Security restrictions bypass in Cisco Ultra Services Framework - CVE-2017-6711
Published: July 6, 2017
Vulnerability identifier: #VU7344
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-6711
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco Ultra Services Framework
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to bypass security restrictions.
The vulnerability exists in the Ultra Automation Service (UAS) of the Cisco Ultra Services Framework due to an insecure default configuration of the Apache ZooKeeper service. A remote attacker can use the orchestrator network to bypass security restrictions, gain access to ZooKeeper data nodes (znodes) and influence the behavior of the system's high-availability feature.
Successful exploitation of the vulnerability may result in unauthorized access to the affected device.
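The weakness described above is ZooKeeper exposing znodes to clients that never authenticated; ZooKeeper's own default ACL for newly created znodes is world:anyone:cdrwa. The following Python script is an added example, not Cisco's or the advisory's code: it audits znode ACL entries written in the scheme:id:perms form that zkCli's setAcl accepts and reports znodes an anonymous client could read or modify. The znode paths and the digest hash in the sample are constructed.

```python
"""Audit ZooKeeper znode ACLs for anonymous (unauthenticated) access."""
from __future__ import annotations
from dataclasses import dataclass

# Permission flags in ZooKeeper's notation: c=create, d=delete, r=read, w=write, a=admin.
ALL_PERMS = "cdrwa"
WRITE_LIKE = set("cdwa")  # anything beyond read lets a client change HA state


@dataclass(frozen=True)
class Acl:
    scheme: str
    id: str
    perms: frozenset


def parse_acl(entry: str) -> Acl:
    """Parse 'scheme:id:perms' (e.g. 'world:anyone:cdrwa', 'digest:user:hash:rw')."""
    head, _, perms = entry.rpartition(":")
    scheme, _, ident = head.partition(":")  # digest ids contain a ':' themselves
    if not scheme or not perms or set(perms) - set(ALL_PERMS):
        raise ValueError(f"malformed ACL entry: {entry!r}")
    return Acl(scheme, ident, frozenset(perms))


def is_anonymous(acl: Acl) -> bool:
    """world:anyone applies to every client; auth/digest/sasl require authentication."""
    return acl.scheme == "world" and acl.id == "anyone"


def audit(znode_acls: dict[str, list[str]]) -> dict[str, str]:
    """Return {path: finding} for znodes that unauthenticated clients can read or modify."""
    findings = {}
    for path, entries in znode_acls.items():
        anon = [a for a in map(parse_acl, entries) if is_anonymous(a)]
        if not anon:
            continue
        perms = set().union(*(a.perms for a in anon))
        shown = "".join(p for p in ALL_PERMS if p in perms)
        if perms & WRITE_LIKE:
            findings[path] = f"anonymous write/admin: {shown}"
        elif "r" in perms:
            findings[path] = "anonymous read"
    return findings


# Constructed sample: an HA leader node left on ZooKeeper's default OPEN_ACL_UNSAFE.
SAMPLE = {
    "/ha/leader": ["world:anyone:cdrwa"],                         # default for new znodes
    "/ha/config": ["world:anyone:r", "digest:uas:AbCd==:cdrwa"],  # constructed digest hash
    "/ha/locked": ["digest:uas:AbCd==:cdrwa"],                    # authenticated only
}

if __name__ == "__main__":
    for path, finding in audit(SAMPLE).items():
        print(f"{path}: {finding}")
```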
How to mitigate CVE-2017-6711
The vulnerability is addressed in the following versions:
5.0.3, 5.1.