SB2017090710 - Two vulnerabilities in Cisco ASR 920 Series Routers
Published: September 7, 2017
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Command injection (CVE-ID: CVE-2017-6796)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to execute arbitrary commands on the affected device.
The weakness exists due to improper input validation of the platform usb modem command in the CLI. A local attacker can modify the platform usb modem command in the CLI to inject and execute arbitrary commands.
Successful exploitation of the vulnerability nay result in system compromise.
2) Improper input validation (CVE-ID: CVE-2017-6795)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to overwrite arbitrary files on the affected device.
The weakness exists in the USB-modem code due to improper input validation of the platform usb modem command in the CLI. A local attacker can modify the platform usb modem command in the CLI to overwrite arbitrary files.
Remediation
Install update from vendor's website.