SB2017110207 - Privilege escalation in Cisco Identity Services Engine
Published: November 2, 2017
Security Bulletin ID
SB2017110207
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Privilege escalation (CVE-ID: CVE-2017-12261)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists in the restricted shell of the Cisco Identity Services Engine (ISE) that is accessible via SSH due to incomplete input validation of the user input for CLI commands issued at the restricted shell. A local attacker can use valid user credentials and run arbitrary CLI commands with elevated privileges.
Remediation
Install update from vendor's website.