ID
VAR-201710-0664
CVE
CVE-2017-12301
TITLE
Cisco NX-OS Software input validation vulnerability
Trust: 0.8
DESCRIPTION
A vulnerability in the Python scripting subsystem of Cisco NX-OS Software could allow an authenticated, local attacker to escape the Python parser and gain unauthorized access to the underlying operating system of the device. The vulnerability exists due to insufficient sanitization of user-supplied parameters that are passed to certain Python functions within the scripting sandbox of the affected device. An attacker could exploit this vulnerability to escape the scripting sandbox and execute arbitrary commands on the underlying operating system with the privileges of the authenticated user. To exploit this vulnerability, an attacker must have local access and be authenticated to the targeted device with administrative or Python execution privileges. These requirements could limit the possibility of a successful exploit. This vulnerability affects the following Cisco products if they are running Cisco NX-OS Software: Multilayer Director Switches, Nexus 2000 Series Fabric Extenders, Nexus 3000 Series Switches, Nexus 3500 Platform Switches, Nexus 5000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches - Standalone, NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules. Cisco Bug IDs: CSCvb86832, CSCvd86474, CSCvd86479, CSCvd86484, CSCvd86490, CSCve97102, CSCvf12757, CSCvf12804, CSCvf12815, CSCvf15198. Cisco NX-OS The software contains an input validation vulnerability. Vendors have confirmed this vulnerability Bug ID CSCvb86832 , CSCvd86474 , CSCvd86479 , CSCvd86484 , CSCvd86490 , CSCve97102 , CSCvf12757 , CSCvf12804 , CSCvf12815 ,and CSCvf15198 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco NX-OS software is a data center-level operating system that reflects modular design, resiliency, and maintainability. Cisco Multilayer Director Switches, etc. are all products of Cisco (Cisco). Cisco Multilayer Director Switches is a switch product. NX-OS Software is an operating system used in it. Python scripting subsystem is one of the Python scripting subsystems. The vulnerability stems from the fact that the program does not adequately filter the parameters submitted by users
Trust: 2.25
IOT TAXONOMY
| category: | ['Network device'] | sub_category: | - | Trust: 0.6 |
AFFECTED PRODUCTS
| vendor: | cisco | model: | nx-os | scope: | eq | version: | 6.0\(2\)a8\(6.213\) | Trust: 1.6 |
| vendor: | cisco | model: | nx-os | scope: | eq | version: | 8.0\(0.74\) | Trust: 1.6 |
| vendor: | cisco | model: | nx-os | scope: | eq | version: | 8.1\(0\)bd\(0.20\) | Trust: 1.6 |
| vendor: | cisco | model: | nx-os | scope: | eq | version: | 8.0\(1\) | Trust: 1.6 |
| vendor: | cisco | model: | nx-os | scope: | eq | version: | 7.3\(2\)d1\(0.21\) | Trust: 1.6 |
| vendor: | cisco | model: | nx-os | scope: | eq | version: | 6.0\(2\)a8\(3\) | Trust: 1.6 |
| vendor: | cisco | model: | nx-os | scope: | eq | version: | 7.0\(3\)i4\(6\) | Trust: 1.6 |
| vendor: | cisco | model: | nx-os | scope: | eq | version: | 8.1\(0.70\)s0 | Trust: 1.6 |
| vendor: | cisco | model: | nx-os | scope: | eq | version: | 7.0\(0\)hsk\(0.357\) | Trust: 1.6 |
| vendor: | cisco | model: | nx-os | scope: | - | version: | - | Trust: 1.4 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-20 | Trust: 1.9 |
THREAT TYPE
local
Trust: 0.6
TYPE
input validation error
Trust: 0.6
CONFIGURATIONS
PATCH
| title: | cisco-sa-20171018-ppe | url: | https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171018-ppe | Trust: 0.8 |
| title: | Patch for Cisco NX-OSPython Scripting Engine Privilege Escalation Vulnerability | url: | https://www.cnvd.org.cn/patchInfo/show/106410 | Trust: 0.6 |
| title: | Multiple Cisco product NX-OS Software Python scripting Subsystem security vulnerabilities | url: | http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=75858 | Trust: 0.6 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2017-12301 | Trust: 3.1 |
| db: | SECTRACK | id: | 1039622 | Trust: 1.7 |
| db: | JVNDB | id: | JVNDB-2017-009476 | Trust: 0.8 |
| db: | CNNVD | id: | CNNVD-201710-875 | Trust: 0.7 |
| db: | CNVD | id: | CNVD-2017-34579 | Trust: 0.6 |
| db: | VULHUB | id: | VHN-102810 | Trust: 0.1 |
REFERENCES
| url: | https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20171018-ppe | Trust: 1.7 |
| url: | http://www.securitytracker.com/id/1039622 | Trust: 1.7 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2017-12301 | Trust: 1.4 |
| url: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12301 | Trust: 0.8 |
SOURCES
| db: | CNVD | id: | CNVD-2017-34579 |
| db: | VULHUB | id: | VHN-102810 |
| db: | JVNDB | id: | JVNDB-2017-009476 |
| db: | CNNVD | id: | CNNVD-201710-875 |
| db: | NVD | id: | CVE-2017-12301 |
LAST UPDATE DATE
2024-11-23T22:56:04.695000+00:00
SOURCES UPDATE DATE
| db: | CNVD | id: | CNVD-2017-34579 | date: | 2017-11-20T00:00:00 |
| db: | VULHUB | id: | VHN-102810 | date: | 2019-10-09T00:00:00 |
| db: | JVNDB | id: | JVNDB-2017-009476 | date: | 2017-11-13T00:00:00 |
| db: | CNNVD | id: | CNNVD-201710-875 | date: | 2019-10-17T00:00:00 |
| db: | NVD | id: | CVE-2017-12301 | date: | 2024-11-21T03:09:15.857 |
SOURCES RELEASE DATE
| db: | CNVD | id: | CNVD-2017-34579 | date: | 2017-11-20T00:00:00 |
| db: | VULHUB | id: | VHN-102810 | date: | 2017-10-19T00:00:00 |
| db: | JVNDB | id: | JVNDB-2017-009476 | date: | 2017-11-13T00:00:00 |
| db: | CNNVD | id: | CNNVD-201710-875 | date: | 2017-10-24T00:00:00 |
| db: | NVD | id: | CVE-2017-12301 | date: | 2017-10-19T08:29:00.733 |