Lucene search

CiscoCVE-2017-12331

HistoryNov 30, 2017 - 9:29 a.m.

CVE-2017-12331

2017-11-3009:29:00

CWE-347

cisco

web.nvd.nist.gov

cisco

nx-os

vulnerability

signature verification

software patch

exploit

authentication

local attacker

cisco bug ids

nvd

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

6.3

Confidence

High

EPSS

Percentile

5.1%

JSON

A vulnerability in Cisco NX-OS System Software could allow an authenticated, local attacker to bypass signature verification when loading a software patch. The vulnerability is due to insufficient NX-OS signature verification for software patches. An authenticated, local attacker could exploit this vulnerability to bypass signature verification and load a crafted, unsigned software patch on a targeted device. The attacker would need valid administrator credentials to perform this exploit. This vulnerability affects the following products running Cisco NX-OS System Software: Multilayer Director Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Unified Computing System Manager. Cisco Bug IDs: CSCvf16494, CSCvf23655.

Affected configurations

Nvd

Node

cisconx-osMatch8.1\(1\)

Node

ciscounified_computing_systemMatch7.0\(0\)hsk\(0.357\)

VendorProductVersionCPE
cisconx-os8.1(1)cpe:2.3:o:cisco:nx-os:8.1\(1\):*:*:*:*:*:*:*
ciscounified_computing_system7.0(0)hsk(0.357)cpe:2.3:a:cisco:unified_computing_system:7.0\(0\)hsk\(0.357\):*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	nx-os	8.1(1)	cpe:2.3:o:cisco:nx-os:8.1\(1\):::::::*
cisco	unified_computing_system	7.0(0)hsk(0.357)	cpe:2.3:a:cisco:unified_computing_system:7.0\(0\)hsk\(0.357\):::::::*

CNA Affected

[
  {
    "product": "Cisco NX-OS",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Cisco NX-OS"
      }
    ]
  }
]

References

www.securityfocus.com/bid/102159

www.securitytracker.com/id/1039930

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-nxos

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

6.3

Confidence

High

EPSS

Percentile

5.1%

JSON

Related for CVE-2017-12331