Lucene search

CiscoCVE-2018-0432

HistoryOct 05, 2018 - 2:29 p.m.

CVE-2018-0432

2018-10-0514:29:01

CWE-264

CWE-78

cisco

web.nvd.nist.gov

vulnerability

cisco

sd-wan solution

elevated privileges

nvd

cve-2018-0432

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.001

Percentile

48.3%

JSON

A vulnerability in the error reporting feature of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to gain elevated privileges on an affected device. The vulnerability is due to a failure to properly validate certain parameters included within the error reporting application configuration. An attacker could exploit this vulnerability by sending a crafted command to the error reporting feature. A successful exploit could allow the attacker to gain root-level privileges and take full control of the device.

Affected configurations

Nvd

Node

ciscovedge_100_firmwareRange<18.3.0

AND

ciscovedge_100Match-

Node

ciscovedge_1000_firmwareRange<18.3.0

AND

ciscovedge_1000Match-

Node

ciscovedge_2000_firmwareRange<18.3.0

AND

ciscovedge_2000Match-

Node

ciscovedge_5000_firmwareRange<18.3.0

AND

ciscovedge_5000Match-

Node

ciscovmanage_network_management_systemMatch-

VendorProductVersionCPE
ciscovedge_100_firmware*cpe:2.3:o:cisco:vedge_100_firmware:*:*:*:*:*:*:*:*
ciscovedge_100-cpe:2.3:h:cisco:vedge_100:-:*:*:*:*:*:*:*
ciscovedge_1000_firmware*cpe:2.3:o:cisco:vedge_1000_firmware:*:*:*:*:*:*:*:*
ciscovedge_1000-cpe:2.3:h:cisco:vedge_1000:-:*:*:*:*:*:*:*
ciscovedge_2000_firmware*cpe:2.3:o:cisco:vedge_2000_firmware:*:*:*:*:*:*:*:*
ciscovedge_2000-cpe:2.3:h:cisco:vedge_2000:-:*:*:*:*:*:*:*
ciscovedge_5000_firmware*cpe:2.3:o:cisco:vedge_5000_firmware:*:*:*:*:*:*:*:*
ciscovedge_5000-cpe:2.3:h:cisco:vedge_5000:-:*:*:*:*:*:*:*
ciscovmanage_network_management_system-cpe:2.3:a:cisco:vmanage_network_management_system:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	vedge_100_firmware	*	cpe:2.3:o:cisco:vedge_100_firmware::::::::
cisco	vedge_100	-	cpe:2.3:h:cisco:vedge_100:-:::::::*
cisco	vedge_1000_firmware	*	cpe:2.3:o:cisco:vedge_1000_firmware::::::::
cisco	vedge_1000	-	cpe:2.3:h:cisco:vedge_1000:-:::::::*
cisco	vedge_2000_firmware	*	cpe:2.3:o:cisco:vedge_2000_firmware::::::::
cisco	vedge_2000	-	cpe:2.3:h:cisco:vedge_2000:-:::::::*
cisco	vedge_5000_firmware	*	cpe:2.3:o:cisco:vedge_5000_firmware::::::::
cisco	vedge_5000	-	cpe:2.3:h:cisco:vedge_5000:-:::::::*
cisco	vmanage_network_management_system	-	cpe:2.3:a:cisco:vmanage_network_management_system:-:::::::*

CNA Affected

[
  {
    "product": "Cisco SD-WAN Solution",
    "vendor": "Cisco",
    "versions": [
      {
        "status": "affected",
        "version": "n/a"
      }
    ]
  }
]

References

www.securityfocus.com/bid/105296

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-sd-wan-escalation

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.001

Percentile

48.3%

JSON

Related for CVE-2018-0432