#VU10114 OS command injection in D9800 Network Transport Receiver - CVE-2018-0099
Published: January 19, 2018
Vulnerability identifier: #VU10114
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-0099
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
D9800 Network Transport Receiver
Software vendor:
Cisco Systems, Inc
Description
The vulnerability allows a remote authenticated attacker to execute arbitrary commands on the target system.
The weakness exists in the web management GUI of the Cisco D9800 Network Transport Receiver due to insufficient input validation of GUI command arguments. A remote authenticated attacker can inject specially crafted arguments into a vulnerable GUI command and execute commands on the underlying BusyBox operating system with elevated privileges.
Remediation
Install the update from the vendor's website.