Command injection in Cisco StarOS - CVE-2018-0115
Published: January 22, 2018
Vulnerability identifier: #VU10119
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-0115
CWE-ID: CWE-77
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco StarOS
Cisco StarOS
Detailed vulnerability description
The vulnerability allows an adjacent attacker to execute arbitrary commands on the target system.
The weakness exists in the CLI of the Cisco StarOS operating system for Cisco ASR 5000 Series routers due to insufficient validation of user-supplied input. An adjacent attacker can use valid administrator credentials to inject malicious command arguments into a vulnerable CLI command and execute arbitrary commands with root privileges
Successful exploitation of the vulnerability may result in system compromise.
The weakness exists in the CLI of the Cisco StarOS operating system for Cisco ASR 5000 Series routers due to insufficient validation of user-supplied input. An adjacent attacker can use valid administrator credentials to inject malicious command arguments into a vulnerable CLI command and execute arbitrary commands with root privileges
Successful exploitation of the vulnerability may result in system compromise.
How to mitigate CVE-2018-0115
Install update from vendor's website.