3',
  '16.9.3a',
  '16.9.3h',
  '16.9.3s',
  '16.9.4',
  '16.9.4c',
  '16.10.1',
  '16.10.1a',
  '16.10.1b',
  '16.10.1c',
  '16.10.1d',
  '16.10.1e',
  '16.10.1f',
  '16.10.1g',
  '16.10.1s',
  '16.10.2',
  '16.10.3',
  '16.11.1',
  '16.11.1a',
  '16.11.1b',
  '16.11.1c',
  '16.11.1s',
  '16.11.2',
  '16.12.1',
  '16.12.1a',
  '16.12.1c',
  '16.12.1s',
  '16.12.1t',
  '16.12.1w',
  '16.12.1x',
  '16.12.1y'
);

workarounds = make_list(CISCO_WORKAROUNDS['HTTP_Server_iosxe']);
workaround_params = make_list();

reporting = make_array(
  'port'     , product_info['port'], 
  'severity' , SECURITY_HOLE,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvq32594',
  'cmds'     , make_list('show running-config')
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_versions:version_list
);

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/cisco-sa-web-cmdinj2-fOnjk2LD.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\cisco-sa-web-cmdinj2-fOnjk2LD.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/cisco-sa-web-cmdinj2-fOnjk2LD.nasl

Go back to menu.

How to Run

Here is how to run the Cisco IOS XE Software Web UI Command Injection (cisco-sa-web-cmdinj2-fOnjk2LD) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select CISCO plugin family.
  6. On the right side table select Cisco IOS XE Software Web UI Command Injection (cisco-sa-web-cmdinj2-fOnjk2LD) plugin ID 139325.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl cisco-sa-web-cmdinj2-fOnjk2LD.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a cisco-sa-web-cmdinj2-fOnjk2LD.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - cisco-sa-web-cmdinj2-fOnjk2LD.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state cisco-sa-web-cmdinj2-fOnjk2LD.nasl -t <IP/HOST>

Go back to menu.

References

Cisco Bug ID: Cisco Security Advisory: See also: Similar and related Nessus plugins:
  • 137631 - Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution (cisco-sa-tcl-ace-C9KuVKmm)
  • 137654 - Cisco IOS, IOS XE, and NX-OS Software Security Group Tag Exchange Protocol Denial of Service Vulnerability (cisco-sa-sxp-68TEVzR)
  • 137655 - Cisco IOS, IOS XE, and NX-OS Software Security Group Tag Exchange Protocol Denial of Service Vulnerability (cisco-sa-sxp-68TEVzR)
  • 137656 - Cisco IOS, IOS XE, and NX-OS Software Security Group Tag Exchange Protocol Denial of Service Vulnerability (cisco-sa-sxp-68TEVzR)
  • 137659 - Cisco Adaptive Security Appliance Software Web Services Information Disclosure (cisco-sa-asaftd-info-disclose-9eJtycMB)
  • 137835 - Cisco IOS Internet Key Exchange Version 2 DoS (cisco-sa-ikev2-9p23Jj2a)
  • 137836 - Cisco IOS XE Internet Key Exchange Version 2 DoS (cisco-sa-ikev2-9p23Jj2a)
  • 137901 - Cisco IOS Software One Platform Kit Remote Code Execution Vulnerability (cisco-sa-ios-nxos-onepk-rce-6Hhyt4dC)
  • 137902 - IOS XE Software One Platform Kit Remote Code Execution Vulnerability (cisco-sa-ios-nxos-onepk-rce-6Hhyt4dC)
  • 137903 - Cisco NX-OS Software One Platform Kit Remote Code Execution Vulnerability (cisco-sa-ios-nxos-onepk-rce-6Hhyt4dC)
  • 138016 - Cisco IOS and IOS XE Software Common Industrial Protocol Denial of Service (cisco-sa-cipdos-hkfTZXEx)
  • 138017 - Cisco IOS and IOS XE Software Common Industrial Protocol Denial of Service (cisco-sa-cipdos-hkfTZXEx)
  • 138018 - Cisco Webex Meetings Desktop App URL Filtering Arbitrary Program Execution (cisco-sa-webex-client-url-fcmpdfVY)
  • 138092 - Cisco IOS XE Software Flexible NetFlow Version 9 DoS (cisco-sa-iosxe-fnfv9-dos-HND6Fc9u)
  • 138894 - Cisco Adaptive Security Appliance Software Web Services Read-Only Path Traversal (cisco-sa-asaftd-ro-path-KJuQhB86)
  • 138895 - Cisco Firepower Threat Defense Software Web Services Read-Only Path Traversal (cisco-sa-asaftd-ro-path-KJuQhB86)
  • 139064 - Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal (cisco-sa-asaftd-ro-path-KJuQhB86)
  • 139540 - Cisco Data Center Network Manager Path Traversal (cisco-sa-dcnm-path-trav-2xZOnJdR)
  • 139545 - Multiple Vulnerabilities in Treck IP Stack Affecting Cisco Products: June 2020 (cisco-sa-treck-ip-stack-JyBQ5GyC)
  • 140131 - Cisco NX-OS Software Border Gateway Protocol Multicast VPN Session DoS (cisco-sa-nxosbgp-mvpn-dos-K8kbCrJp)
  • 140272 - Cisco Small Business RV340 Series Routers Firmware < 1.0.03.19 Command Injection and RCE (cisco-sa-rv-osinj-rce-pwTkPCJv)
  • 140632 - Cisco Data Center Network Manager Command Injection (cisco-sa-20200102-dcnm-comm-inject)
  • 141116 - Cisco IOS Software Information Disclosure (cisco-sa-info-disclosure-V4BmJBNF)
  • 141117 - Cisco IOS XE Software Information Disclosure (cisco-sa-info-disclosure-V4BmJBNF)
  • 141172 - Cisco IOS XE Software Web Management Framework Multiple Vulnerabilities (cisco-sa-ios-xe-webui-multi-vfTkk7yr)
  • 141192 - Cisco IP Phones Web Server RCE and DOS (cisco-sa-voip-phones-rce-dos-rB6EeRXs)
  • 141437 - Cisco IOS XE & Cisco IOS XE SDWAN Ethernet Frame DoS (cisco-sa-le-drTOB625)
  • 141830 - Cisco Firepower Threat Defense Software Web Services DoS (cisco-sa-asaftd-webdos-fBzM5Ynw)
  • 141831 - Cisco Adaptive Security Appliance Software Web Services DoS (cisco-sa-asaftd-webdos-fBzM5Ynw)
  • 142018 - Cisco IP Phones Web Server RCE and DOS (cisco-sa-20200205-voip-phones-rce-dos)
  • 142365 - Cisco SD-WAN vManage Software RCE (cisco-sa-vmanrce-4jtWT28P)
  • 142660 - Cisco SD-WAN vManage Software Authorization Bypass (cisco-sa-vmanuafw-ZHkdGGEy)
  • 143150 - Cisco Integrated Management Controller RCE (cisco-sa-ucs-api-rce-UXwpeDHd)
  • 143154 - Cisco IOS XE Software Packet Filtering Bypass (cisco-sa-cedge-filt-bypass-Y6wZMqm4)

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file cisco-sa-web-cmdinj2-fOnjk2LD.nasl version 1.6. For more plugins, visit the Nessus Plugin Library.

Go back to menu.