Executive Summary
Summary | |
---|---|
Title | Cisco IOS XE Software HTTP Command Injection Vulnerability |
Information | | | |
---|---|---|---|
Name | cisco-sa-20170322-xeci | First vendor Publication | 2017-03-22 |
Vendor | Cisco | Last vendor Modification | 2017-03-22 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
CVSS vector : N/A | | | |
---|---|---|---|
Overall CVSS Score | N/A | | |
Base Score | N/A | Environmental Score | N/A |
Impact Sub Score | N/A | Temporal Score | N/A |
Exploitability Sub Score | N/A | | |
Security-Database Scoring CVSS v2
CVSS vector : (AV:N/AC:L/Au:S/C:C/I:C/A:C) | | | |
---|---|---|---|
CVSS Base Score | 9 | Attack Range | Network |
CVSS Impact Score | 10 | Attack Complexity | Low |
CVSS Exploit Score | 8 | Authentication | Requires single instance |
Detail
A vulnerability in the web framework of Cisco IOS XE Software could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation of HTTP parameters supplied by the user. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the affected web page parameter. The user must be authenticated to access the affected parameter. A successful exploit could allow the attacker to execute commands with root privileges.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-xeci

This advisory is part of the March 22, 2017, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes five Cisco Security Advisories that describe five vulnerabilities. All the vulnerabilities have a Security Impact Rating of High. For a complete list of the advisories and links to them, see Cisco Event Response: March 2017 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication (http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-60851).
Original Source
Url : http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco (...)
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-20 | Improper Input Validation |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Os | | 2 |
Snort® IPS/IDS
Date | Description |
---|---|
2017-03-23 | Cisco IOS XE webui software upgrade command injection attempt RuleID : 42061 - Revision : 1 - Type : SERVER-WEBAPP |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2017-03-29 | Name : The remote device is missing a vendor-supplied security patch. File : cisco-sa-20170322-xeci.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2017-03-30 13:24:40 | |
2017-03-27 21:22:44 | |
2017-03-23 00:25:04 | |
2017-03-22 21:22:55 | |