Details of VAR-202103-0544

ID

VAR-202103-0544

CVE

CVE-2021-1384

TITLE

Cisco IOS XE Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-004892

DESCRIPTION

A vulnerability in Cisco IOx application hosting environment of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands into the underlying operating system as the root user. This vulnerability is due to incomplete validation of fields in the application packages loaded onto IOx. An attacker could exploit this vulnerability by creating a crafted application .tar file and loading it onto the device. A successful exploit could allow the attacker to perform command injection into the underlying operating system as the root user. Cisco IOS XE Contains a command injection vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Cisco Iox is a secure development environment of the US Cisco (Cisco) that combines Cisco IOS and Linux OS for secure network connection and development of IOT applications

Trust: 2.34

sources: NVD: CVE-2021-1384 // JVNDB: JVNDB-2021-004892 // CNNVD: CNNVD-202103-1413 // VULHUB: VHN-374438 // VULMON: CVE-2021-1384

AFFECTED PRODUCTS

vendor:	cisco	model:	ios xe	scope:	eq	version:	17.5.0	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	gte	version:	16.9.0	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	lt	version:	17.4.2	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	lt	version:	16.6.9	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	lt	version:	17.3.3	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	gte	version:	17.3.2	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	lt	version:	16.9.7	Trust: 1.0
vendor:	cisco	model:	ios xe	scope:	gte	version:	17.4.0	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco ios xe	scope:	eq	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco ios xe	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-004892 // NVD: CVE-2021-1384

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-1384
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1384
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-1384
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202103-1413
value:	HIGH
Trust: 0.6
VULHUB:	VHN-374438
value:	HIGH
Trust: 0.1
VULMON:	CVE-2021-1384
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-1384
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-374438
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-1384
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2021-1384
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	1.2
impactScore:	5.2
version:	3.1
Trust: 1.0
NVD:	CVE-2021-1384
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-374438 // VULMON: CVE-2021-1384 // JVNDB: JVNDB-2021-004892 // CNNVD: CNNVD-202103-1413 // NVD: CVE-2021-1384 // NVD: CVE-2021-1384

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.1
problemtype:	CWE-77	Trust: 1.0
problemtype:	Command injection (CWE-77) [ Other ]	Trust: 0.8

sources: VULHUB: VHN-374438 // JVNDB: JVNDB-2021-004892 // NVD: CVE-2021-1384

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202103-1413

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202103-1413

PATCH

title:	cisco-sa-iox-cmdinj-RkSURGHG	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-cmdinj-RkSURGHG	Trust: 0.8
title:	Cisco Iox Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=145893	Trust: 0.6
title:	Cisco: Cisco IOx for IOS XE Software Command Injection Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-iox-cmdinj-RkSURGHG	Trust: 0.1

sources: VULMON: CVE-2021-1384 // JVNDB: JVNDB-2021-004892 // CNNVD: CNNVD-202103-1413

EXTERNAL IDS

db:	NVD	id:	CVE-2021-1384	Trust: 2.6
db:	JVNDB	id:	JVNDB-2021-004892	Trust: 0.8
db:	CNNVD	id:	CNNVD-202103-1413	Trust: 0.6
db:	VULHUB	id:	VHN-374438	Trust: 0.1
db:	VULMON	id:	CVE-2021-1384	Trust: 0.1

sources: VULHUB: VHN-374438 // VULMON: CVE-2021-1384 // JVNDB: JVNDB-2021-004892 // CNNVD: CNNVD-202103-1413 // NVD: CVE-2021-1384

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-iox-cmdinj-rksurghg	Trust: 2.4
url:	https://github.com/orangecertcc/security-research/security/advisories/ghsa-h332-fj6p-2232	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-1384	Trust: 1.4
url:	https://vigilance.fr/vulnerability/cisco-ios-ios-xe-multiple-vulnerabilities-34940	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/77.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/198700	Trust: 0.1

sources: VULHUB: VHN-374438 // VULMON: CVE-2021-1384 // JVNDB: JVNDB-2021-004892 // CNNVD: CNNVD-202103-1413 // NVD: CVE-2021-1384

SOURCES

db:	VULHUB	id:	VHN-374438
db:	VULMON	id:	CVE-2021-1384
db:	JVNDB	id:	JVNDB-2021-004892
db:	CNNVD	id:	CNNVD-202103-1413
db:	NVD	id:	CVE-2021-1384

LAST UPDATE DATE

2024-08-14T15:33:14.850000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-374438	date:	2022-07-29T00:00:00
db:	VULMON	id:	CVE-2021-1384	date:	2021-03-30T00:00:00
db:	JVNDB	id:	JVNDB-2021-004892	date:	2021-12-01T09:06:00
db:	CNNVD	id:	CNNVD-202103-1413	date:	2022-08-10T00:00:00
db:	NVD	id:	CVE-2021-1384	date:	2023-11-07T03:28:09.423

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-374438	date:	2021-03-24T00:00:00
db:	VULMON	id:	CVE-2021-1384	date:	2021-03-24T00:00:00
db:	JVNDB	id:	JVNDB-2021-004892	date:	2021-12-01T00:00:00
db:	CNNVD	id:	CNNVD-202103-1413	date:	2021-03-24T00:00:00
db:	NVD	id:	CVE-2021-1384	date:	2021-03-24T20:15:13.743