Sign-up

ID

VAR-201803-1600


CVE

CVE-2018-0221


TITLE

Cisco Identity Services Engine In OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-002551

DESCRIPTION

A vulnerability in specific CLI commands for the Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to perform command injection to the underlying operating system or cause a hang or disconnect of the user session. The attacker needs valid administrator credentials for the device. The vulnerability is due to incomplete input validation of user input for certain CLI ISE configuration commands. An attacker could exploit this vulnerability by authenticating as an administrative user, issuing a specific CLI command, and entering crafted, malicious user input for the command parameters. An exploit could allow the attacker to perform command injection to the lower-level Linux operating system. It is also possible the attacker could cause the ISE user interface for this management session to hang or disconnect. Cisco Bug IDs: CSCvg95479. Vendors have confirmed this vulnerability Bug ID CSCvg95479 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. An attacker may exploit this issue to inject and execute arbitrary commands within the context of the affected application; this may aid in further attacks. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies

Trust: 1.98

sources: NVD: CVE-2018-0221 // JVNDB: JVNDB-2018-002551 // BID: 103347 // VULHUB: VHN-118423

AFFECTED PRODUCTS

vendor:ciscomodel:identity services enginescope:eqversion:2.1\(0.474\)

Trust: 1.6

vendor:ciscomodel:identity services enginescope:eqversion:2.2\(0.470\)

Trust: 1.6

vendor:ciscomodel:identity services enginescope:eqversion:2.0\(0.249\)

Trust: 1.6

vendor:ciscomodel:identity services enginescope:eqversion:2.4\(0.192\)

Trust: 1.6

vendor:ciscomodel:identity services enginescope:eqversion:2.3\(0.298\)

Trust: 1.6

vendor:ciscomodel:identity services enginescope:eqversion:2.2\(0.903\)

Trust: 1.6

vendor:ciscomodel:identity services enginescope: - version: -

Trust: 0.8

vendor:ciscomodel:identity services engine series appliancesscope:eqversion:33002.4(0.192)

Trust: 0.3

vendor:ciscomodel:identity services engine series appliancesscope:eqversion:33002.2(0.903)

Trust: 0.3

vendor:ciscomodel:identity services engine series appliancesscope:eqversion:33002.2(0.470)

Trust: 0.3

vendor:ciscomodel:identity services enginescope:eqversion:0

Trust: 0.3

sources: BID: 103347 // JVNDB: JVNDB-2018-002551 // CNNVD: CNNVD-201803-246 // NVD: CVE-2018-0221

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-0221
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-0221
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201803-246
value: MEDIUM

Trust: 0.6

VULHUB: VHN-118423
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-0221
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-118423
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-0221
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-118423 // JVNDB: JVNDB-2018-002551 // CNNVD: CNNVD-201803-246 // NVD: CVE-2018-0221

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.9

sources: VULHUB: VHN-118423 // JVNDB: JVNDB-2018-002551 // NVD: CVE-2018-0221

THREAT TYPE

local

Trust: 0.9

sources: BID: 103347 // CNNVD: CNNVD-201803-246

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201803-246

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-002551

PATCH
title:cisco-sa-20180307-ise6url:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-ise6
Trust: 0.8
title:Cisco Identity Services Engine Fixes for command injection vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=78980
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2018-002551 // 
            
            
            
            CNNVD: CNNVD-201803-246

EXTERNAL IDS
db:NVDid:CVE-2018-0221
Trust: 2.8
db:BIDid:103347
Trust: 2.0
db:SECTRACKid:1040471
Trust: 1.7
db:JVNDBid:JVNDB-2018-002551
Trust: 0.8
db:CNNVDid:CNNVD-201803-246
Trust: 0.6
db:VULHUBid:VHN-118423
Trust: 0.1
sources:
            
            
            VULHUB: VHN-118423 // 
            
            
            
            BID: 103347 // 
            
            
            
            JVNDB: JVNDB-2018-002551 // 
            
            
            
            CNNVD: CNNVD-201803-246 // 
            
            
            
            NVD: CVE-2018-0221

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180307-ise6
Trust: 2.0
url:http://www.securityfocus.com/bid/103347
Trust: 1.7
url:http://www.securitytracker.com/id/1040471
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0221
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-0221
Trust: 0.8
url:http://www.cisco.com/
Trust: 0.3
sources:
            
            
            VULHUB: VHN-118423 // 
            
            
            
            BID: 103347 // 
            
            
            
            JVNDB: JVNDB-2018-002551 // 
            
            
            
            CNNVD: CNNVD-201803-246 // 
            
            
            
            NVD: CVE-2018-0221

CREDITS
Cisco
Trust: 0.3
sources:
            
            
            BID: 103347

SOURCES
db:VULHUBid:VHN-118423
db:BIDid:103347
db:JVNDBid:JVNDB-2018-002551
db:CNNVDid:CNNVD-201803-246
db:NVDid:CVE-2018-0221

LAST UPDATE DATE
2024-11-23T22:00:39.531000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-118423date:2019-10-09T00:00:00
db:BIDid:103347date:2018-03-07T00:00:00
db:JVNDBid:JVNDB-2018-002551date:2018-04-18T00:00:00
db:CNNVDid:CNNVD-201803-246date:2019-10-17T00:00:00
db:NVDid:CVE-2018-0221date:2024-11-21T03:37:45.760

SOURCES RELEASE DATE
db:VULHUBid:VHN-118423date:2018-03-08T00:00:00
db:BIDid:103347date:2018-03-07T00:00:00
db:JVNDBid:JVNDB-2018-002551date:2018-04-18T00:00:00
db:CNNVDid:CNNVD-201803-246date:2018-03-09T00:00:00
db:NVDid:CVE-2018-0221date:2018-03-08T07:29:01.160