Details of VAR-201711-0334

ID

VAR-201711-0334

CVE

CVE-2017-12339

TITLE

Cisco NX-OS Command injection vulnerability in system software

Trust: 0.8

sources: JVNDB: JVNDB-2017-010558

DESCRIPTION

A vulnerability in the CLI of Cisco NX-OS System Software could allow an authenticated, local attacker to perform a command injection attack. The vulnerability is due to insufficient input validation of command arguments to the CLI parser. An attacker could exploit this vulnerability by injecting crafted command arguments into a vulnerable CLI command. An exploit could allow the attacker to execute arbitrary commands at the user's privilege level. On products that support multiple virtual device contexts (VDCs), this vulnerability could allow the attacker to execute commands at the user's privilege level outside the user's environment. This vulnerability affects the following products running Cisco NX-OS System Software: Multilayer Director Switches, Nexus 2000 Series Fabric Extenders, Nexus 3000 Series Switches, Nexus 5000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode, Nexus 9000 Series Switches in standalone NX-OS mode, and Nexus 9500 R-Series Line Cards and Fabric Modules. Cisco Bug IDs: CSCve99925, CSCvf15164, CSCvf15167, CSCvf15170, CSCvf15173. Vendors have confirmed this vulnerability Bug ID CSCve99925 , CSCvf15164 , CSCvf15167 , CSCvf15170 ,and CSCvf15173 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco MultilayerDirectorSwitches, etc. are products of Cisco. Cisco MultilayerDirectorSwitches is a switch product. Nexus2000 SeriesFabricExtenders is a Nexus2000 Series Array Extender. NX-OSSystemSoftware is a set of operating systems used in it. The CLI is one of the command line programs

Trust: 2.61

sources: NVD: CVE-2017-12339 // JVNDB: JVNDB-2017-010558 // CNVD: CNVD-2017-36139 // BID: 102198 // VULHUB: VHN-102851 // VULMON: CVE-2017-12339

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-36139

AFFECTED PRODUCTS

vendor:	cisco	model:	nx-os	scope:	eq	version:	8.0\(1\)	Trust: 1.6
vendor:	cisco	model:	lan switch software	scope:	eq	version:	12.2\(1.107\)	Trust: 1.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	8.1\(0\)bd\(0.20\)	Trust: 1.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	7.0\(0\)hsk\(0.357\)	Trust: 1.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	70000	Trust: 0.9
vendor:	cisco	model:	nx-os	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	nexus series switche	scope:	eq	version:	3000	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	5000	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	6000	Trust: 0.6
vendor:	cisco	model:	nexus series switches in nx-os mode	scope:	eq	version:	9000	Trust: 0.6
vendor:	cisco	model:	nexus series switches in application centric infrastructure mode	scope:	eq	version:	9000	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	7700	Trust: 0.6
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	5600	Trust: 0.6
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	5500	Trust: 0.6
vendor:	cisco	model:	nexus series fabric extenders	scope:	eq	version:	2000	Trust: 0.6
vendor:	cisco	model:	multilayer director switches	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	nexus r-series line cards and fabric modules	scope:	eq	version:	9500	Trust: 0.6
vendor:	cisco	model:	unified computing system manager	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	nx-os software	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	nexus r-series line cards and fabric modules	scope:	eq	version:	95000	Trust: 0.3
vendor:	cisco	model:	nexus series switches in nx-os mode	scope:	eq	version:	90000	Trust: 0.3
vendor:	cisco	model:	nexus series switches standalone nx-os mode	scope:	eq	version:	9000-0	Trust: 0.3
vendor:	cisco	model:	nexus series fabric switches aci mode	scope:	eq	version:	9000-0	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	77000	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	60000	Trust: 0.3
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	56000	Trust: 0.3
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	55000	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	50000	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	30000	Trust: 0.3
vendor:	cisco	model:	nexus series fabric extenders	scope:	eq	version:	20000	Trust: 0.3
vendor:	cisco	model:	multilayer director switches	scope:	eq	version:	0	Trust: 0.3

sources: CNVD: CNVD-2017-36139 // BID: 102198 // JVNDB: JVNDB-2017-010558 // CNNVD: CNNVD-201711-1226 // NVD: CVE-2017-12339

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-12339
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-12339
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-36139
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201711-1226
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-102851
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2017-12339
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-12339
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2017-36139
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:L/AC:L/AU:S/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.1
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-102851
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-12339
baseSeverity:	MEDIUM
baseScore:	5.7
vectorString:	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	1.5
impactScore:	3.7
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2017-36139 // VULHUB: VHN-102851 // VULMON: CVE-2017-12339 // JVNDB: JVNDB-2017-010558 // CNNVD: CNNVD-201711-1226 // NVD: CVE-2017-12339

PROBLEMTYPE DATA

problemtype:

CWE-77

Trust: 1.9

sources: VULHUB: VHN-102851 // JVNDB: JVNDB-2017-010558 // NVD: CVE-2017-12339

THREAT TYPE

local

Trust: 0.9

sources: BID: 102198 // CNNVD: CNNVD-201711-1226

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-201711-1226

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-010558

PATCH

title:	cisco-sa-20171129-nxos7	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-nxos7	Trust: 0.8
title:	Patch for multiple Cisco products Cisco NX-OS System Software Command Injection Vulnerability (CNVD-2017-36139)	url:	https://www.cnvd.org.cn/patchInfo/show/107775	Trust: 0.6
title:	Multiple Cisco product Cisco NX-OS System Software Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=76844	Trust: 0.6
title:	Cisco: Cisco NX-OS System Software CLI Command Injection Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20171129-nxos7	Trust: 0.1

sources: CNVD: CNVD-2017-36139 // VULMON: CVE-2017-12339 // JVNDB: JVNDB-2017-010558 // CNNVD: CNNVD-201711-1226

EXTERNAL IDS

db:	NVD	id:	CVE-2017-12339	Trust: 3.5
db:	BID	id:	102198	Trust: 1.5
db:	SECTRACK	id:	1039938	Trust: 1.2
db:	JVNDB	id:	JVNDB-2017-010558	Trust: 0.8
db:	CNNVD	id:	CNNVD-201711-1226	Trust: 0.7
db:	CNVD	id:	CNVD-2017-36139	Trust: 0.6
db:	VULHUB	id:	VHN-102851	Trust: 0.1
db:	VULMON	id:	CVE-2017-12339	Trust: 0.1

sources: CNVD: CNVD-2017-36139 // VULHUB: VHN-102851 // VULMON: CVE-2017-12339 // BID: 102198 // JVNDB: JVNDB-2017-010558 // CNNVD: CNNVD-201711-1226 // NVD: CVE-2017-12339

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20171129-nxos7	Trust: 2.8
url:	http://www.securityfocus.com/bid/102198	Trust: 1.2
url:	http://www.securitytracker.com/id/1039938	Trust: 1.2
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12339	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-12339	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/77.html	Trust: 0.1
url:	https://www.rapid7.com/db/vulnerabilities/cisco-nx-os-cisco-sa-20171129-nxos7	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 102198

SOURCES

db:	CNVD	id:	CNVD-2017-36139
db:	VULHUB	id:	VHN-102851
db:	VULMON	id:	CVE-2017-12339
db:	BID	id:	102198
db:	JVNDB	id:	JVNDB-2017-010558
db:	CNNVD	id:	CNNVD-201711-1226
db:	NVD	id:	CVE-2017-12339

LAST UPDATE DATE

2024-11-23T22:45:34.068000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-36139	date:	2017-12-05T00:00:00
db:	VULHUB	id:	VHN-102851	date:	2017-12-17T00:00:00
db:	VULMON	id:	CVE-2017-12339	date:	2017-12-17T00:00:00
db:	BID	id:	102198	date:	2017-12-19T22:38:00
db:	JVNDB	id:	JVNDB-2017-010558	date:	2017-12-19T00:00:00
db:	CNNVD	id:	CNNVD-201711-1226	date:	2017-12-01T00:00:00
db:	NVD	id:	CVE-2017-12339	date:	2024-11-21T03:09:20.263

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-36139	date:	2017-12-05T00:00:00
db:	VULHUB	id:	VHN-102851	date:	2017-11-30T00:00:00
db:	VULMON	id:	CVE-2017-12339	date:	2017-11-30T00:00:00
db:	BID	id:	102198	date:	2017-11-29T00:00:00
db:	JVNDB	id:	JVNDB-2017-010558	date:	2017-12-19T00:00:00
db:	CNNVD	id:	CNNVD-201711-1226	date:	2017-12-01T00:00:00
db:	NVD	id:	CVE-2017-12339	date:	2017-11-30T09:29:00.620