Cisco IOS Software Secure Copy Privilege Escalation Vulnerability - Cisco Systems

This script is (C) 2010-2014 Tenable Network Security, Inc.


Synopsis :

The remote device is missing a vendor-supplied security patch.

Description :

The server side of the Secure Copy (SCP) implementation in Cisco IOS
software contains a vulnerability that could allow authenticated users
with an attached command-line interface (CLI) view to transfer files to
and from a Cisco IOS device that is configured to be an SCP server,
regardless of what users are authorized to do, per the CLI view
configuration. This vulnerability could allow valid users to retrieve
or write to any file on the device's file system, including the
device's saved configuration and Cisco IOS image files, even if the CLI
view attached to the user does not allow it. This configuration file
may include passwords or other sensitive information.

The Cisco IOS SCP server is an optional service that is disabled by
default. CLI views are a fundamental component of the Cisco IOS
Role-Based CLI Access feature, which is also disabled by default.
Devices that are not specifically configured to enable the Cisco IOS
SCP server, or that are configured to use it but do not use role-based
CLI access, are not affected by this vulnerability.

This vulnerability does not apply to the Cisco IOS SCP client feature.
Cisco has released free software updates that address this
vulnerability.

There are no workarounds available for this vulnerability apart from
disabling either the SCP server or the CLI view feature if these
services are not required by administrators.

See also :

http://www.nessus.org/u?c4db32be
http://www.nessus.org/u?87fb42f7

Solution :

Apply the relevant patch referenced in Cisco Security Advisory
cisco-sa-20090325-scp.

Risk factor :

High / CVSS Base Score : 9.0
(CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: CISCO

Nessus Plugin ID: 49032 (cisco-sa-20090325-scphttp.nasl)

Bugtraq ID: 34247

CVE ID: CVE-2009-0637