#VU7980 OS command injection in Virtual Network Function Element Manager - CVE-2017-6710
Published: August 17, 2017
Vulnerability identifier: #VU7980
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2017-6710
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Virtual Network Function Element Manager
Virtual Network Function Element Manager
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.
The weakness exists in the Cisco Virtual Network Function (VNF) Element Manager due to improper command settings. A remote attacker can use this settings to elevate privileges and run commands in the context of the root user on the server.
Successful exploitation of the vulnerability may result in system compromise.
The weakness exists in the Cisco Virtual Network Function (VNF) Element Manager due to improper command settings. A remote attacker can use this settings to elevate privileges and run commands in the context of the root user on the server.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
The vulnerability is addressed in the following versions: USP_5.5.0.1148, USP_5.5.0.1143, USP_5.5.0.1139, USP_5.5.0.1136, USP_5.5.0.1126, USP_5.5.0.1124, USP_5.5.0.1122, USP_5.5.0.1118, USP_5.5.0.1115, USP_5.5.0.1114, USP_5.5.0.1108, USP_5.5.0.1106, USP_5.5.0.1103, USP_5.5.0.1098, USP_5.5.0.1094, USP_5.5.0.1089.