Executive Summary

Title: Cisco IOS XE Software HTTP Command Injection Vulnerability
Name: cisco-sa-20170322-xeci
Vendor: Cisco
First vendor publication: 2017-03-22
Last vendor modification: 2017-03-22
Severity (vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Impact subscore: N/A
Exploitability subscore: N/A
Temporal score: N/A
Environmental score: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS base score: 9
CVSS impact score: 10
CVSS exploitability score: 8
Attack range: Network
Attack complexity: Low
Authentication: Requires single instance

Detail

A vulnerability in the web framework of Cisco IOS XE Software could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.

The vulnerability is due to insufficient input validation of HTTP parameters supplied by the user. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the affected web page parameter. The user must be authenticated to access the affected parameter. A successful exploit could allow the attacker to execute commands with root privileges.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-xeci

This advisory is part of the March 22, 2017, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes five Cisco Security Advisories that describe five vulnerabilities. All the vulnerabilities have a Security Impact Rating of High. For a complete list of the advisories and links to them, see Cisco Event Response: March 2017 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication (http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-60851).


Original Source

URL: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco (...)

CWE : Common Weakness Enumeration

Weight: 100 % - Id: CWE-20 - Name: Improper Input Validation

CPE : Common Platform Enumeration

Type: OS - Count: 2

Snort® IPS/IDS

Date: 2017-03-23
Description: Cisco IOS XE webui software upgrade command injection attempt
Rule ID: 42061 - Revision: 1 - Type: SERVER-WEBAPP

Nessus® Vulnerability Scanner

Date: 2017-03-29
Name: The remote device is missing a vendor-supplied security patch.
File: cisco-sa-20170322-xeci.nasl - Type: ACT_GATHER_INFO

Alert History

Date - Information
2017-03-30 13:24:40
  • Multiple Updates
2017-03-27 21:22:44
  • Multiple Updates
2017-03-23 00:25:04
  • Multiple Updates
2017-03-22 21:22:55
  • First insertion