Sign-up

ID

VAR-201708-1358


CVE

CVE-2017-6768


TITLE

Cisco Application Policy Infrastructure Controller Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2017-007076

DESCRIPTION

A vulnerability in the build procedure for certain executable system files installed at boot time on Cisco Application Policy Infrastructure Controller (APIC) devices could allow an authenticated, local attacker to gain root-level privileges. The vulnerability is due to a custom executable system file that was built to use relative search paths for libraries without properly validating the library to be loaded. An attacker could exploit this vulnerability by authenticating to the device and loading a malicious library that can escalate the privilege level. A successful exploit could allow the attacker to gain root-level privileges and take full control of the device. The attacker must have valid user credentials to log in to the device. Cisco Bug IDs: CSCvc96087. Known Affected Releases: 1.1(0.920a), 1.1(1j), 1.1(3f); 1.2 Base, 1.2(2), 1.2(3), 1.2.2; 1.3(1), 1.3(2), 1.3(2f); 2.0 Base, 2.0(1). Cisco Application Policy Infrastructure Controller (APIC) Contains vulnerabilities related to authorization, permissions, and access control. Vendors have confirmed this vulnerability Bug ID CSCvc96087 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. There is a privilege escalation vulnerability in the build procedure of the executable system file in Cisco APIC

Trust: 1.98

sources: NVD: CVE-2017-6768 // JVNDB: JVNDB-2017-007076 // BID: 100363 // VULHUB: VHN-114971

AFFECTED PRODUCTS

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:1.3\(1\)

Trust: 1.6

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:2.0_base

Trust: 1.6

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:2.0\(1\)

Trust: 1.6

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:1.2\(3\)

Trust: 1.6

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:1.2_base

Trust: 1.6

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:1.3\(2\)

Trust: 1.6

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:1.2\(2\)

Trust: 1.6

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:1.1\(0.920a\)

Trust: 1.6

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:1.2.2

Trust: 1.6

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:1.3\(2f\)

Trust: 1.6

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:1.1\(3f\)

Trust: 1.0

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:1.1\(1j\)

Trust: 1.0

vendor:ciscomodel:application policy infrastructure controller softwarescope: - version: -

Trust: 0.8

vendor:ciscomodel:application policy infrastructure controller 2.0scope: - version: -

Trust: 0.3

sources: BID: 100363 // JVNDB: JVNDB-2017-007076 // CNNVD: CNNVD-201708-721 // NVD: CVE-2017-6768

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-6768
value: HIGH

Trust: 1.0

NVD: CVE-2017-6768
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201708-721
value: HIGH

Trust: 0.6

VULHUB: VHN-114971
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-6768
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-114971
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-6768
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-114971 // JVNDB: JVNDB-2017-007076 // CNNVD: CNNVD-201708-721 // NVD: CVE-2017-6768

PROBLEMTYPE DATA

problemtype:CWE-426

Trust: 1.1

problemtype:CWE-264

Trust: 0.9

sources: VULHUB: VHN-114971 // JVNDB: JVNDB-2017-007076 // NVD: CVE-2017-6768

THREAT TYPE

local

Trust: 0.9

sources: BID: 100363 // CNNVD: CNNVD-201708-721

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201708-721

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-007076

PATCH
title:cisco-sa-20170816-apic2url:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170816-apic2
Trust: 0.8
title:Cisco Application Policy Infrastructure Controller Fixes for permission permissions and access control vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74072
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2017-007076 // 
            
            
            
            CNNVD: CNNVD-201708-721

EXTERNAL IDS
db:NVDid:CVE-2017-6768
Trust: 2.8
db:BIDid:100363
Trust: 2.0
db:SECTRACKid:1039179
Trust: 1.7
db:JVNDBid:JVNDB-2017-007076
Trust: 0.8
db:CNNVDid:CNNVD-201708-721
Trust: 0.7
db:VULHUBid:VHN-114971
Trust: 0.1
sources:
            
            
            VULHUB: VHN-114971 // 
            
            
            
            BID: 100363 // 
            
            
            
            JVNDB: JVNDB-2017-007076 // 
            
            
            
            CNNVD: CNNVD-201708-721 // 
            
            
            
            NVD: CVE-2017-6768

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170816-apic2
Trust: 2.0
url:http://www.securityfocus.com/bid/100363
Trust: 1.7
url:http://www.securitytracker.com/id/1039179
Trust: 1.7
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6768
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-6768
Trust: 0.8
url:http://www.cisco.com/
Trust: 0.3
sources:
            
            
            VULHUB: VHN-114971 // 
            
            
            
            BID: 100363 // 
            
            
            
            JVNDB: JVNDB-2017-007076 // 
            
            
            
            CNNVD: CNNVD-201708-721 // 
            
            
            
            NVD: CVE-2017-6768

CREDITS
Mgr. Lubomir Vesely.
Trust: 0.9
sources:
            
            
            BID: 100363 // 
            
            
            
            CNNVD: CNNVD-201708-721

SOURCES
db:VULHUBid:VHN-114971
db:BIDid:100363
db:JVNDBid:JVNDB-2017-007076
db:CNNVDid:CNNVD-201708-721
db:NVDid:CVE-2017-6768

LAST UPDATE DATE
2024-11-23T22:30:41.171000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-114971date:2019-10-03T00:00:00
db:BIDid:100363date:2017-08-16T00:00:00
db:JVNDBid:JVNDB-2017-007076date:2017-09-11T00:00:00
db:CNNVDid:CNNVD-201708-721date:2019-10-23T00:00:00
db:NVDid:CVE-2017-6768date:2024-11-21T03:30:28.883

SOURCES RELEASE DATE
db:VULHUBid:VHN-114971date:2017-08-17T00:00:00
db:BIDid:100363date:2017-08-16T00:00:00
db:JVNDBid:JVNDB-2017-007076date:2017-09-11T00:00:00
db:CNNVDid:CNNVD-201708-721date:2017-08-17T00:00:00
db:NVDid:CVE-2017-6768date:2017-08-17T20:29:00.433