Lucene search

CiscoCVE-2017-12243

HistoryNov 02, 2017 - 4:29 p.m.

CVE-2017-12243

2017-11-0216:29:00

CWE-78

cisco

web.nvd.nist.gov

cisco

ucs

manager

firepower

ngfw

4100

9300

command injection

vulnerability

cisco bug

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

High

EPSS

0.956

Percentile

99.4%

JSON

A vulnerability in the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to obtain root shell privileges on the device, aka Command Injection. The vulnerability is due to improper validation of string input in the shell application. An attacker could exploit this vulnerability through the use of malicious commands. A successful exploit could allow the attacker to obtain root shell privileges on the device. Cisco Bug IDs: CSCvf20741, CSCvf60078.

Affected configurations

Nvd

Node

ciscounified_computing_system_manager_firmwareMatch-

AND

ciscounified_computing_system_managerMatch-

Node

ciscofirepower_9300_security_appliance_firmwareMatch-

AND

ciscofirepower_9300_security_applianceMatch-

Node

ciscofirepower_4100_next-generation_firewall_firmwareMatch-

AND

ciscofirepower_4110_next-generation_firewallMatch-

ciscofirepower_4120_next-generation_firewallMatch-

ciscofirepower_4140_next-generation_firewallMatch-

ciscofirepower_4150_next-generation_firewallMatch-

VendorProductVersionCPE
ciscounified_computing_system_manager_firmware-cpe:2.3:o:cisco:unified_computing_system_manager_firmware:-:*:*:*:*:*:*:*
ciscounified_computing_system_manager-cpe:2.3:h:cisco:unified_computing_system_manager:-:*:*:*:*:*:*:*
ciscofirepower_9300_security_appliance_firmware-cpe:2.3:o:cisco:firepower_9300_security_appliance_firmware:-:*:*:*:*:*:*:*
ciscofirepower_9300_security_appliance-cpe:2.3:h:cisco:firepower_9300_security_appliance:-:*:*:*:*:*:*:*
ciscofirepower_4100_next-generation_firewall_firmware-cpe:2.3:o:cisco:firepower_4100_next-generation_firewall_firmware:-:*:*:*:*:*:*:*
ciscofirepower_4110_next-generation_firewall-cpe:2.3:h:cisco:firepower_4110_next-generation_firewall:-:*:*:*:*:*:*:*
ciscofirepower_4120_next-generation_firewall-cpe:2.3:h:cisco:firepower_4120_next-generation_firewall:-:*:*:*:*:*:*:*
ciscofirepower_4140_next-generation_firewall-cpe:2.3:h:cisco:firepower_4140_next-generation_firewall:-:*:*:*:*:*:*:*
ciscofirepower_4150_next-generation_firewall-cpe:2.3:h:cisco:firepower_4150_next-generation_firewall:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	unified_computing_system_manager_firmware	-	cpe:2.3:o:cisco:unified_computing_system_manager_firmware:-:::::::*
cisco	unified_computing_system_manager	-	cpe:2.3:h:cisco:unified_computing_system_manager:-:::::::*
cisco	firepower_9300_security_appliance_firmware	-	cpe:2.3:o:cisco:firepower_9300_security_appliance_firmware:-:::::::*
cisco	firepower_9300_security_appliance	-	cpe:2.3:h:cisco:firepower_9300_security_appliance:-:::::::*
cisco	firepower_4100_next-generation_firewall_firmware	-	cpe:2.3:o:cisco:firepower_4100_next-generation_firewall_firmware:-:::::::*
cisco	firepower_4110_next-generation_firewall	-	cpe:2.3:h:cisco:firepower_4110_next-generation_firewall:-:::::::*
cisco	firepower_4120_next-generation_firewall	-	cpe:2.3:h:cisco:firepower_4120_next-generation_firewall:-:::::::*
cisco	firepower_4140_next-generation_firewall	-	cpe:2.3:h:cisco:firepower_4140_next-generation_firewall:-:::::::*
cisco	firepower_4150_next-generation_firewall	-	cpe:2.3:h:cisco:firepower_4150_next-generation_firewall:-:::::::*

CNA Affected

[
  {
    "product": "Cisco UCS Manager, Cisco Firepower 4100 Series NGFW, and Cisco Firepower 9300 Security Appliance",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Cisco UCS Manager, Cisco Firepower 4100 Series NGFW, and Cisco Firepower 9300 Security Appliance"
      }
    ]
  }
]

References

www.securityfocus.com/bid/101652

www.securitytracker.com/id/1039719

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-arce

Social References

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

High

EPSS

0.956

Percentile

99.4%

JSON

Related for CVE-2017-12243