Security restrictions bypass in Cisco IOS/IOS XE - CVE-2018-0123
Published: February 8, 2018
Vulnerability identifier: #VU10414
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-0123
CWE-ID: CWE-20
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco IOS/IOS XE
Cisco IOS/IOS XE
Detailed vulnerability description
The vulnerability allows a local attacker to bypass security restrictions and modify data on the target system.
The weakness exists in the diagnostic shell for Cisco IOS and IOS XE Software due to lack of proper input validation for certain diagnostic shell commands. A local attacker can authenticate to the device, enter the diagnostic shell, provide a specially crafted input to commands at the local diagnostic shell CLI and overwrite system files that should be restricted.
The weakness exists in the diagnostic shell for Cisco IOS and IOS XE Software due to lack of proper input validation for certain diagnostic shell commands. A local attacker can authenticate to the device, enter the diagnostic shell, provide a specially crafted input to commands at the local diagnostic shell CLI and overwrite system files that should be restricted.
How to mitigate CVE-2018-0123
Update to version 16.8(0.99).