Details of VAR-201711-0335

ID

VAR-201711-0335

CVE

CVE-2017-12340

TITLE

Cisco NX-OS Vulnerability related to access control in system software

Trust: 0.8

sources: JVNDB: JVNDB-2017-010559

DESCRIPTION

A vulnerability in Cisco NX-OS System Software running on Cisco MDS Multilayer Director Switches, Cisco Nexus 7000 Series Switches, and Cisco Nexus 7700 Series Switches could allow an authenticated, local attacker to access the Bash shell of an affected device's operating system, even if the Bash shell is disabled on the system. The vulnerability is due to insufficient sanitization of user-supplied parameters that are passed to certain functions of the Python scripting sandbox of the affected system. An attacker could exploit this vulnerability to escape the scripting sandbox and enter the Bash shell of the operating system with the privileges of the authenticated user for the affected system. To exploit this vulnerability, the attacker must have local access to the affected system and be authenticated to the affected system with administrative or Python execution privileges. Cisco Bug IDs: CSCvd86513. Cisco NX-OS System software contains an access control vulnerability. Vendors have confirmed this vulnerability Bug ID CSCvd86513 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. NX-OSSystemSoftware is a set of operating systems used in it. An attacker can exploit this issue to bypass the security mechanism and gain unauthorized access. This may lead to further attacks

Trust: 2.52

sources: NVD: CVE-2017-12340 // JVNDB: JVNDB-2017-010559 // CNVD: CNVD-2017-36140 // BID: 102069 // VULHUB: VHN-102853

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-36140

AFFECTED PRODUCTS

vendor:	cisco	model:	nx-os	scope:	eq	version:	8.1\(0.70\)s0	Trust: 1.6
vendor:	cisco	model:	nx-os	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	7700	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	70000	Trust: 0.6
vendor:	cisco	model:	mds multilayer director switches	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	nx-os for nexus series	scope:	eq	version:	77000	Trust: 0.3
vendor:	cisco	model:	nx-os for nexus series	scope:	eq	version:	70000	Trust: 0.3
vendor:	cisco	model:	nx-os	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	multilayer director switches	scope:	eq	version:	0	Trust: 0.3

sources: CNVD: CNVD-2017-36140 // BID: 102069 // JVNDB: JVNDB-2017-010559 // CNNVD: CNNVD-201711-1225 // NVD: CVE-2017-12340

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-12340
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-12340
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-36140
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201711-1225
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-102853
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-12340
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-36140
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-102853
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-12340
baseSeverity:	MEDIUM
baseScore:	4.2
vectorString:	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	0.8
impactScore:	3.4
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2017-36140 // VULHUB: VHN-102853 // JVNDB: JVNDB-2017-010559 // CNNVD: CNNVD-201711-1225 // NVD: CVE-2017-12340

PROBLEMTYPE DATA

problemtype:	CWE-284	Trust: 1.9
problemtype:	CWE-116	Trust: 1.1

sources: VULHUB: VHN-102853 // JVNDB: JVNDB-2017-010559 // NVD: CVE-2017-12340

THREAT TYPE

local

Trust: 0.9

sources: BID: 102069 // CNNVD: CNNVD-201711-1225

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201711-1225

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-010559

PATCH

title:	cisco-sa-20171129-switch	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-switch	Trust: 0.8
title:	Patches for Cisco Cisco NX-OS System Software Unauthorized Access Vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/107777	Trust: 0.6
title:	Multiple Cisco product Cisco NX-OS System Software Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=76843	Trust: 0.6

sources: CNVD: CNVD-2017-36140 // JVNDB: JVNDB-2017-010559 // CNNVD: CNNVD-201711-1225

EXTERNAL IDS

db:	NVD	id:	CVE-2017-12340	Trust: 3.4
db:	BID	id:	102069	Trust: 2.0
db:	JVNDB	id:	JVNDB-2017-010559	Trust: 0.8
db:	CNNVD	id:	CNNVD-201711-1225	Trust: 0.7
db:	CNVD	id:	CNVD-2017-36140	Trust: 0.6
db:	VULHUB	id:	VHN-102853	Trust: 0.1

sources: CNVD: CNVD-2017-36140 // VULHUB: VHN-102853 // BID: 102069 // JVNDB: JVNDB-2017-010559 // CNNVD: CNNVD-201711-1225 // NVD: CVE-2017-12340

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20171129-switch	Trust: 2.6
url:	http://www.securityfocus.com/bid/102069	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12340	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-12340	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3

sources: CNVD: CNVD-2017-36140 // VULHUB: VHN-102853 // BID: 102069 // JVNDB: JVNDB-2017-010559 // CNNVD: CNNVD-201711-1225 // NVD: CVE-2017-12340

CREDITS

The vendor has reported this issue.

Trust: 0.3

sources: BID: 102069

SOURCES

db:	CNVD	id:	CNVD-2017-36140
db:	VULHUB	id:	VHN-102853
db:	BID	id:	102069
db:	JVNDB	id:	JVNDB-2017-010559
db:	CNNVD	id:	CNNVD-201711-1225
db:	NVD	id:	CVE-2017-12340

LAST UPDATE DATE

2024-11-23T23:02:19.666000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-36140	date:	2017-12-05T00:00:00
db:	VULHUB	id:	VHN-102853	date:	2019-10-03T00:00:00
db:	BID	id:	102069	date:	2017-12-19T22:37:00
db:	JVNDB	id:	JVNDB-2017-010559	date:	2017-12-19T00:00:00
db:	CNNVD	id:	CNNVD-201711-1225	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2017-12340	date:	2024-11-21T03:09:20.383

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-36140	date:	2017-12-05T00:00:00
db:	VULHUB	id:	VHN-102853	date:	2017-11-30T00:00:00
db:	BID	id:	102069	date:	2017-11-29T00:00:00
db:	JVNDB	id:	JVNDB-2017-010559	date:	2017-12-19T00:00:00
db:	CNNVD	id:	CNNVD-201711-1225	date:	2017-12-01T00:00:00
db:	NVD	id:	CVE-2017-12340	date:	2017-11-30T09:29:00.650