Details of VAR-201512-0416

ID

VAR-201512-0416

CVE

CVE-2015-6383

TITLE

Cisco ASR 1000 Run on device Cisco IOS XE Vulnerabilities that bypass license restrictions

Trust: 0.8

sources: JVNDB: JVNDB-2015-006077

DESCRIPTION

Cisco IOS XE 15.4(3)S on ASR 1000 devices improperly loads software packages, which allows local users to bypass license restrictions and obtain certain root privileges by using the CLI to enter crafted filenames, aka Bug ID CSCuv93130. The Cisco IOS XE on ASR 1000 is a set of operating systems running on the ASR 1000 Series routers from Cisco. Attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions in the context of the affected system. This issue is being tracked by Cisco Bug ID CSCuv93130

Trust: 2.52

sources: NVD: CVE-2015-6383 // JVNDB: JVNDB-2015-006077 // CNVD: CNVD-2015-07907 // BID: 78521 // VULHUB: VHN-84344

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2015-07907

AFFECTED PRODUCTS

vendor:	cisco	model:	ios xe	scope:	eq	version:	15.4\(3\)s	Trust: 1.6
vendor:	cisco	model:	ios xe	scope:	eq	version:	3s	Trust: 0.8
vendor:	cisco	model:	ios xe 15.4 s	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2015-07907 // JVNDB: JVNDB-2015-006077 // CNNVD: CNNVD-201512-027 // NVD: CVE-2015-6383

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-6383
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-6383
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2015-07907
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201512-027
value:	HIGH
Trust: 0.6
VULHUB:	VHN-84344
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2015-6383
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-07907
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-84344
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2015-07907 // VULHUB: VHN-84344 // JVNDB: JVNDB-2015-006077 // CNNVD: CNNVD-201512-027 // NVD: CVE-2015-6383

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-84344 // JVNDB: JVNDB-2015-006077 // NVD: CVE-2015-6383

THREAT TYPE

local

Trust: 0.9

sources: BID: 78521 // CNNVD: CNNVD-201512-027

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201512-027

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-006077

PATCH

title:	cisco-sa-20151130-iosxe3s	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151130-iosxe3s	Trust: 0.8
title:	Patch for Cisco ASR 1000 IOS XE Security Bypass Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/67643	Trust: 0.6
title:	Cisco ASR 1000 IOS XE Fixes for permission permissions and access control vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=58894	Trust: 0.6

sources: CNVD: CNVD-2015-07907 // JVNDB: JVNDB-2015-006077 // CNNVD: CNNVD-201512-027

EXTERNAL IDS

db:	NVD	id:	CVE-2015-6383	Trust: 3.4
db:	BID	id:	78521	Trust: 1.4
db:	SECTRACK	id:	1034277	Trust: 1.1
db:	SECTRACK	id:	1034296	Trust: 1.1
db:	JVNDB	id:	JVNDB-2015-006077	Trust: 0.8
db:	CNNVD	id:	CNNVD-201512-027	Trust: 0.7
db:	CNVD	id:	CNVD-2015-07907	Trust: 0.6
db:	SEEBUG	id:	SSVID-89996	Trust: 0.1
db:	VULHUB	id:	VHN-84344	Trust: 0.1

sources: CNVD: CNVD-2015-07907 // VULHUB: VHN-84344 // BID: 78521 // JVNDB: JVNDB-2015-006077 // CNNVD: CNNVD-201512-027 // NVD: CVE-2015-6383

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20151130-asa	Trust: 1.7
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-6383	Trust: 1.4
url:	http://www.securityfocus.com/bid/78521	Trust: 1.1
url:	http://www.securitytracker.com/id/1034277	Trust: 1.1
url:	http://www.securitytracker.com/id/1034296	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6383	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3
url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20151130-iosxe3s	Trust: 0.3

sources: CNVD: CNVD-2015-07907 // VULHUB: VHN-84344 // BID: 78521 // JVNDB: JVNDB-2015-006077 // CNNVD: CNNVD-201512-027 // NVD: CVE-2015-6383

CREDITS

Cisco

Trust: 0.3

sources: BID: 78521

SOURCES

db:	CNVD	id:	CNVD-2015-07907
db:	VULHUB	id:	VHN-84344
db:	BID	id:	78521
db:	JVNDB	id:	JVNDB-2015-006077
db:	CNNVD	id:	CNNVD-201512-027
db:	NVD	id:	CVE-2015-6383

LAST UPDATE DATE

2024-11-23T23:12:37.258000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2015-07907	date:	2015-12-04T00:00:00
db:	VULHUB	id:	VHN-84344	date:	2017-09-14T00:00:00
db:	BID	id:	78521	date:	2015-12-08T22:23:00
db:	JVNDB	id:	JVNDB-2015-006077	date:	2015-12-04T00:00:00
db:	CNNVD	id:	CNNVD-201512-027	date:	2015-12-04T00:00:00
db:	NVD	id:	CVE-2015-6383	date:	2024-11-21T02:34:53.820

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2015-07907	date:	2015-12-04T00:00:00
db:	VULHUB	id:	VHN-84344	date:	2015-12-03T00:00:00
db:	BID	id:	78521	date:	2015-11-30T00:00:00
db:	JVNDB	id:	JVNDB-2015-006077	date:	2015-12-04T00:00:00
db:	CNNVD	id:	CNNVD-201512-027	date:	2015-12-03T00:00:00
db:	NVD	id:	CVE-2015-6383	date:	2015-12-03T03:59:00.127