#VU13247 Improper input validation in Cisco Voice Operating System - CVE-2017-6779

Cybersecurity Help s.r.o.

Published: 2018-06-06 | Updated: 2018-06-08

Vulnerability identifier: #VU13247

Vulnerability risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-6779

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cisco Voice Operating System
Operating systems & Components / Operating system

Vendor: Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in local file management for certain system log files due to a certain system log file does not have a maximum size restriction. A remote unauthenticated attacker can send specially crafted remote connection requests, increase the size of a system log file so that it consumes most of the disk space and cause the applications functions could operate abnormally.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Cisco Voice Operating System: All versions

External links
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-diskdos

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Denial of service in Cisco Voice Operating System