Details of VAR-201807-0999

ID

VAR-201807-0999

CVE

CVE-2018-0344

TITLE

Cisco SD-WAN Solution Command injection vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2018-008406 // CNNVD: CNNVD-201807-1308

DESCRIPTION

A vulnerability in the vManage dashboard for the configuration and management service of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject and execute arbitrary commands with vmanage user privileges on an affected system. The vulnerability is due to insufficient input validation of data parameters for certain fields in the affected solution. An attacker could exploit this vulnerability by configuring a malicious username on the login page of the affected solution. A successful exploit could allow the attacker to inject and execute arbitrary commands with vmanage user privileges on an affected system. This vulnerability affects the following Cisco products if they are running a release of the Cisco SD-WAN Solution prior to Release 18.3.0: vBond Orchestrator Software, vEdge 100 Series Routers, vEdge 1000 Series Routers, vEdge 2000 Series Routers, vEdge 5000 Series Routers, vEdge Cloud Router Platform, vManage Network Management Software, vSmart Controller Software. Cisco Bug IDs: CSCvi69974. Cisco SD-WAN Solution Contains a command injection vulnerability. Vendors have confirmed this vulnerability Bug ID CSCvi69974 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. CiscovBondOrchestratorSoftware and others are products of Cisco. CiscovBondOrchestratorSoftware is a set of secure network extension management software. The vEdge100SeriesRouters is a 100 Series router product. SD-WANSolution is a set of network expansion solutions running in it

Trust: 2.52

sources: NVD: CVE-2018-0344 // JVNDB: JVNDB-2018-008406 // CNVD: CNVD-2018-14079 // BID: 104868 // VULHUB: VHN-118546

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2018-14079

AFFECTED PRODUCTS

vendor:	cisco	model:	vedge-pro	scope:	eq	version:	-	Trust: 1.6
vendor:	cisco	model:	vsmart controller	scope:	eq	version:	-	Trust: 1.6
vendor:	cisco	model:	vbond orchestrator	scope:	eq	version:	-	Trust: 1.6
vendor:	cisco	model:	vmanage network management	scope:	eq	version:	-	Trust: 1.6
vendor:	cisco	model:	vedge-plus	scope:	eq	version:	-	Trust: 1.6
vendor:	cisco	model:	vedge-1000	scope:	lt	version:	18.3.0	Trust: 1.0
vendor:	cisco	model:	vedge-2000	scope:	lt	version:	18.3.0	Trust: 1.0
vendor:	cisco	model:	vedge-5000	scope:	lt	version:	18.3.0	Trust: 1.0
vendor:	cisco	model:	vedge-100	scope:	lt	version:	18.3.0	Trust: 1.0
vendor:	cisco	model:	vedge 100wm	scope:	lt	version:	18.3.0	Trust: 1.0
vendor:	cisco	model:	vedge 100b	scope:	lt	version:	18.3.0	Trust: 1.0
vendor:	cisco	model:	vedge 100m	scope:	lt	version:	18.3.0	Trust: 1.0
vendor:	cisco	model:	vedge series routers	scope:	eq	version:	1000	Trust: 0.9
vendor:	cisco	model:	vbond orchestrator	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	vedge 100	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	vedge 1000	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	vedge 100b	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	vedge 100m	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	vedge 100wm	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	vedge 2000	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	vedge 5000	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	vedge-plus	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	vedge-pro	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	vmanage network management	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	vsmart controller	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	vbond orchestrator software	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	vmanage network management software	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	vsmart controller software	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	vedge cloud router platform	scope:	-	version:	-	Trust: 0.6
vendor:	cisco	model:	vedge series routers	scope:	eq	version:	5000	Trust: 0.6
vendor:	cisco	model:	vedge series routers	scope:	eq	version:	2000	Trust: 0.6
vendor:	cisco	model:	vedge series routers	scope:	eq	version:	100	Trust: 0.6
vendor:	cisco	model:	vsmart controller	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	vmanage network management	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	vedge cloud router	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	vedge	scope:	eq	version:	50000	Trust: 0.3
vendor:	cisco	model:	vedge	scope:	eq	version:	20000	Trust: 0.3
vendor:	cisco	model:	vedge	scope:	eq	version:	10000	Trust: 0.3
vendor:	cisco	model:	vbond orchestrator	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	sd-wan	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	sd-wan	scope:	ne	version:	18.3	Trust: 0.3

sources: CNVD: CNVD-2018-14079 // BID: 104868 // JVNDB: JVNDB-2018-008406 // CNNVD: CNNVD-201807-1308 // NVD: CVE-2018-0344

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-0344
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-0344
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2018-14079
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201807-1308
value:	HIGH
Trust: 0.6
VULHUB:	VHN-118546
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-0344
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-14079
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-118546
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-0344
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2018-14079 // VULHUB: VHN-118546 // JVNDB: JVNDB-2018-008406 // CNNVD: CNNVD-201807-1308 // NVD: CVE-2018-0344

PROBLEMTYPE DATA

problemtype:

CWE-77

Trust: 1.9

sources: VULHUB: VHN-118546 // JVNDB: JVNDB-2018-008406 // NVD: CVE-2018-0344

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201807-1308

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-201807-1308

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-008406

PATCH

title:	cisco-sa-20180718-sd-wan-cmd-inject	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-sd-wan-cmd-inject	Trust: 0.8
title:	Patch for CiscoSD-WANSolution Remote Command Injection Vulnerability (CNVD-2018-14079)	url:	https://www.cnvd.org.cn/patchInfo/show/135525	Trust: 0.6
title:	Cisco SD-WAN Solution Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=82209	Trust: 0.6

sources: CNVD: CNVD-2018-14079 // JVNDB: JVNDB-2018-008406 // CNNVD: CNNVD-201807-1308

EXTERNAL IDS

db:	NVD	id:	CVE-2018-0344	Trust: 3.4
db:	BID	id:	104868	Trust: 2.6
db:	JVNDB	id:	JVNDB-2018-008406	Trust: 0.8
db:	CNNVD	id:	CNNVD-201807-1308	Trust: 0.7
db:	CNVD	id:	CNVD-2018-14079	Trust: 0.6
db:	VULHUB	id:	VHN-118546	Trust: 0.1

sources: CNVD: CNVD-2018-14079 // VULHUB: VHN-118546 // BID: 104868 // JVNDB: JVNDB-2018-008406 // CNNVD: CNNVD-201807-1308 // NVD: CVE-2018-0344

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180718-sd-wan-cmd-inject	Trust: 2.0
url:	http://www.securityfocus.com/bid/104868	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2018-0344	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0344	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3

sources: CNVD: CNVD-2018-14079 // VULHUB: VHN-118546 // BID: 104868 // JVNDB: JVNDB-2018-008406 // CNNVD: CNNVD-201807-1308 // NVD: CVE-2018-0344

CREDITS

Cisco

Trust: 0.3

sources: BID: 104868

SOURCES

db:	CNVD	id:	CNVD-2018-14079
db:	VULHUB	id:	VHN-118546
db:	BID	id:	104868
db:	JVNDB	id:	JVNDB-2018-008406
db:	CNNVD	id:	CNNVD-201807-1308
db:	NVD	id:	CVE-2018-0344

LAST UPDATE DATE

2024-11-23T22:00:26.780000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-14079	date:	2018-07-27T00:00:00
db:	VULHUB	id:	VHN-118546	date:	2019-10-09T00:00:00
db:	BID	id:	104868	date:	2018-07-18T00:00:00
db:	JVNDB	id:	JVNDB-2018-008406	date:	2018-10-16T00:00:00
db:	CNNVD	id:	CNNVD-201807-1308	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2018-0344	date:	2024-11-21T03:38:01.440

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2018-14079	date:	2018-07-27T00:00:00
db:	VULHUB	id:	VHN-118546	date:	2018-07-18T00:00:00
db:	BID	id:	104868	date:	2018-07-18T00:00:00
db:	JVNDB	id:	JVNDB-2018-008406	date:	2018-10-16T00:00:00
db:	CNNVD	id:	CNNVD-201807-1308	date:	2018-07-19T00:00:00
db:	NVD	id:	CVE-2018-0344	date:	2018-07-18T23:29:00.337