ID

VAR-201711-0327


CVE

CVE-2017-12332


TITLE

Cisco NX-OS System software vulnerable to unrestricted upload of dangerous types of files

Trust: 0.8

sources: JVNDB: JVNDB-2017-010552

DESCRIPTION

A vulnerability in Cisco NX-OS System Software patch installation could allow an authenticated, local attacker to write a file to arbitrary locations. The vulnerability is due to insufficient restrictions in the patch installation process. An attacker could exploit this vulnerability by installing a crafted patch image on an affected device. The vulnerable operation occurs prior to patch activation. An exploit could allow the attacker to write arbitrary files on an affected system as root. The attacker would need valid administrator credentials to perform this exploit. This vulnerability affects the following products running Cisco NX-OS System Software: Multilayer Director Switches, Nexus 2000 Series Fabric Extenders, Nexus 5000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Unified Computing System Manager. Cisco Bug IDs: CSCvf16513, CSCvf23794, CSCvf23832. Cisco NX-OS System Software contains a vulnerability related to unrestricted upload of dangerous types of files. The vendor has released this vulnerability as Bug IDs CSCvf16513, CSCvf23794, and CSCvf23832. Information may be tampered with. Cisco Multilayer Director Switches and the other listed devices are Cisco products. Cisco Multilayer Director Switches is a switch product. Unified Computing System Manager is a set of embedded device management software. Cisco NX-OS System Software is a set of software that runs on the switch. This may aid in further attacks.

Trust: 2.52

sources: NVD: CVE-2017-12332 // JVNDB: JVNDB-2017-010552 // CNVD: CNVD-2017-36150 // BID: 102160 // VULHUB: VHN-102844

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-36150

AFFECTED PRODUCTS

vendor: cisco, model: unified computing system, scope: eq, version: 7.0\(0\)hsk\(0.357\)

Trust: 1.6

vendor: cisco, model: nx-os, scope: eq, version: 8.1\(1\)

Trust: 1.6

vendor: cisco, model: nx-os, scope: eq, version: 8.1\(0\)bd\(0.20\)

Trust: 1.6

vendor: cisco, model: nexus series switches, scope: eq, version: 70000

Trust: 0.9

vendor: cisco, model: nx-os, scope: -, version: -

Trust: 0.8

vendor: cisco, model: unified computing system, scope: -, version: -

Trust: 0.8

vendor: cisco, model: nexus series switches, scope: eq, version: 5000

Trust: 0.6

vendor: cisco, model: nexus series switches, scope: eq, version: 6000

Trust: 0.6

vendor: cisco, model: nexus series switches, scope: eq, version: 7700

Trust: 0.6

vendor: cisco, model: nexus platform switches, scope: eq, version: 5600

Trust: 0.6

vendor: cisco, model: nexus platform switches, scope: eq, version: 5500

Trust: 0.6

vendor: cisco, model: nexus series fabric extenders, scope: eq, version: 2000

Trust: 0.6

vendor: cisco, model: multilayer director switches, scope: -, version: -

Trust: 0.6

vendor: cisco, model: unified computing system manager, scope: -, version: -

Trust: 0.6

vendor: cisco, model: unified computing system manager, scope: eq, version: 0

Trust: 0.3

vendor: cisco, model: unified computing system 7.0 hsk, scope: -, version: -

Trust: 0.3

vendor: cisco, model: nexus series switches, scope: eq, version: 77000

Trust: 0.3

vendor: cisco, model: nexus series switches, scope: eq, version: 70008.1(1)

Trust: 0.3

vendor: cisco, model: nexus series switches 8.1 bd, scope: eq, version: 7000

Trust: 0.3

vendor: cisco, model: nexus series switches, scope: eq, version: 60000

Trust: 0.3

vendor: cisco, model: nexus platform switches, scope: eq, version: 56000

Trust: 0.3

vendor: cisco, model: nexus platform switches, scope: eq, version: 55000

Trust: 0.3

vendor: cisco, model: nexus series switches, scope: eq, version: 50000

Trust: 0.3

vendor: cisco, model: nexus series fabric extenders, scope: eq, version: 20000

Trust: 0.3

vendor: cisco, model: multilayer director switches, scope: eq, version: 0

Trust: 0.3

sources: CNVD: CNVD-2017-36150 // BID: 102160 // JVNDB: JVNDB-2017-010552 // CNNVD: CNNVD-201711-1232 // NVD: CVE-2017-12332

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-12332
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-12332
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-36150
value: LOW

Trust: 0.6

CNNVD: CNNVD-201711-1232
value: MEDIUM

Trust: 0.6

VULHUB: VHN-102844
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-12332
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:N/I:C/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-36150
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-102844
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:N/I:C/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-12332
baseSeverity: MEDIUM
baseScore: 4.4
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 0.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-36150 // VULHUB: VHN-102844 // JVNDB: JVNDB-2017-010552 // CNNVD: CNNVD-201711-1232 // NVD: CVE-2017-12332

PROBLEMTYPE DATA

problemtype:CWE-434

Trust: 1.9

sources: VULHUB: VHN-102844 // JVNDB: JVNDB-2017-010552 // NVD: CVE-2017-12332

THREAT TYPE

local

Trust: 0.9

sources: BID: 102160 // CNNVD: CNNVD-201711-1232

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201711-1232

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-010552

PATCH

title: cisco-sa-20171129-nxos1
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-nxos1

Trust: 0.8

title: Patches for Cisco® NX-OS System Software arbitrary file write vulnerabilities for multiple Cisco products
url: https://www.cnvd.org.cn/patchInfo/show/107763

Trust: 0.6

title: Multiple Cisco product Cisco NX-OS System Software Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=76850

Trust: 0.6

sources: CNVD: CNVD-2017-36150 // JVNDB: JVNDB-2017-010552 // CNNVD: CNNVD-201711-1232

EXTERNAL IDS

db: NVD, id: CVE-2017-12332

Trust: 3.4

db: BID, id: 102160

Trust: 1.4

db: SECTRACK, id: 1039931

Trust: 1.1

db: JVNDB, id: JVNDB-2017-010552

Trust: 0.8

db: CNNVD, id: CNNVD-201711-1232

Trust: 0.7

db: CNVD, id: CNVD-2017-36150

Trust: 0.6

db: VULHUB, id: VHN-102844

Trust: 0.1

sources: CNVD: CNVD-2017-36150 // VULHUB: VHN-102844 // BID: 102160 // JVNDB: JVNDB-2017-010552 // CNNVD: CNNVD-201711-1232 // NVD: CVE-2017-12332

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20171129-nxos1

Trust: 2.6

url:http://www.securityfocus.com/bid/102160

Trust: 1.1

url:http://www.securitytracker.com/id/1039931

Trust: 1.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12332

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-12332

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

url:http://www.cisco.com/en/us/products/ps9494/products_sub_category_home.html

Trust: 0.3

sources: CNVD: CNVD-2017-36150 // VULHUB: VHN-102844 // BID: 102160 // JVNDB: JVNDB-2017-010552 // CNNVD: CNNVD-201711-1232 // NVD: CVE-2017-12332

CREDITS

Cisco

Trust: 0.3

sources: BID: 102160

SOURCES

db: CNVD, id: CNVD-2017-36150
db: VULHUB, id: VHN-102844
db: BID, id: 102160
db: JVNDB, id: JVNDB-2017-010552
db: CNNVD, id: CNNVD-201711-1232
db: NVD, id: CVE-2017-12332

LAST UPDATE DATE

2024-11-23T22:48:53.581000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-36150, date: 2017-12-05T00:00:00
db: VULHUB, id: VHN-102844, date: 2017-12-15T00:00:00
db: BID, id: 102160, date: 2017-12-19T22:38:00
db: JVNDB, id: JVNDB-2017-010552, date: 2017-12-19T00:00:00
db: CNNVD, id: CNNVD-201711-1232, date: 2017-12-01T00:00:00
db: NVD, id: CVE-2017-12332, date: 2024-11-21T03:09:19.357

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-36150, date: 2017-12-05T00:00:00
db: VULHUB, id: VHN-102844, date: 2017-11-30T00:00:00
db: BID, id: 102160, date: 2017-11-29T00:00:00
db: JVNDB, id: JVNDB-2017-010552, date: 2017-12-19T00:00:00
db: CNNVD, id: CNNVD-201711-1232, date: 2017-12-01T00:00:00
db: NVD, id: CVE-2017-12332, date: 2017-11-30T09:29:00.400