Details of VAR-201704-1340

ID

VAR-201704-1340

CVE

CVE-2017-6602

TITLE

Cisco Unified Computing System Manager and Firepower Product CLI Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-003069

DESCRIPTION

A vulnerability in the CLI of Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to perform a command injection attack. More Information: CSCvb66189 CSCvb86775. Known Affected Releases: 2.0(1.68) 3.1(1k)A. Known Fixed Releases: 92.2(1.101) 92.1(1.1742) 92.1(1.1658) 2.1(1.38) 2.0(1.107) 2.0(1.87) 1.1(4.148) 1.1(4.138). Vendors have confirmed this vulnerability Bug ID CSCvb66189 and CSCvb86775 It is released as.Information may be obtained and information may be altered. The Cisco Unified Computing System (UCS) Manager provides unified embedded management of all software and hardware components in Cisco UCS. The Cisco Firepower 4100 Series is the next generation firewall. The Cisco Firepower 9300 is a scalable carrier-grade platform. Multiple Cisco Products are prone to a local command-injection vulnerability. A local attacker can exploit this issue to execute arbitrary commands. This issue being tracked by Cisco Bug ID CSCvb66189 and CSCvb86775. A local attacker could exploit this vulnerability by injecting specially crafted command parameters into affected CLI commands to read or write arbitrary files with user privileges and gain access to the device

Trust: 2.52

sources: NVD: CVE-2017-6602 // JVNDB: JVNDB-2017-003069 // CNVD: CNVD-2017-05645 // BID: 97472 // VULHUB: VHN-114805

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-05645

AFFECTED PRODUCTS

vendor:	cisco	model:	firepower extensible operating system	scope:	eq	version:	2.0\(1.68\)	Trust: 1.6
vendor:	cisco	model:	unified computing system	scope:	eq	version:	3.1\(1k\)a	Trust: 1.6
vendor:	cisco	model:	firepower extensible operating system	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	unified computing system software	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	firepower series next-generation firewall	scope:	eq	version:	4100	Trust: 0.6
vendor:	cisco	model:	firepower security appliance	scope:	eq	version:	9300	Trust: 0.6
vendor:	cisco	model:	unified computing system manager	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	unified computing system manager	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	unified computing system 3.1 a	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	firepower security appliance	scope:	eq	version:	93000	Trust: 0.3
vendor:	cisco	model:	firepower series	scope:	eq	version:	90002.0(1.68)	Trust: 0.3
vendor:	cisco	model:	firepower series next-generation firewall	scope:	eq	version:	41000	Trust: 0.3

sources: CNVD: CNVD-2017-05645 // BID: 97472 // JVNDB: JVNDB-2017-003069 // CNNVD: CNNVD-201704-428 // NVD: CVE-2017-6602

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-6602
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-6602
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-05645
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-201704-428
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-114805
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2017-6602
severity:	LOW
baseScore:	3.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-05645
severity:	LOW
baseScore:	3.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-114805
severity:	LOW
baseScore:	3.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-6602
baseSeverity:	MEDIUM
baseScore:	4.4
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	1.8
impactScore:	2.5
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2017-05645 // VULHUB: VHN-114805 // JVNDB: JVNDB-2017-003069 // CNNVD: CNNVD-201704-428 // NVD: CVE-2017-6602

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.1
problemtype:	CWE-77	Trust: 0.9

sources: VULHUB: VHN-114805 // JVNDB: JVNDB-2017-003069 // NVD: CVE-2017-6602

THREAT TYPE

local

Trust: 0.9

sources: BID: 97472 // CNNVD: CNNVD-201704-428

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201704-428

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-003069

PATCH

title:	cisco-sa-20170405-cli2	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170405-cli2	Trust: 0.8
title:	Patches for multiple Cisco product CLI command injection vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/92944	Trust: 0.6
title:	Multiple Cisco Product Command Injection Vulnerability Fixes	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=73811	Trust: 0.6

sources: CNVD: CNVD-2017-05645 // JVNDB: JVNDB-2017-003069 // CNNVD: CNNVD-201704-428

EXTERNAL IDS

db:	NVD	id:	CVE-2017-6602	Trust: 3.4
db:	BID	id:	97472	Trust: 2.6
db:	SECTRACK	id:	1038197	Trust: 1.7
db:	JVNDB	id:	JVNDB-2017-003069	Trust: 0.8
db:	CNNVD	id:	CNNVD-201704-428	Trust: 0.7
db:	CNVD	id:	CNVD-2017-05645	Trust: 0.6
db:	VULHUB	id:	VHN-114805	Trust: 0.1

sources: CNVD: CNVD-2017-05645 // VULHUB: VHN-114805 // BID: 97472 // JVNDB: JVNDB-2017-003069 // CNNVD: CNNVD-201704-428 // NVD: CVE-2017-6602

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170405-cli2	Trust: 2.6
url:	http://www.securityfocus.com/bid/97472	Trust: 2.3
url:	http://www.securitytracker.com/id/1038197	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6602	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-6602	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3

sources: CNVD: CNVD-2017-05645 // VULHUB: VHN-114805 // BID: 97472 // JVNDB: JVNDB-2017-003069 // CNNVD: CNNVD-201704-428 // NVD: CVE-2017-6602

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 97472

SOURCES

db:	CNVD	id:	CNVD-2017-05645
db:	VULHUB	id:	VHN-114805
db:	BID	id:	97472
db:	JVNDB	id:	JVNDB-2017-003069
db:	CNNVD	id:	CNNVD-201704-428
db:	NVD	id:	CVE-2017-6602

LAST UPDATE DATE

2024-11-23T22:22:33.859000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-05645	date:	2017-04-29T00:00:00
db:	VULHUB	id:	VHN-114805	date:	2019-10-03T00:00:00
db:	BID	id:	97472	date:	2017-04-11T00:03:00
db:	JVNDB	id:	JVNDB-2017-003069	date:	2017-05-12T00:00:00
db:	CNNVD	id:	CNNVD-201704-428	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2017-6602	date:	2024-11-21T03:30:05.810

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-05645	date:	2017-04-29T00:00:00
db:	VULHUB	id:	VHN-114805	date:	2017-04-07T00:00:00
db:	BID	id:	97472	date:	2017-04-05T00:00:00
db:	JVNDB	id:	JVNDB-2017-003069	date:	2017-05-12T00:00:00
db:	CNNVD	id:	CNNVD-201704-428	date:	2017-04-07T00:00:00
db:	NVD	id:	CVE-2017-6602	date:	2017-04-07T17:59:00.700