Lucene search

CiscoCVE-2017-6634

HistoryMay 22, 2017 - 1:29 a.m.

CVE-2017-6634

2017-05-2201:29:00

CWE-352

cisco

web.nvd.nist.gov

cisco

industrial ethernet

switches

vulnerability

csrf

attack

device manager

cisco bug ids

cscvc88811

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.001

Percentile

46.7%

JSON

A vulnerability in the Device Manager web interface of Cisco Industrial Ethernet 1000 Series Switches 1.3 could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of an affected system. The vulnerability is due to insufficient CSRF protection by the Device Manager web interface. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link or visit an attacker-controlled website. A successful exploit could allow the attacker to submit arbitrary requests to an affected device via the Device Manager web interface and with the privileges of the user. Cisco Bug IDs: CSCvc88811.

Affected configurations

Nvd

Node

ciscoindustrial_ethernet_1000_series_firmwareMatch1.3_base

AND

ciscoie-1000-4p2s-lmMatch-

ciscoie-1000-4t1t-lmMatch-

ciscoie-1000-6t2t-lmMatch-

ciscoie-1000-8p2s-lmMatch-

VendorProductVersionCPE
ciscoindustrial_ethernet_1000_series_firmware1.3_basecpe:2.3:o:cisco:industrial_ethernet_1000_series_firmware:1.3_base:*:*:*:*:*:*:*
ciscoie-1000-4p2s-lm-cpe:2.3:h:cisco:ie-1000-4p2s-lm:-:*:*:*:*:*:*:*
ciscoie-1000-4t1t-lm-cpe:2.3:h:cisco:ie-1000-4t1t-lm:-:*:*:*:*:*:*:*
ciscoie-1000-6t2t-lm-cpe:2.3:h:cisco:ie-1000-6t2t-lm:-:*:*:*:*:*:*:*
ciscoie-1000-8p2s-lm-cpe:2.3:h:cisco:ie-1000-8p2s-lm:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	industrial_ethernet_1000_series_firmware	1.3_base	cpe:2.3:o:cisco:industrial_ethernet_1000_series_firmware:1.3_base:::::::*
cisco	ie-1000-4p2s-lm	-	cpe:2.3:h:cisco:ie-1000-4p2s-lm:-:::::::*
cisco	ie-1000-4t1t-lm	-	cpe:2.3:h:cisco:ie-1000-4t1t-lm:-:::::::*
cisco	ie-1000-6t2t-lm	-	cpe:2.3:h:cisco:ie-1000-6t2t-lm:-:::::::*
cisco	ie-1000-8p2s-lm	-	cpe:2.3:h:cisco:ie-1000-8p2s-lm:-:::::::*

CNA Affected

[
  {
    "product": "Cisco Industrial Ethernet 1000 Series Switches",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Cisco Industrial Ethernet 1000 Series Switches"
      }
    ]
  }
]

References

www.securityfocus.com/bid/98524

www.securitytracker.com/id/1038517

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-ie1000csrf

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.001

Percentile

46.7%

JSON

Related for CVE-2017-6634