Executive Summary

Summary
Title Cisco NX-OS Software NX-API Arbitrary Code Execution Vulnerability
Informations
Name cisco-sa-20180620-nxos-bo First vendor Publication 2018-06-20
Vendor Cisco Last vendor Modification 2018-06-20
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to craft a packet to the management interface on an affected system, causing a buffer overflow.

The vulnerability is due to incorrect input validation in the authentication module of the NX-API subsystem. An attacker could exploit this vulnerability by sending a crafted HTTP or HTTPS packet to the management interface of an affected system with the NX-API feature enabled. An exploit could allow the attacker to execute arbitrary code as root.

Note: NX-API is disabled by default.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxos-bo ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxos-bo"]

This advisory is part of the June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection, which includes 24 Cisco Security Advisories that describe 24 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection ["https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-67770"].

BEGIN PGP SIGNATURE

iQJ5BAEBAgBjBQJbKnqVXBxDaXNjbyBQcm9kdWN0IFNlY3VyaXR5IEluY2lkZW50 IFJlc3BvbnNlIFRlYW0gKENpc2NvIFBTSVJUIGtleSAyMDE4LTIwMTkpIDxwc2ly dEBjaXNjby5jb20+AAoJEJa12PPJBfczA5UP/RONfMWnFAwB9o7cyK2ta9eWbmwb XWZ4VxQXUkE42LTiAZTWzEzEneymuy2Vw4tfYdQyuXWAptjpoUqNjeV3x37XSLjl YezaGVRw8EOaVi3D16noNw+WjPQ+JINQZ/NjOAsRbdQSwJICotqJ9s5QnXUsPb1a roKXNOj8tchMaUBaGSi1neUT9oK7f+ndtMytWeMQqVG9GtTJ3NdNr3BDdyeItknM vLqEDtJl4tfyAkQv5CU1m1kpuB+oXzas4l09qttcTqS+FCh8TZ20G0qVV9KI0T6L Mn9DHVpZP9E5DYgbdTra005iv14MCnfaIGBFccA9RNKTifeBL3j2OSy38ZcmHNW5 DbyjAT+SM23Z7CFRskcEeBWWwsmXoxSeB/HRkrbRuqYog+0X8PGaAdIwESQddeIl zufUwythsyb2xFzCgNMZh1dTVCqe05Ec91MHfKtx57nUDqKFZ0vVKO+Q9qVrcMrf +pLAOy6ZtBWiHeIl5rra1vFPGHjEYnmEsVjzxebRKLeREsGAO4O+J6Z3uK+ocgjB eCeI9GKyflFBmLvjgvx4uGLbkXH6s6N520uoECL9bTT3s7j7/KxphCDV+lv6p+9I gdPfh7/Pc9aIAYP8hsgvGScAjlBxLSrB7lAEQpZSuZKj3NR303slt8ZNOucOunOE A04L/a476EpOhgIH =EQSD END PGP SIGNATURE

_______________________________________________ cust-security-announce mailing list cust-security-announce@cisco.com To unsubscribe, send the command "unsubscribe" in the subject of your message to cust-security-announce-leave@cisco.com

Original Source

Url : http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco (...)

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 603
Os 589

Nessus® Vulnerability Scanner

Date Description
2018-06-25 Name : The remote device is missing a vendor-supplied security patch.
File : cisco-sa-20180620-nxapi.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2018-08-21 21:22:12
  • Multiple Updates
2018-06-21 00:21:09
  • Multiple Updates
2018-06-20 21:19:21
  • First insertion