Lucene search

[email protected]CVE-2017-12332

HistoryNov 30, 2017 - 9:29 a.m.

CVE-2017-12332

2017-11-3009:29:00

CWE-434

[email protected]

web.nvd.nist.gov

cisco

nx-os

system software

vulnerability

patch installation

authenticated

local attacker

file write

arbitrary locations

insufficient restrictions

crafted patch image

exploit

administrator credentials

multilayer director switches

nexus 2000 series fabric extenders

nexus 5000 series switches

nexus 5500 platform switches

nexus 5600 platform switches

nexus 6000 series switches

nexus 7000 series switches

nexus 7700 series switches

unified computing system manager

cve-2017-12332

nvd

cscvf16513

cscvf23794

cscvf23832

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

4.6 Medium

AI Score

Confidence

High

4.9 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

COMPLETE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:C/A:N

0.0004 Low

EPSS

Percentile

5.2%

JSON

A vulnerability in Cisco NX-OS System Software patch installation could allow an authenticated, local attacker to write a file to arbitrary locations. The vulnerability is due to insufficient restrictions in the patch installation process. An attacker could exploit this vulnerability by installing a crafted patch image on an affected device. The vulnerable operation occurs prior to patch activation. An exploit could allow the attacker to write arbitrary files on an affected system as root. The attacker would need valid administrator credentials to perform this exploit. This vulnerability affects the following products running Cisco NX-OS System Software: Multilayer Director Switches, Nexus 2000 Series Fabric Extenders, Nexus 5000 Series Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Unified Computing System Manager. Cisco Bug IDs: CSCvf16513, CSCvf23794, CSCvf23832.

Affected configurations

NVD

Node

ciscounified_computing_systemMatch7.0\(0\)hsk\(0.357\)

Node

cisconx-osMatch8.1\(0\)bd\(0.20\)

cisconx-osMatch8.1\(1\)

CPENameOperatorVersion
cisco:unified_computing_systemcisco unified computing systemeq7.0\(0\)hsk\(0.357\)

CPE	Name	Operator	Version
cisco:unified_computing_system	cisco unified computing system	eq	7.0\(0\)hsk\(0.357\)

CNA Affected

[
  {
    "product": "Cisco NX-OS",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Cisco NX-OS"
      }
    ]
  }
]

References

www.securityfocus.com/bid/102160

www.securitytracker.com/id/1039931

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-nxos1

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

4.6 Medium

AI Score

Confidence

High

4.9 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

COMPLETE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:C/A:N

0.0004 Low

EPSS

Percentile

5.2%

JSON

Related for CVE-2017-12332

prion1 cisco1 cvelist1 nvd1