OS Command Injection in Cisco Systems, Inc products - CVE-2016-6414
Published: September 22, 2016 / Updated: April 5, 2018
Vulnerability identifier: #VU628
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-6414
CWE-ID: CWE-78
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco IOS
Cisco IOS XR
Cisco IOS XE
Detailed vulnerability description
The vulnerability allows a local authenticated user to gain elevated privileges and perform command injection on the target system.
The weakness is caused by improper input validation. By supplying specially crafted iox command line parameters, an attacker can trigger the input validation flaw and execute arbitrary commands on the IOx Linux guest operating system (GOS).
Successful exploitation of the vulnerability may lead to privilege escalation and command injection on the vulnerable system.
How to mitigate CVE-2016-6414
Install the update from the vendor's website.