Details of VAR-201806-1010

ID

VAR-201806-1010

CVE

CVE-2018-0330

TITLE

Cisco NX-OS Vulnerability related to authorization, authority, and access control in software

Trust: 0.8

sources: JVNDB: JVNDB-2018-006896

DESCRIPTION

A vulnerability in the NX-API management application programming interface (API) in devices running, or based on, Cisco NX-OS Software could allow an authenticated, remote attacker to execute commands with elevated privileges. The vulnerability is due to a failure to properly validate certain parameters included within an NX-API request. An attacker that can successfully authenticate to the NX-API could submit a request designed to bypass NX-OS role assignment. A successful exploit could allow the attacker to execute commands with elevated privileges. This vulnerability affects the following if configured to use the NX-API feature: MDS 9000 Series Multilayer Switches, Nexus 2000 Series Switches, Nexus 3000 Series Switches, Nexus 3500 Platform Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches in standalone NX-OS mode. Cisco Bug IDs: CSCvc73177, CSCve40903, CSCve40911. Cisco NX-OS The software contains vulnerabilities related to authorization, permissions, and access control. Vendors have confirmed this vulnerability Bug ID CSCvc73177 , CSCve40903 , CSCve40911 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. CiscoMDS9000SeriesMultilayerSwitches and so on are different series of switch devices from Cisco. NX-OSSoftware is the data center-level operating system software used by a set of switches running on it. The NX-APImanagementAPI is one of the application programming interfaces for managing NX-API. A privilege elevation vulnerability exists in NX-OS Software's NX-APImanagementAPI in several Cisco products

Trust: 2.25

sources: NVD: CVE-2018-0330 // JVNDB: JVNDB-2018-006896 // CNVD: CNVD-2018-12389 // VULHUB: VHN-118532

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2018-12389

AFFECTED PRODUCTS

vendor:	cisco	model:	nx-os	scope:	lt	version:	7.3.2d1	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	7.0\(3\)i4	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	7.3\(3\)n1\(1\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	eq	version:	6.2	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	eq	version:	5.2	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	8.1\(1a\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	6.0	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	eq	version:	7.2	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	eq	version:	6.0	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	8.1.2	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	8.1	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	7.0\(3\)i3	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	eq	version:	7.0	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	7.3	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	eq	version:	8.2	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	7.0\(3\)i7\(1\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	eq	version:	7.1	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	eq	version:	8.0	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	nexus series switche	scope:	eq	version:	3000	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	7000	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	6000	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	7700	Trust: 0.6
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	5600	Trust: 0.6
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	5500	Trust: 0.6
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	3500	Trust: 0.6
vendor:	cisco	model:	mds series multilayer switches	scope:	eq	version:	9000	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	9000	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	2000	Trust: 0.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	5.2\(1\)sv3\(1.10\)	Trust: 0.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	5.2\(4\)	Trust: 0.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	5.2\(5\)	Trust: 0.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	5.2\(1\)sv3\(1.5a\)	Trust: 0.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	6.2\(6b\)	Trust: 0.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	5.2\(3\)	Trust: 0.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	5.2\(1\)sv3\(1.6\)	Trust: 0.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	5.2\(3a\)	Trust: 0.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	5.2\(1\)sv3\(1.3\)	Trust: 0.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	5.2\(1\)sv3\(1.5b\)	Trust: 0.6

sources: CNVD: CNVD-2018-12389 // JVNDB: JVNDB-2018-006896 // CNNVD: CNNVD-201806-1045 // NVD: CVE-2018-0330

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-0330
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-0330
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2018-12389
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201806-1045
value:	HIGH
Trust: 0.6
VULHUB:	VHN-118532
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-0330
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-12389
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-118532
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-0330
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2018-12389 // VULHUB: VHN-118532 // JVNDB: JVNDB-2018-006896 // CNNVD: CNNVD-201806-1045 // NVD: CVE-2018-0330

PROBLEMTYPE DATA

problemtype:	CWE-264	Trust: 1.9
problemtype:	CWE-78	Trust: 1.1

sources: VULHUB: VHN-118532 // JVNDB: JVNDB-2018-006896 // NVD: CVE-2018-0330

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201806-1045

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201806-1045

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-006896

PATCH

title:	cisco-sa-20180620-nxos-nxapi	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nxos-nxapi	Trust: 0.8
title:	Patches for several Cisco products NX-OSSoftwareNX-APImanagementAPI privilege escalation vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/133287	Trust: 0.6
title:	Multiple Cisco product NX-OS Software NX-API management API Fixes for permission permissions and access control vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=81110	Trust: 0.6

sources: CNVD: CNVD-2018-12389 // JVNDB: JVNDB-2018-006896 // CNNVD: CNNVD-201806-1045

EXTERNAL IDS

db:	NVD	id:	CVE-2018-0330	Trust: 3.1
db:	SECTRACK	id:	1041169	Trust: 1.7
db:	JVNDB	id:	JVNDB-2018-006896	Trust: 0.8
db:	CNNVD	id:	CNNVD-201806-1045	Trust: 0.7
db:	CNVD	id:	CNVD-2018-12389	Trust: 0.6
db:	VULHUB	id:	VHN-118532	Trust: 0.1

sources: CNVD: CNVD-2018-12389 // VULHUB: VHN-118532 // JVNDB: JVNDB-2018-006896 // CNNVD: CNNVD-201806-1045 // NVD: CVE-2018-0330

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180620-nxos-nxapi	Trust: 2.3
url:	http://www.securitytracker.com/id/1041169	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0330	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-0330	Trust: 0.8

sources: CNVD: CNVD-2018-12389 // VULHUB: VHN-118532 // JVNDB: JVNDB-2018-006896 // CNNVD: CNNVD-201806-1045 // NVD: CVE-2018-0330

SOURCES

db:	CNVD	id:	CNVD-2018-12389
db:	VULHUB	id:	VHN-118532
db:	JVNDB	id:	JVNDB-2018-006896
db:	CNNVD	id:	CNNVD-201806-1045
db:	NVD	id:	CVE-2018-0330

LAST UPDATE DATE

2024-11-23T21:38:49.169000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-12389	date:	2018-06-30T00:00:00
db:	VULHUB	id:	VHN-118532	date:	2019-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2018-006896	date:	2018-09-04T00:00:00
db:	CNNVD	id:	CNNVD-201806-1045	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-0330	date:	2024-11-21T03:37:59.583

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2018-12389	date:	2018-06-30T00:00:00
db:	VULHUB	id:	VHN-118532	date:	2018-06-20T00:00:00
db:	JVNDB	id:	JVNDB-2018-006896	date:	2018-09-04T00:00:00
db:	CNNVD	id:	CNNVD-201806-1045	date:	2018-06-21T00:00:00
db:	NVD	id:	CVE-2018-0330	date:	2018-06-20T21:29:00.767