#VU7978 Privilege escalation in Policy Suite - CVE-2017-6781
Published: August 17, 2017
Vulnerability identifier: #VU7978
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-6781
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Policy Suite
Software vendor:
Cisco Systems, Inc
Description
The vulnerability allows a local, authenticated attacker to gain elevated privileges on the target system.
The weakness exists in the management of shell user accounts for Cisco Policy Suite (CPS) Software for CPS appliances due to incorrect role-based access control (RBAC) for shell user accounts. A local attacker can authenticate to an affected appliance and provide specially crafted data via the CLI to gain elevated privileges.
Remediation
Install the update from the vendor's website.