Details of VAR-201607-0451

ID

VAR-201607-0451

CVE

CVE-2016-1408

TITLE

Cisco Prime Infrastructure and Evolved Programmable Network Manager Vulnerable to arbitrary command execution

Trust: 0.8

sources: JVNDB: JVNDB-2016-003418

DESCRIPTION

Cisco Prime Infrastructure 1.2 through 3.1 and Evolved Programmable Network Manager (EPNM) 1.2 and 2.0 allow remote authenticated users to execute arbitrary commands or upload files via a crafted HTTP request, aka Bug ID CSCuz01488. Cisco Prime Infrastructure software is prone to a remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code on the affected system. This may aid in further attacks. This issue being tracked by Cisco Bug ID's CSCuz01488 and CSCuz01495. Cisco Prime Infrastructure software versions 1.2 through version 3.1 are vulnerable. PI is a set of wireless management solutions through Cisco Prime LAN Management Solution (LMS) and Cisco Prime Network Control System (NCS) technologies; EPNM is a set of network management solutions. A security vulnerability exists in the web interface of Cisco PI and EPNM

Trust: 1.98

sources: NVD: CVE-2016-1408 // JVNDB: JVNDB-2016-003418 // BID: 91506 // VULHUB: VHN-90227

AFFECTED PRODUCTS

vendor:	cisco	model:	evolved programmable network manager	scope:	eq	version:	1.2.1.3	Trust: 1.6
vendor:	cisco	model:	evolved programmable network manager	scope:	eq	version:	1.2.500	Trust: 1.6
vendor:	cisco	model:	evolved programmable network manager	scope:	eq	version:	1.2.0	Trust: 1.6
vendor:	cisco	model:	evolved programmable network manager	scope:	eq	version:	1.2.400	Trust: 1.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.2.1	Trust: 1.6
vendor:	cisco	model:	evolved programmable network manager	scope:	eq	version:	1.2.300	Trust: 1.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.2.0.103	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	2.1.0	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	2.2	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.3	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.4.0.45	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.4.1	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.2	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	3.1	Trust: 1.0
vendor:	cisco	model:	evolved programmable network manager	scope:	eq	version:	1.2.200	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	2.0	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	2.2\(2\)	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.4	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.3.0.20	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.4.2	Trust: 1.0
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	3.0	Trust: 1.0
vendor:	cisco	model:	evolved programmable network manager	scope:	eq	version:	1.2	Trust: 0.8
vendor:	cisco	model:	evolved programmable network manager	scope:	eq	version:	2.0	Trust: 0.8
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.2 to 3.1	Trust: 0.8
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.4.0	Trust: 0.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.3.0	Trust: 0.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	1.2.0	Trust: 0.6
vendor:	cisco	model:	prime infrastructure	scope:	eq	version:	2.0.0	Trust: 0.6

sources: JVNDB: JVNDB-2016-003418 // CNNVD: CNNVD-201606-653 // NVD: CVE-2016-1408

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-1408
value:	HIGH
Trust: 1.0
NVD:	CVE-2016-1408
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201606-653
value:	HIGH
Trust: 0.6
VULHUB:	VHN-90227
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2016-1408
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-90227
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-1408
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-90227 // JVNDB: JVNDB-2016-003418 // CNNVD: CNNVD-201606-653 // NVD: CVE-2016-1408

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-90227 // JVNDB: JVNDB-2016-003418 // NVD: CVE-2016-1408

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201606-653

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201606-653

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-003418

PATCH

title:	cisco-sa-20160629-pi-epnm	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160629-pi-epnm	Trust: 0.8
title:	Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=62562	Trust: 0.6

sources: JVNDB: JVNDB-2016-003418 // CNNVD: CNNVD-201606-653

EXTERNAL IDS

db:	NVD	id:	CVE-2016-1408	Trust: 2.8
db:	BID	id:	91506	Trust: 2.0
db:	SECTRACK	id:	1036197	Trust: 1.7
db:	JVNDB	id:	JVNDB-2016-003418	Trust: 0.8
db:	CNNVD	id:	CNNVD-201606-653	Trust: 0.7
db:	VULHUB	id:	VHN-90227	Trust: 0.1

sources: VULHUB: VHN-90227 // BID: 91506 // JVNDB: JVNDB-2016-003418 // CNNVD: CNNVD-201606-653 // NVD: CVE-2016-1408

REFERENCES

url:	http://www.securityfocus.com/bid/91506	Trust: 1.7
url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160629-pi-epnm	Trust: 1.7
url:	http://www.securitytracker.com/id/1036197	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1408	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1408	Trust: 0.8

sources: VULHUB: VHN-90227 // JVNDB: JVNDB-2016-003418 // CNNVD: CNNVD-201606-653 // NVD: CVE-2016-1408

CREDITS

This vulnerability was found and reported to Cisco by Daniel Jensen from Security-Assessment.com.

Trust: 0.6

sources: CNNVD: CNNVD-201606-653

SOURCES

db:	VULHUB	id:	VHN-90227
db:	BID	id:	91506
db:	JVNDB	id:	JVNDB-2016-003418
db:	CNNVD	id:	CNNVD-201606-653
db:	NVD	id:	CVE-2016-1408

LAST UPDATE DATE

2024-11-23T22:49:14.429000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-90227	date:	2019-07-29T00:00:00
db:	BID	id:	91506	date:	2016-06-29T00:00:00
db:	JVNDB	id:	JVNDB-2016-003418	date:	2016-07-06T00:00:00
db:	CNNVD	id:	CNNVD-201606-653	date:	2019-07-30T00:00:00
db:	NVD	id:	CVE-2016-1408	date:	2024-11-21T02:46:23.193

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-90227	date:	2016-07-02T00:00:00
db:	BID	id:	91506	date:	2016-06-29T00:00:00
db:	JVNDB	id:	JVNDB-2016-003418	date:	2016-07-06T00:00:00
db:	CNNVD	id:	CNNVD-201606-653	date:	2016-06-30T00:00:00
db:	NVD	id:	CVE-2016-1408	date:	2016-07-02T14:59:07.430