ID

VAR-201703-0900


CVE

CVE-2017-3858


TITLE

Cisco IOS XE Software improper input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-002643

DESCRIPTION

A vulnerability in the web framework of Cisco IOS XE Software could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation of HTTP parameters supplied by the user. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the affected web page parameter. The user must be authenticated to access the affected parameter. A successful exploit could allow the attacker to execute commands with root privileges. This vulnerability affects Cisco devices running Cisco IOS XE Software Release 16.2.1, if the HTTP Server feature is enabled for the device. The newly redesigned, web-based administration interface was introduced in the Denali 16.2 Release of Cisco IOS XE Software. The web-based administration interface in earlier releases of Cisco IOS XE Software is not affected by this vulnerability. Cisco Bug IDs: CSCuy83069. The vendor has confirmed this vulnerability and released it as Bug ID CSCuy83069. An attack may result in information being obtained, information being altered, and service operation being disrupted (DoS). Cisco IOS XE Software is an operating system developed by Cisco Systems for its network devices. This may aid in further attacks.

Trust: 2.61

sources: NVD: CVE-2017-3858 // JVNDB: JVNDB-2017-002643 // CNVD: CNVD-2017-04988 // BID: 97009 // VULHUB: VHN-112061 // VULMON: CVE-2017-3858

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-04988

AFFECTED PRODUCTS

vendor: cisco, model: ios xe, scope: eq, version: 16.2.1

Trust: 3.0

vendor: cisco, model: ios xe, scope: eq, version: 16.2

Trust: 2.4

vendor: cisco, model: ios xe software, scope: eq, version: 16.2.1

Trust: 0.3

sources: CNVD: CNVD-2017-04988 // BID: 97009 // JVNDB: JVNDB-2017-002643 // CNNVD: CNNVD-201703-989 // NVD: CVE-2017-3858

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-3858
value: HIGH

Trust: 1.0

NVD: CVE-2017-3858
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-04988
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201703-989
value: CRITICAL

Trust: 0.6

VULHUB: VHN-112061
value: HIGH

Trust: 0.1

VULMON: CVE-2017-3858
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-3858
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2017-04988
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-112061
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-3858
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-04988 // VULHUB: VHN-112061 // VULMON: CVE-2017-3858 // JVNDB: JVNDB-2017-002643 // CNNVD: CNNVD-201703-989 // NVD: CVE-2017-3858

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.9

sources: VULHUB: VHN-112061 // JVNDB: JVNDB-2017-002643 // NVD: CVE-2017-3858

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201703-989

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201703-989

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-002643

PATCH

title: cisco-sa-20170322-xeci
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-xeci

Trust: 0.8

title: Patch for Cisco IOSXE arbitrary command execution vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/91303

Trust: 0.6

title: Cisco IOS XE Software Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=68700

Trust: 0.6

title: Threatpost
url: https://threatpost.com/cisco-patches-critical-iox-vulnerability/124533/

Trust: 0.1

sources: CNVD: CNVD-2017-04988 // VULMON: CVE-2017-3858 // JVNDB: JVNDB-2017-002643 // CNNVD: CNNVD-201703-989

EXTERNAL IDS

db: NVD, id: CVE-2017-3858

Trust: 3.5

db: BID, id: 97009

Trust: 1.5

db: SECTRACK, id: 1038102

Trust: 1.2

db: JVNDB, id: JVNDB-2017-002643

Trust: 0.8

db: CNNVD, id: CNNVD-201703-989

Trust: 0.7

db: CNVD, id: CNVD-2017-04988

Trust: 0.6

db: VULHUB, id: VHN-112061

Trust: 0.1

db: VULMON, id: CVE-2017-3858

Trust: 0.1

sources: CNVD: CNVD-2017-04988 // VULHUB: VHN-112061 // VULMON: CVE-2017-3858 // BID: 97009 // JVNDB: JVNDB-2017-002643 // CNNVD: CNNVD-201703-989 // NVD: CVE-2017-3858

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170322-xeci

Trust: 2.7

url: http://www.securityfocus.com/bid/97009

Trust: 1.3

url: http://www.securitytracker.com/id/1038102

Trust: 1.2

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3858

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-3858

Trust: 0.8

url: http://www.cisco.com/

Trust: 0.3

url: https://cwe.mitre.org/data/definitions/20.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

url: https://threatpost.com/cisco-patches-critical-iox-vulnerability/124533/

Trust: 0.1

sources: CNVD: CNVD-2017-04988 // VULHUB: VHN-112061 // VULMON: CVE-2017-3858 // BID: 97009 // JVNDB: JVNDB-2017-002643 // CNNVD: CNNVD-201703-989 // NVD: CVE-2017-3858

CREDITS

Cisco.

Trust: 0.3

sources: BID: 97009

SOURCES

db: CNVD, id: CNVD-2017-04988
db: VULHUB, id: VHN-112061
db: VULMON, id: CVE-2017-3858
db: BID, id: 97009
db: JVNDB, id: JVNDB-2017-002643
db: CNNVD, id: CNNVD-201703-989
db: NVD, id: CVE-2017-3858

LAST UPDATE DATE

2024-11-23T22:42:13.158000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-04988, date: 2017-04-21T00:00:00
db: VULHUB, id: VHN-112061, date: 2017-07-12T00:00:00
db: VULMON, id: CVE-2017-3858, date: 2017-07-12T00:00:00
db: BID, id: 97009, date: 2017-03-23T00:01:00
db: JVNDB, id: JVNDB-2017-002643, date: 2017-04-24T00:00:00
db: CNNVD, id: CNNVD-201703-989, date: 2017-03-23T00:00:00
db: NVD, id: CVE-2017-3858, date: 2024-11-21T03:26:15.390

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-04988, date: 2017-04-21T00:00:00
db: VULHUB, id: VHN-112061, date: 2017-03-22T00:00:00
db: VULMON, id: CVE-2017-3858, date: 2017-03-22T00:00:00
db: BID, id: 97009, date: 2017-03-22T00:00:00
db: JVNDB, id: JVNDB-2017-002643, date: 2017-04-24T00:00:00
db: CNNVD, id: CNNVD-201703-989, date: 2017-03-23T00:00:00
db: NVD, id: CVE-2017-3858, date: 2017-03-22T19:59:00.337