Details of VAR-201709-0699

ID

VAR-201709-0699

CVE

CVE-2017-12230

TITLE

Cisco IOS XE Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2017-008499

DESCRIPTION

A vulnerability in the web-based user interface (web UI) of Cisco IOS XE 16.2 could allow an authenticated, remote attacker to elevate their privileges on an affected device. The vulnerability is due to incorrect default permission settings for new users who are created by using the web UI of the affected software. An attacker could exploit this vulnerability by using the web UI of the affected software to create a new user and then logging into the web UI as the newly created user. A successful exploit could allow the attacker to elevate their privileges on the affected device. This vulnerability affects Cisco devices that are running a vulnerable release Cisco IOS XE Software, if the HTTP Server feature is enabled for the device. The newly redesigned, web-based administration UI was introduced in the Denali 16.2 Release of Cisco IOS XE Software. This vulnerability does not affect the web-based administration UI in earlier releases of Cisco IOS XE Software. Cisco Bug IDs: CSCuy83062. Vendors have confirmed this vulnerability Bug ID CSCuy83062 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state

Trust: 1.98

sources: NVD: CVE-2017-12230 // JVNDB: JVNDB-2017-008499 // BID: 101036 // VULHUB: VHN-102732

AFFECTED PRODUCTS

vendor:	cisco	model:	ios xe	scope:	eq	version:	16.2.1	Trust: 1.6
vendor:	cisco	model:	ios xe	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	ios xe software denali	scope:	eq	version:	16.2	Trust: 0.3
vendor:	cisco	model:	ios denali-16.3.1	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	ios	scope:	eq	version:	16.2.1	Trust: 0.3

sources: BID: 101036 // JVNDB: JVNDB-2017-008499 // CNNVD: CNNVD-201709-1304 // NVD: CVE-2017-12230

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-12230
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-12230
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201709-1304
value:	HIGH
Trust: 0.6
VULHUB:	VHN-102732
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2017-12230
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-102732
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-12230
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-102732 // JVNDB: JVNDB-2017-008499 // CNNVD: CNNVD-201709-1304 // NVD: CVE-2017-12230

PROBLEMTYPE DATA

problemtype:	CWE-264	Trust: 1.9
problemtype:	CWE-276	Trust: 1.1

sources: VULHUB: VHN-102732 // JVNDB: JVNDB-2017-008499 // NVD: CVE-2017-12230

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201709-1304

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201709-1304

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-008499

PATCH

title:	cisco-sa-20170927-privesc	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-privesc	Trust: 0.8
title:	Cisco IOS XE Fixes for permission permissions and access control vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=75189	Trust: 0.6

sources: JVNDB: JVNDB-2017-008499 // CNNVD: CNNVD-201709-1304

EXTERNAL IDS

db:	NVD	id:	CVE-2017-12230	Trust: 2.8
db:	BID	id:	101036	Trust: 2.0
db:	SECTRACK	id:	1039446	Trust: 1.7
db:	JVNDB	id:	JVNDB-2017-008499	Trust: 0.8
db:	CNNVD	id:	CNNVD-201709-1304	Trust: 0.7
db:	VULHUB	id:	VHN-102732	Trust: 0.1

sources: VULHUB: VHN-102732 // BID: 101036 // JVNDB: JVNDB-2017-008499 // CNNVD: CNNVD-201709-1304 // NVD: CVE-2017-12230

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170927-privesc	Trust: 2.0
url:	http://www.securityfocus.com/bid/101036	Trust: 1.7
url:	http://www.securitytracker.com/id/1039446	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12230	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-12230	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-102732 // BID: 101036 // JVNDB: JVNDB-2017-008499 // CNNVD: CNNVD-201709-1304 // NVD: CVE-2017-12230

CREDITS

Cisco

Trust: 0.3

sources: BID: 101036

SOURCES

db:	VULHUB	id:	VHN-102732
db:	BID	id:	101036
db:	JVNDB	id:	JVNDB-2017-008499
db:	CNNVD	id:	CNNVD-201709-1304
db:	NVD	id:	CVE-2017-12230

LAST UPDATE DATE

2024-11-23T22:52:22.229000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-102732	date:	2019-10-09T00:00:00
db:	BID	id:	101036	date:	2017-09-27T00:00:00
db:	JVNDB	id:	JVNDB-2017-008499	date:	2017-10-20T00:00:00
db:	CNNVD	id:	CNNVD-201709-1304	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2017-12230	date:	2024-11-21T03:09:05.040

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-102732	date:	2017-09-29T00:00:00
db:	BID	id:	101036	date:	2017-09-27T00:00:00
db:	JVNDB	id:	JVNDB-2017-008499	date:	2017-10-20T00:00:00
db:	CNNVD	id:	CNNVD-201709-1304	date:	2017-09-28T00:00:00
db:	NVD	id:	CVE-2017-12230	date:	2017-09-29T01:34:48.717