Details of VAR-201711-0330

ID

VAR-201711-0330

CVE

CVE-2017-12335

TITLE

Cisco NX-OS Command injection vulnerability in system software

Trust: 0.8

sources: JVNDB: JVNDB-2017-010555

DESCRIPTION

A vulnerability in the CLI of Cisco NX-OS System Software could allow an authenticated, local attacker to perform a command injection attack. The vulnerability is due to insufficient input validation of command arguments. An attacker could exploit this vulnerability by injecting crafted command arguments into a vulnerable CLI command and gain unauthorized access to the underlying operating system of the device. An exploit could allow the attacker to execute arbitrary commands at the user's privilege level. On products that support multiple virtual device contexts (VDCs), this vulnerability could allow an attacker to execute commands at the user's privilege level outside the user's environment. This vulnerability affects the following products running Cisco NX-OS System Software: Multilayer Director Switches, Nexus 2000 Series Fabric Extenders, Nexus 3000 Series Switches, Nexus 5000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules, Unified Computing System Manager. Cisco Bug IDs: CSCvf14923, CSCvf14926, CSCvg04095. Vendors have confirmed this vulnerability Bug ID CSCvf14923 , CSCvf14926 ,and CSCvg04095 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco MultilayerDirectorSwitches, etc. are products of Cisco. Cisco MultilayerDirectorSwitches is a switch product. Nexus2000 SeriesFabricExtenders is a Nexus2000 Series Array Extender. NX-OSSystemSoftware is a set of operating systems used in it. The CLI is one of the command line programs

Trust: 2.52

sources: NVD: CVE-2017-12335 // JVNDB: JVNDB-2017-010555 // CNVD: CNVD-2017-36153 // BID: 102165 // VULHUB: VHN-102847

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-36153

AFFECTED PRODUCTS

vendor:	cisco	model:	unified computing system	scope:	eq	version:	7.0\(0\)hsk\(0.357\)	Trust: 1.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	8.1\(1\)	Trust: 1.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	8.1\(0\)bd\(0.20\)	Trust: 1.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	7.0\(0\)hsk\(0.357\)	Trust: 1.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	70000	Trust: 0.9
vendor:	cisco	model:	nx-os	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	unified computing system	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	nexus series switche	scope:	eq	version:	3000	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	5000	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	6000	Trust: 0.6
vendor:	cisco	model:	nexus series switches in nx-os mode	scope:	eq	version:	9000	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	7700	Trust: 0.6
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	5600	Trust: 0.6
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	5500	Trust: 0.6
vendor:	cisco	model:	nexus series fabric extenders	scope:	eq	version:	2000	Trust: 0.6
vendor:	cisco	model:	multilayer director switches	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	90000	Trust: 0.6
vendor:	cisco	model:	nexus r-series line cards and fabric modules	scope:	eq	version:	9500	Trust: 0.6
vendor:	cisco	model:	unified computing system manager	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	unified computing system 7.0 hsk	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	nx-os software	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	nexus r-series line cards and fabric modules	scope:	eq	version:	95000	Trust: 0.3
vendor:	cisco	model:	nexus series switches standalone nx-os mode	scope:	eq	version:	9000-0	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	77000	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	70008.1(1)	Trust: 0.3
vendor:	cisco	model:	nexus series switches 8.1 bd	scope:	eq	version:	7000	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	60000	Trust: 0.3
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	56000	Trust: 0.3
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	55000	Trust: 0.3
vendor:	cisco	model:	nexus series switches 7.0 hsk	scope:	eq	version:	5000	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	50000	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	30000	Trust: 0.3
vendor:	cisco	model:	nexus series fabric extenders	scope:	eq	version:	20000	Trust: 0.3
vendor:	cisco	model:	multilayer director switches	scope:	eq	version:	0	Trust: 0.3

sources: CNVD: CNVD-2017-36153 // BID: 102165 // JVNDB: JVNDB-2017-010555 // CNNVD: CNNVD-201711-1229 // NVD: CVE-2017-12335

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-12335
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-12335
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-36153
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201711-1229
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-102847
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-12335
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-36153
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:L/AC:L/AU:S/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.1
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-102847
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-12335
baseSeverity:	MEDIUM
baseScore:	6.3
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	2.0
impactScore:	3.7
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2017-36153 // VULHUB: VHN-102847 // JVNDB: JVNDB-2017-010555 // CNNVD: CNNVD-201711-1229 // NVD: CVE-2017-12335

PROBLEMTYPE DATA

problemtype:

CWE-77

Trust: 1.9

sources: VULHUB: VHN-102847 // JVNDB: JVNDB-2017-010555 // NVD: CVE-2017-12335

THREAT TYPE

local

Trust: 0.9

sources: BID: 102165 // CNNVD: CNNVD-201711-1229

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-201711-1229

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-010555

PATCH

title:	cisco-sa-20171129-nxos4	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-nxos4	Trust: 0.8
title:	Patch for multiple Cisco products Cisco NX-OS System Software Command Injection Vulnerability (CNVD-2017-36153)	url:	https://www.cnvd.org.cn/patchInfo/show/107769	Trust: 0.6
title:	Multiple Cisco product Cisco NX-OS System Software Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=76847	Trust: 0.6

sources: CNVD: CNVD-2017-36153 // JVNDB: JVNDB-2017-010555 // CNNVD: CNNVD-201711-1229

EXTERNAL IDS

db:	NVD	id:	CVE-2017-12335	Trust: 3.4
db:	BID	id:	102165	Trust: 2.0
db:	SECTRACK	id:	1039935	Trust: 1.7
db:	JVNDB	id:	JVNDB-2017-010555	Trust: 0.8
db:	CNNVD	id:	CNNVD-201711-1229	Trust: 0.7
db:	CNVD	id:	CNVD-2017-36153	Trust: 0.6
db:	VULHUB	id:	VHN-102847	Trust: 0.1

sources: CNVD: CNVD-2017-36153 // VULHUB: VHN-102847 // BID: 102165 // JVNDB: JVNDB-2017-010555 // CNNVD: CNNVD-201711-1229 // NVD: CVE-2017-12335

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20171129-nxos4	Trust: 2.6
url:	http://www.securityfocus.com/bid/102165	Trust: 1.7
url:	http://www.securitytracker.com/id/1039935	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12335	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-12335	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3

sources: CNVD: CNVD-2017-36153 // VULHUB: VHN-102847 // BID: 102165 // JVNDB: JVNDB-2017-010555 // CNNVD: CNNVD-201711-1229 // NVD: CVE-2017-12335

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 102165

SOURCES

db:	CNVD	id:	CNVD-2017-36153
db:	VULHUB	id:	VHN-102847
db:	BID	id:	102165
db:	JVNDB	id:	JVNDB-2017-010555
db:	CNNVD	id:	CNNVD-201711-1229
db:	NVD	id:	CVE-2017-12335

LAST UPDATE DATE

2024-11-23T21:53:38.392000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-36153	date:	2017-12-05T00:00:00
db:	VULHUB	id:	VHN-102847	date:	2019-10-03T00:00:00
db:	BID	id:	102165	date:	2017-12-19T21:01:00
db:	JVNDB	id:	JVNDB-2017-010555	date:	2017-12-19T00:00:00
db:	CNNVD	id:	CNNVD-201711-1229	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2017-12335	date:	2024-11-21T03:09:19.727

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-36153	date:	2017-12-05T00:00:00
db:	VULHUB	id:	VHN-102847	date:	2017-11-30T00:00:00
db:	BID	id:	102165	date:	2017-11-29T00:00:00
db:	JVNDB	id:	JVNDB-2017-010555	date:	2017-12-19T00:00:00
db:	CNNVD	id:	CNNVD-201711-1229	date:	2017-12-01T00:00:00
db:	NVD	id:	CVE-2017-12335	date:	2017-11-30T09:29:00.510