SB2017062211 - Two vulnerabilities in Cisco IOS XR

Published: June 22, 2017

Security Bulletin ID SB2017062211
Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Local access
Highest impact Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Command injection (CVE-ID: CVE-2017-6719)

The vulnerability allows a local authenticated attacker to execute arbitrary commands on the host operating system with root privileges.

The vulnerability exists in the CLI of Cisco IOS XR Software due to insufficient validation of command arguments. A local authenticated attacker can supply specially crafted arguments to a command in a specific command group; the unvalidated input reaches the underlying host operating system and is executed there as root.

Successful exploitation of the vulnerability allows an attacker to fully compromise the vulnerable device.
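The following added example is not Cisco code and says nothing about how IOS XR builds its commands; it only illustrates the vulnerability class named above. A hypothetical CLI wrapper hands a user-supplied argument to the host shell as part of a command string, so shell metacharacters in the argument become extra commands. The hardened version validates the argument against an allowlist pattern (which also rejects a leading dash, blocking option injection) and passes an argv list with `shell=False`, so the argument can never be parsed as shell syntax. The payloads and hostnames are constructed for the example.

```python
import re
import subprocess

# Characters that give a POSIX shell something to do beyond passing the word through.
SHELL_METACHARACTERS = set(";&|`$()<>\n\\\"'")

# Hostname allowlist: labels of letters, digits and inner hyphens, joined by dots.
# Because the first character must be alphanumeric, "-c 100000" is rejected too.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_build(host: str) -> str:
    """Insecure: returns the string a wrapper would pass to /bin/sh -c.

    Whatever the caller put in `host` is interpreted by the shell, so
    '10.0.0.1; id' runs ping and then id.
    """
    return f"ping -c 1 {host}"


def find_metacharacters(value: str) -> set:
    """Report which shell metacharacters an argument contains (for logging/alerting)."""
    return set(value) & SHELL_METACHARACTERS


def validate_host(host: str) -> str:
    """Allowlist validation: accept only syntactically valid hostnames / IPv4 literals."""
    if not _HOST_RE.match(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return host


def hardened_build(host: str) -> list:
    """Secure: argv list, one element per argument, no shell involved."""
    return ["ping", "-c", "1", validate_host(host)]


def run_hardened(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened command. shell=False means no word splitting or
    metacharacter interpretation happens between this process and ping."""
    return subprocess.run(hardened_build(host), shell=False,
                          capture_output=True, text=True, check=False)
```

In a review, the thing to look for is any place where a string built from user input meets `shell=True`, `os.system`, `popen` or a raw `/bin/sh -c`; the fix is always the pair shown here, validate against an allowlist and pass an argv list.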


2) Privilege escalation (CVE-ID: CVE-2017-6718)

The vulnerability allows a local authenticated attacker to gain root privileges on the target device.

The vulnerability exists in the CLI of Cisco IOS XR Software due to incorrect permission settings on binary files. A local authenticated attacker can send specially crafted commands to the affected device to overwrite those binaries on the device file system; because the binaries are later executed with root privileges, the attacker's replacement code runs as root.

Successful exploitation of the vulnerability results in privilege escalation to root.
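The underlying weakness is an executable that one account can modify and another, more privileged account then runs. The added example below is not Cisco code and does not reproduce the IOS XR issue; it is a generic audit a practitioner can run on any Unix-like host shell to find executables whose permission bits let a non-owner write to them, with the setuid/setgid-plus-writable combination called out as the most dangerous. The demo builds its own throwaway fixture in a temporary directory, so the file names and modes are constructed, not taken from a real device.

```python
import os
import stat
import tempfile
from typing import Dict, List, Optional

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def classify(mode: int) -> Optional[List[str]]:
    """Pure classifier over an st_mode value.

    Returns None for anything that is not a regular executable or has no
    non-owner write bit; otherwise a list of findings. Order is fixed so the
    result is easy to compare: group-writable, world-writable, setuid/setgid.
    """
    if not stat.S_ISREG(mode) or not (mode & EXEC_BITS):
        return None
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if not findings:
        return None
    # Writable AND runs with someone else's identity: a direct root path if owned by root.
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid")
    return findings


def scan(directories: List[str]) -> Dict[str, List[str]]:
    """Walk the given directories (symlinks not followed) and map path -> findings."""
    results: Dict[str, List[str]] = {}
    for base in directories:
        for root, _dirs, files in os.walk(base):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)  # lstat: a symlink is not the binary itself
                except OSError:
                    continue
                findings = classify(st.st_mode)
                if findings:
                    results[path] = findings
    return results


def demo() -> Dict[str, Optional[List[str]]]:
    """Constructed fixture: a few files with deliberately chosen modes.

    Returns a mapping of short name -> findings (None when not flagged) so the
    behaviour of scan() on a real tree can be inspected without touching /usr/bin.
    """
    fixture = {
        "good_bin": 0o755,        # normal: only the owner can write
        "ww_bin": 0o777,          # anyone can overwrite, anyone can run
        "notes.txt": 0o666,       # writable but not executable: out of scope here
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in fixture.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(b"#!/bin/sh\nexit 0\n")  # constructed placeholder content
            os.chmod(path, mode)
        found = scan([tmp])
        return {name: found.get(os.path.join(tmp, name)) for name in fixture}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings}")
```

On a real host, run `scan()` over the directories that hold privileged executables and treat every hit as a finding to fix with `chmod`, because the exact condition this bulletin describes, a binary that a less privileged process can overwrite and a root context later executes, is what the audit is looking for.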


Remediation

Install the fixed software release from the vendor's website. Both issues require an authenticated local CLI session, so until the update is applied, limiting which accounts can log in to the device CLI reduces exposure.