Details of VAR-201711-0333

ID

VAR-201711-0333

CVE

CVE-2017-12338

TITLE

Cisco NX-OS System software input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-010557

DESCRIPTION

A vulnerability in the CLI of Cisco NX-OS System Software could allow an authenticated, local attacker to read the contents of arbitrary files. The vulnerability is due to insufficient input validation for a specific CLI command. An attacker could exploit this vulnerability by issuing a crafted command on the CLI. An exploit could allow the attacker unauthorized access to read arbitrary files on the underlying local file system. On products that support multiple virtual device contexts (VDCs), this vulnerability could allow an attacker to read files from any VDC. This vulnerability affects the following products running Cisco NX-OS System Software: Multilayer Director Switches, Nexus 2000 Series Fabric Extenders, Nexus 3000 Series Switches, Nexus 5000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode, Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules, Unified Computing System Manager. Cisco Bug IDs: CSCve51707, CSCve93961, CSCve93964, CSCve93965, CSCve93968, CSCve93974, CSCve93976. Vendors have confirmed this vulnerability Bug ID CSCve51707 , CSCve93961 , CSCve93964 , CSCve93965 , CSCve93968 , CSCve93974 ,and CSCve93976 It is released as.Information may be obtained. Cisco MultilayerDirectorSwitches, etc. are products of Cisco. Cisco MultilayerDirectorSwitches is a switch product. Nexus2000 SeriesFabricExtenders is a Nexus2000 Series Array Extender. NX-OSSystemSoftware is a set of operating systems used in it. The CLI is one of the command line programs. This may aid in further attacks

Trust: 2.52

sources: NVD: CVE-2017-12338 // JVNDB: JVNDB-2017-010557 // CNVD: CNVD-2017-36137 // BID: 102260 // VULHUB: VHN-102850

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-36137

AFFECTED PRODUCTS

vendor:	cisco	model:	nx-os	scope:	eq	version:	8.1\(0\)bd\(0.20\)	Trust: 1.6
vendor:	cisco	model:	lan switch software	scope:	eq	version:	12.2\(1.107\)	Trust: 1.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	8.0\(1\)	Trust: 1.6
vendor:	cisco	model:	unified computing system	scope:	eq	version:	7.0\(0\)hsk\(0.357\)	Trust: 1.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	8.1\(1\)	Trust: 1.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	70000	Trust: 0.9
vendor:	cisco	model:	nx-os	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	unified computing system	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	nexus series switche	scope:	eq	version:	3000	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	5000	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	6000	Trust: 0.6
vendor:	cisco	model:	nexus series switches in nx-os mode	scope:	eq	version:	9000	Trust: 0.6
vendor:	cisco	model:	nexus series switches in application centric infrastructure mode	scope:	eq	version:	9000	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	7700	Trust: 0.6
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	5600	Trust: 0.6
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	5500	Trust: 0.6
vendor:	cisco	model:	nexus series fabric extenders	scope:	eq	version:	2000	Trust: 0.6
vendor:	cisco	model:	multilayer director switches	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	unified computing system manager	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	nexus r-series line cards and fabric modules	scope:	eq	version:	9500	Trust: 0.6
vendor:	cisco	model:	unified computing system manager	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	nx-os software	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	nexus r-series line cards and fabric modules	scope:	eq	version:	95000	Trust: 0.3
vendor:	cisco	model:	nexus series switches standalone nx-os mode	scope:	eq	version:	9000-0	Trust: 0.3
vendor:	cisco	model:	nexus series fabric switches aci mode	scope:	eq	version:	9000-0	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	77000	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	60000	Trust: 0.3
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	56000	Trust: 0.3
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	55000	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	50000	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	30000	Trust: 0.3
vendor:	cisco	model:	nexus series fabric extenders	scope:	eq	version:	20000	Trust: 0.3
vendor:	cisco	model:	multilayer director switches	scope:	eq	version:	0	Trust: 0.3

sources: CNVD: CNVD-2017-36137 // BID: 102260 // JVNDB: JVNDB-2017-010557 // CNNVD: CNNVD-201711-1227 // NVD: CVE-2017-12338

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-12338
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-12338
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-36137
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201711-1227
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-102850
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2017-12338
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-36137
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:S/C:C/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.1
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-102850
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-12338
baseSeverity:	MEDIUM
baseScore:	6.0
vectorString:	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.5
impactScore:	4.0
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2017-36137 // VULHUB: VHN-102850 // JVNDB: JVNDB-2017-010557 // CNNVD: CNNVD-201711-1227 // NVD: CVE-2017-12338

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-102850 // JVNDB: JVNDB-2017-010557 // NVD: CVE-2017-12338

THREAT TYPE

local

Trust: 0.9

sources: BID: 102260 // CNNVD: CNNVD-201711-1227

TYPE

Input Validation Error

Trust: 0.9

sources: BID: 102260 // CNNVD: CNNVD-201711-1227

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-010557

PATCH

title:	cisco-sa-20171129-nxos6	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-nxos6	Trust: 0.8
title:	Patches for Cisco\302\256 NX-OSSystemSoftware arbitrary file read vulnerability for multiple Cisco products	url:	https://www.cnvd.org.cn/patchInfo/show/107771	Trust: 0.6
title:	Multiple Cisco product Cisco NX-OS System Software Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=76845	Trust: 0.6

sources: CNVD: CNVD-2017-36137 // JVNDB: JVNDB-2017-010557 // CNNVD: CNNVD-201711-1227

EXTERNAL IDS

db:	NVD	id:	CVE-2017-12338	Trust: 3.4
db:	SECTRACK	id:	1039937	Trust: 1.7
db:	JVNDB	id:	JVNDB-2017-010557	Trust: 0.8
db:	CNNVD	id:	CNNVD-201711-1227	Trust: 0.7
db:	CNVD	id:	CNVD-2017-36137	Trust: 0.6
db:	BID	id:	102260	Trust: 0.4
db:	VULHUB	id:	VHN-102850	Trust: 0.1

sources: CNVD: CNVD-2017-36137 // VULHUB: VHN-102850 // BID: 102260 // JVNDB: JVNDB-2017-010557 // CNNVD: CNNVD-201711-1227 // NVD: CVE-2017-12338

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20171129-nxos6	Trust: 2.6
url:	http://www.securitytracker.com/id/1039937	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12338	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-12338	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3

sources: CNVD: CNVD-2017-36137 // VULHUB: VHN-102850 // BID: 102260 // JVNDB: JVNDB-2017-010557 // CNNVD: CNNVD-201711-1227 // NVD: CVE-2017-12338

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 102260

SOURCES

db:	CNVD	id:	CNVD-2017-36137
db:	VULHUB	id:	VHN-102850
db:	BID	id:	102260
db:	JVNDB	id:	JVNDB-2017-010557
db:	CNNVD	id:	CNNVD-201711-1227
db:	NVD	id:	CVE-2017-12338

LAST UPDATE DATE

2024-11-23T22:56:03.946000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-36137	date:	2017-12-05T00:00:00
db:	VULHUB	id:	VHN-102850	date:	2019-10-09T00:00:00
db:	BID	id:	102260	date:	2017-11-29T00:00:00
db:	JVNDB	id:	JVNDB-2017-010557	date:	2017-12-19T00:00:00
db:	CNNVD	id:	CNNVD-201711-1227	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2017-12338	date:	2024-11-21T03:09:20.140

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-36137	date:	2017-12-05T00:00:00
db:	VULHUB	id:	VHN-102850	date:	2017-11-30T00:00:00
db:	BID	id:	102260	date:	2017-11-29T00:00:00
db:	JVNDB	id:	JVNDB-2017-010557	date:	2017-12-19T00:00:00
db:	CNNVD	id:	CNNVD-201711-1227	date:	2017-12-01T00:00:00
db:	NVD	id:	CVE-2017-12338	date:	2017-11-30T09:29:00.573