SB2016100527 - Arbitrary Command Execution in Cisco Firepower Threat Management
Published: October 5, 2016 Updated: October 7, 2016
Security Bulletin ID
SB2016100527
CSH Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Arbitrary Command Execution (CVE-ID: CVE-2016-6433)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
The vulnerability allows a remote authenticated user to execute arbitrary commands on the target system.
The weakness exists due to insufficient input validation. Sending a specially crafted parameters to the web application an authenticated attacker can access the affected system and execute arbitrary commands.
Successful exploitation of the vulnerability results in arbitrary commands execution on the vulnerable system.
The weakness exists due to insufficient input validation. Sending a specially crafted parameters to the web application an authenticated attacker can access the affected system and execute arbitrary commands.
Successful exploitation of the vulnerability results in arbitrary commands execution on the vulnerable system.
Remediation
Install update from vendor's website.