Cisco: CISCO-SA-20130709-CVE-2013-3400
History: Jul 09, 2013 - 9:36 p.m.

Cisco Nexus 1000V License Installation Command Injection Vulnerability

2013-07-09 21:36:20
tools.cisco.com

CVSS2: 6.8

Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:L/AC:L/Au:S/C:C/I:C/A:C

EPSS: 0
Percentile: 15.7%

A vulnerability in the license installation module of Cisco Nexus 1000V could allow an authenticated, local attacker to execute arbitrary shell commands.

The vulnerability is due to a failure of the install license command to properly validate user-supplied input. An attacker could exploit this vulnerability by providing crafted arguments to the install license command.

Cisco has confirmed the vulnerability in a security notice and released software updates.

Only users who could access a device and authenticate with sufficient privileges to execute the vulnerable command could exploit this vulnerability. The access requirement greatly limits the sources of potential attacks.

Affected configurations

Vulners
Node
cisco nx_os Match 4.2\(1\)sv1
OR
cisco nx_os Match 4.2\(1\)sv1\(5.1a\)

Vendor  Product  Version          CPE
cisco   nx_os    4.2(1)sv1        cpe:2.3:o:cisco:nx_os:4.2\(1\)sv1:*:*:*:*:*:*:*
cisco   nx_os    4.2(1)sv1(5.1a)  cpe:2.3:o:cisco:nx_os:4.2\(1\)sv1\(5.1a\):*:*:*:*:*:*:*
