Details of VAR-201311-0297

ID

VAR-201311-0297

CVE

CVE-2013-5556

TITLE

Cisco Nexus 1000V Switch and Nexus 1000V For switch Cisco Virtual Security Gateway Vulnerability gained in

Trust: 0.8

sources: JVNDB: JVNDB-2013-005152

DESCRIPTION

The license-installation module on the Cisco Nexus 1000V switch 4.2(1)SV1(5.2b) and earlier for VMware vSphere, Cisco Nexus 1000V switch 5.2(1)SM1(5.1) for Microsoft Hyper-V, and Cisco Virtual Security Gateway 4.2(1)VSG1(1) for Nexus 1000V switches allows local users to gain privileges and execute arbitrary commands via crafted "install all iso" arguments, aka Bug ID CSCui21340. Because the install all iso command fails to properly filter user input, the local attacker is allowed to submit the specially configured parameters to the install all iso command to execute the shell command. Local authenticated attackers can exploit this issue to execute arbitrary commands on the underlying operating system. This issue is being tracked by Cisco bug ID CSCui21340. The software is used to replace the built-in distributed virtual switch of Vmware, and includes two components: the virtual Ethernet module (VEM) running inside the hypervisor and the external virtual control engine module (VSM) that manages the VEM

Trust: 2.52

sources: NVD: CVE-2013-5556 // JVNDB: JVNDB-2013-005152 // CNVD: CNVD-2013-14509 // BID: 63732 // VULHUB: VHN-65558

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2013-14509

AFFECTED PRODUCTS

vendor:	cisco	model:	nexus 1000v	scope:	eq	version:	4.2\(1\)sv1\(5.1\)	Trust: 1.6
vendor:	cisco	model:	nexus 1000v	scope:	eq	version:	4.2\(1\)_sv1\(4a\)	Trust: 1.6
vendor:	cisco	model:	nexus 1000v	scope:	eq	version:	4.2\(1\)vsg1\(1\)	Trust: 1.6
vendor:	cisco	model:	nexus 1000v	scope:	eq	version:	4.2\(1\)sv1\(5.2\)	Trust: 1.6
vendor:	cisco	model:	nexus 1000v	scope:	eq	version:	4.2\(1\)sv1\(5.1a\)	Trust: 1.6
vendor:	cisco	model:	nexus 1000v	scope:	eq	version:	4.2\(1\)_sv1\(4\)	Trust: 1.6
vendor:	cisco	model:	nexus 1000v	scope:	eq	version:	4.2\(1\)_sv1\(4b\)	Trust: 1.6
vendor:	cisco	model:	nexus 1000v	scope:	eq	version:	5.2\(1\)sm1\(5.1\)	Trust: 1.6
vendor:	cisco	model:	nexus 1000v	scope:	lte	version:	4.2\(1\)sv1\(5.2b\)	Trust: 1.0
vendor:	cisco	model:	nexus 1000v switch	scope:	eq	version:	switch microsoft hyper-v for 5.2(1)sm1(5.1)	Trust: 0.8
vendor:	cisco	model:	nexus 1000v switch	scope:	lte	version:	switch vmware vsphere for 4.2(1)sv1(5.2b)	Trust: 0.8
vendor:	cisco	model:	nexus 1000v switch	scope:	eq	version:	for switch cisco virtual security gateway 4.2(1)vsg1(1)	Trust: 0.8
vendor:	cisco	model:	nexus	scope:	eq	version:	1000v	Trust: 0.6
vendor:	cisco	model:	nexus 1000v	scope:	eq	version:	4.2\(1\)sv1\(5.2b\)	Trust: 0.6
vendor:	cisco	model:	nexus	scope:	eq	version:	1000v0	Trust: 0.3

sources: CNVD: CNVD-2013-14509 // BID: 63732 // JVNDB: JVNDB-2013-005152 // CNNVD: CNNVD-201311-241 // NVD: CVE-2013-5556

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-5556
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2013-5556
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2013-14509
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201311-241
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-65558
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2013-5556
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:L/AC:L/AU:S/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.1
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2013-14509
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:L/AC:L/AU:S/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.1
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-65558
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:L/AC:L/AU:S/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.1
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2013-14509 // VULHUB: VHN-65558 // JVNDB: JVNDB-2013-005152 // CNNVD: CNNVD-201311-241 // NVD: CVE-2013-5556

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-65558 // JVNDB: JVNDB-2013-005152 // NVD: CVE-2013-5556

THREAT TYPE

local

Trust: 0.9

sources: BID: 63732 // CNNVD: CNNVD-201311-241

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201311-241

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-005152

PATCH

title:	Cisco Nexus 1000V Arbitrary Command Execution Vulnerability	url:	http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5556	Trust: 0.8
title:	31774	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=31774	Trust: 0.8
title:	Patch for Cisco Nexus 1000V Local Arbitrary Command Execution Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/41143	Trust: 0.6

sources: CNVD: CNVD-2013-14509 // JVNDB: JVNDB-2013-005152

EXTERNAL IDS

db:	NVD	id:	CVE-2013-5556	Trust: 3.4
db:	BID	id:	63732	Trust: 1.0
db:	JVNDB	id:	JVNDB-2013-005152	Trust: 0.8
db:	CNNVD	id:	CNNVD-201311-241	Trust: 0.7
db:	CNVD	id:	CNVD-2013-14509	Trust: 0.6
db:	CISCO	id:	20131114 CISCO NEXUS 1000V ARBITRARY COMMAND EXECUTION VULNERABILITY	Trust: 0.6
db:	VULHUB	id:	VHN-65558	Trust: 0.1

sources: CNVD: CNVD-2013-14509 // VULHUB: VHN-65558 // BID: 63732 // JVNDB: JVNDB-2013-005152 // CNNVD: CNNVD-201311-241 // NVD: CVE-2013-5556

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2013-5556	Trust: 2.3
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=31774	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-5556	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-5556	Trust: 0.8
url:	http://tools.cisco.com/support/bugtoolkit/search/getbugdetails.do?method=fetchbugdetails&bugid=cscui21340	Trust: 0.6

sources: CNVD: CNVD-2013-14509 // VULHUB: VHN-65558 // JVNDB: JVNDB-2013-005152 // CNNVD: CNNVD-201311-241 // NVD: CVE-2013-5556

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 63732

SOURCES

db:	CNVD	id:	CNVD-2013-14509
db:	VULHUB	id:	VHN-65558
db:	BID	id:	63732
db:	JVNDB	id:	JVNDB-2013-005152
db:	CNNVD	id:	CNNVD-201311-241
db:	NVD	id:	CVE-2013-5556

LAST UPDATE DATE

2024-11-23T23:02:50.901000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2013-14509	date:	2013-11-18T00:00:00
db:	VULHUB	id:	VHN-65558	date:	2013-11-20T00:00:00
db:	BID	id:	63732	date:	2013-11-19T00:46:00
db:	JVNDB	id:	JVNDB-2013-005152	date:	2013-11-20T00:00:00
db:	CNNVD	id:	CNNVD-201311-241	date:	2013-11-21T00:00:00
db:	NVD	id:	CVE-2013-5556	date:	2024-11-21T01:57:41.837

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2013-14509	date:	2013-11-18T00:00:00
db:	VULHUB	id:	VHN-65558	date:	2013-11-18T00:00:00
db:	BID	id:	63732	date:	2013-11-14T00:00:00
db:	JVNDB	id:	JVNDB-2013-005152	date:	2013-11-20T00:00:00
db:	CNNVD	id:	CNNVD-201311-241	date:	2013-11-21T00:00:00
db:	NVD	id:	CVE-2013-5556	date:	2013-11-18T03:55:06.040