SB2017090710 - Two vulnerabilities in Cisco ASR 920 Series Routers
Published: September 7, 2017
Security Bulletin ID
SB2017090710
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Local access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Command injection (CVE-ID: CVE-2017-6796)
The vulnerability allows a local attacker to execute arbitrary commands on the affected device.The weakness exists due to improper input validation of the platform usb modem command in the CLI. A local attacker can modify the platform usb modem command in the CLI to inject and execute arbitrary commands.
Successful exploitation of the vulnerability nay result in system compromise.
2) Improper input validation (CVE-ID: CVE-2017-6795)
The vulnerability allows a local attacker to overwrite arbitrary files on the affected device.The weakness exists in the USB-modem code due to improper input validation of the platform usb modem command in the CLI. A local attacker can modify the platform usb modem command in the CLI to overwrite arbitrary files.
Remediation
Install update from vendor's website.