Details of VAR-201507-0523

ID

VAR-201507-0523

CVE

CVE-2015-4235

TITLE

Cisco Application Policy Infrastructure Controller Device software and Nexus 9000 ACI In device software root Privileged vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2015-003929

DESCRIPTION

Cisco Application Policy Infrastructure Controller (APIC) devices with software before 1.0(3o) and 1.1 before 1.1(1j) and Nexus 9000 ACI devices with software before 11.0(4o) and 11.1 before 11.1(1j) do not properly restrict access to the APIC filesystem, which allows remote authenticated users to obtain root privileges via unspecified use of the APIC cluster-management configuration feature, aka Bug IDs CSCuu72094 and CSCuv11991. Vendors have confirmed this vulnerability Bug IDs CSCuu72094 and CSCuv11991 It is released as.By a third party APIC Through unspecified use of the cluster management configuration feature of root You may get permission. The Cisco Application Policy Infrastructure is a controller that automates the management of application-centric infrastructure. The Cisco Nexus 9000 Series ACI Mode Switches is a 9000 Series switch for Application-Centric Infrastructure (ACI). This may aid in further attacks. This issue is being tracked by Cisco Bug IDs CSCuu72094 and CSCuv11991

Trust: 2.52

sources: NVD: CVE-2015-4235 // JVNDB: JVNDB-2015-003929 // CNVD: CNVD-2015-04981 // BID: 75994 // VULHUB: VHN-82196

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2015-04981

AFFECTED PRODUCTS

vendor:	cisco	model:	application policy infrastructure controller \	scope:	eq	version:	1.0\(1e\)	Trust: 1.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	11.0\(3i\)	Trust: 1.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	11.0\(3k\)	Trust: 1.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	11.0\(3f\)	Trust: 1.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	11.0\(1c\)	Trust: 1.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	11.0\(2m\)	Trust: 1.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	11.0\(1e\)	Trust: 1.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	11.0\(1b\)	Trust: 1.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	11.0\(1d\)	Trust: 1.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	11.0\(2j\)	Trust: 1.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	11.0\(3n\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	eq	version:	11.0\(4h\)	Trust: 1.0
vendor:	cisco	model:	application policy infrastructure controller software	scope:	lt	version:	1.0(3o)	Trust: 0.8
vendor:	cisco	model:	application policy infrastructure controller software	scope:	lt	version:	1.0(4o)	Trust: 0.8
vendor:	cisco	model:	application policy infrastructure controller software	scope:	lt	version:	1.1(1j)	Trust: 0.8
vendor:	cisco	model:	nexus 9000 series	scope:	eq	version:	aci	Trust: 0.8
vendor:	cisco	model:	nx-os	scope:	lt	version:	11.0(4o)	Trust: 0.8
vendor:	cisco	model:	nx-os	scope:	lt	version:	11.1(1j)	Trust: 0.8
vendor:	cisco	model:	application policy infrastructure controller <1.0	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	application policy infrastructure controller 1.1 )	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	nexus aci <11.0	scope:	eq	version:	9000	Trust: 0.6
vendor:	cisco	model:	nexus aci 11.x )	scope:	eq	version:	9000	Trust: 0.6

sources: CNVD: CNVD-2015-04981 // JVNDB: JVNDB-2015-003929 // CNNVD: CNNVD-201507-733 // NVD: CVE-2015-4235

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-4235
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-4235
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2015-04981
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201507-733
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-82196
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2015-4235
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-04981
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-82196
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2015-04981 // VULHUB: VHN-82196 // JVNDB: JVNDB-2015-003929 // CNNVD: CNNVD-201507-733 // NVD: CVE-2015-4235

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-82196 // JVNDB: JVNDB-2015-003929 // NVD: CVE-2015-4235

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201507-733

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201507-733

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-003929

PATCH

title:	cisco-sa-20150722-apic	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150722-apic	Trust: 0.8
title:	39563	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=39563	Trust: 0.8
title:	cisco-sa-20150722-apic	url:	http://www.cisco.com/cisco/web/support/JP/113/1130/1130211_cisco-sa-20150722-apic-j.html	Trust: 0.8
title:	Cisco Application Policy Infrastructure Controllers and Nexus 9000 Series ACI Mode Switches are not authorized to access vulnerable patches	url:	https://www.cnvd.org.cn/patchInfo/show/61671	Trust: 0.6

sources: CNVD: CNVD-2015-04981 // JVNDB: JVNDB-2015-003929

EXTERNAL IDS

db:	NVD	id:	CVE-2015-4235	Trust: 3.4
db:	BID	id:	75994	Trust: 1.6
db:	SECTRACK	id:	1033025	Trust: 1.1
db:	JVNDB	id:	JVNDB-2015-003929	Trust: 0.8
db:	CNNVD	id:	CNNVD-201507-733	Trust: 0.7
db:	CNVD	id:	CNVD-2015-04981	Trust: 0.6
db:	VULHUB	id:	VHN-82196	Trust: 0.1

sources: CNVD: CNVD-2015-04981 // VULHUB: VHN-82196 // BID: 75994 // JVNDB: JVNDB-2015-003929 // CNNVD: CNNVD-201507-733 // NVD: CVE-2015-4235

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20150722-apic	Trust: 2.6
url:	http://www.securitytracker.com/id/1033025	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-4235	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-4235	Trust: 0.8
url:	http://www.securityfocus.com/bid/75994	Trust: 0.6
url:	http://www.cisco.com/c/en/us/products/cloud-systems-management/application-policy-infrastructure-controller-apic/index.html	Trust: 0.3
url:	http://www.cisco.com	Trust: 0.3
url:	http://www.cisco.com/c/en/us/products/switches/nexus-9000-series-switches/index.html	Trust: 0.3

sources: CNVD: CNVD-2015-04981 // VULHUB: VHN-82196 // BID: 75994 // JVNDB: JVNDB-2015-003929 // CNNVD: CNNVD-201507-733 // NVD: CVE-2015-4235

CREDITS

Cisco

Trust: 0.9

sources: BID: 75994 // CNNVD: CNNVD-201507-733

SOURCES

db:	CNVD	id:	CNVD-2015-04981
db:	VULHUB	id:	VHN-82196
db:	BID	id:	75994
db:	JVNDB	id:	JVNDB-2015-003929
db:	CNNVD	id:	CNNVD-201507-733
db:	NVD	id:	CVE-2015-4235

LAST UPDATE DATE

2024-11-23T22:38:47.793000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2015-04981	date:	2015-07-29T00:00:00
db:	VULHUB	id:	VHN-82196	date:	2017-09-21T00:00:00
db:	BID	id:	75994	date:	2015-07-22T00:00:00
db:	JVNDB	id:	JVNDB-2015-003929	date:	2015-07-28T00:00:00
db:	CNNVD	id:	CNNVD-201507-733	date:	2015-07-27T00:00:00
db:	NVD	id:	CVE-2015-4235	date:	2024-11-21T02:30:41.317

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2015-04981	date:	2015-07-28T00:00:00
db:	VULHUB	id:	VHN-82196	date:	2015-07-24T00:00:00
db:	BID	id:	75994	date:	2015-07-22T00:00:00
db:	JVNDB	id:	JVNDB-2015-003929	date:	2015-07-28T00:00:00
db:	CNNVD	id:	CNNVD-201507-733	date:	2015-07-23T00:00:00
db:	NVD	id:	CVE-2015-4235	date:	2015-07-24T14:59:00.073