OS command injection in D9800 Network Transport Receiver - CVE-2018-0099
Published: January 19, 2018
Vulnerability identifier: #VU10114
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-0099
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
D9800 Network Transport Receiver
D9800 Network Transport Receiver
Detailed vulnerability description
The vulnerability allows a remote authenticated attacker to execute arbitrary commands on the target system.
The weakness exists in the web management GUI of the Cisco D9800 Network Transport Receiver due to insufficient input validation of GUI command arguments. A remote attacker can inject specially crafted arguments into a vulnerable GUI command and execute commands on the underlying BusyBox operating system with elevated privileges.
The weakness exists in the web management GUI of the Cisco D9800 Network Transport Receiver due to insufficient input validation of GUI command arguments. A remote attacker can inject specially crafted arguments into a vulnerable GUI command and execute commands on the underlying BusyBox operating system with elevated privileges.
How to mitigate CVE-2018-0099
Install update from vendor's website.