Lucene search

K
ciscoCiscoCISCO-SA-20150630-CVE-2015-4232
HistoryJun 30, 2015 - 5:48 p.m.

Cisco Nexus Devices NX-OS Software Command-Line Interpreter Local Privilege Escalation Vulnerability

2015-06-3017:48:55
tools.cisco.com
10

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

EPSS

0

Percentile

5.1%

A local privilege escalation vulnerability in the command-line interpreter of Cisco Nexus devices could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with user privileges.

The vulnerability exists due to insufficient input sanitization of parameters passed to the tar command on the command-line interpreter of an affected device. An attacker could leverage this behavior to execute arbitrary commands on the underlying operating system with the privileges of the user authenticated to the device.

Cisco has confirmed the vulnerability and released software updates.

To exploit this vulnerability, an attacker must have local access and be able to authenticate to the targeted device. These requirements could limit the possibility of a successful exploit.

Cisco would like to thank Jens Krabbenhoeft for discovering and reporting this vulnerability.

Affected configurations

Vulners
Node
cisconx_osMatch6.2
OR
cisconx_osMatch6.2\(10\)
VendorProductVersionCPE
cisconx_os6.2cpe:2.3:o:cisco:nx_os:6.2:*:*:*:*:*:*:*
cisconx_os6.2(10)cpe:2.3:o:cisco:nx_os:6.2\(10\):*:*:*:*:*:*:*

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

EPSS

0

Percentile

5.1%

Related for CISCO-SA-20150630-CVE-2015-4232