SB2018011910 - Command execution in Cisco StarOS
Published: January 19, 2018
Security Bulletin ID
SB2018011910
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Adjecent network
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Command injection (CVE-ID: CVE-2018-0115)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an adjacent attacker to execute arbitrary commands on the target system.
The weakness exists in the CLI of the Cisco StarOS operating system for Cisco ASR 5000 Series routers due to insufficient validation of user-supplied input. An adjacent attacker can use valid administrator credentials to inject malicious command arguments into a vulnerable CLI command and execute arbitrary commands with root privileges
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Install update from vendor's website.