—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

Cisco Security Advisory: Cisco NX-OS Software CLI Arbitrary Command Execution Vulnerability

Advisory ID: cisco-sa-20180620-nx-os-cli-execution

Revision: 1.0

For Public Release: 2018 June 20 16:00 GMT

Last Updated: 2018 June 20 16:00 GMT

CVE ID(s): CVE-2018-0306

CVSS Score v(3): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

+———————————————————————

Summary

=======

A vulnerability in the CLI parser of Cisco NX-OS Software could allow an authenticated, local attacker to perform a command-injection attack on an affected device.

The vulnerability is due to insufficient input validation of command arguments. An attacker could exploit this vulnerability by injecting malicious command arguments into a vulnerable CLI command. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the affected device.

Note: This vulnerability requires that any feature license is uploaded to the device. The vulnerability does not require that the license be used.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-cli-execution [“https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-cli-execution”]

This advisory is part of the June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection, which includes 24 Cisco Security Advisories that describe 24 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection [“https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-67770”].

—–BEGIN PGP SIGNATURE—–

iQJ5BAEBAgBjBQJbKnqjXBxDaXNjbyBQcm9kdWN0IFNlY3VyaXR5IEluY2lkZW50
IFJlc3BvbnNlIFRlYW0gKENpc2NvIFBTSVJUIGtleSAyMDE4LTIwMTkpIDxwc2ly
dEBjaXNjby5jb20+AAoJEJa12PPJBfcz160QAJdl0BrJ+Tj8QGEyztGlCLpvwmDL
XWKnRedK4ZvALIklDbrAE6vn9hw4yjeTWpsLMWWK/rUAeMGsalSknUCHDOAgQTkD
kcTCN6ET/BViGIp1V2tgMjDH5y872rFqWkCYFW+2AFFaeZG2dNkCiX3iX83ul8bu
EDRPOb68eBesSAk0qsFsGVkIgjLJ61GCoew4tBXE+cWSinSFMA8NZZ5+G3bq+Sbd
wkk3SvnQ/iS1z0e52ju19AahSFzUzMhvcqT/OR2RZ3adgWwcRCVQqJNtseFD6buK
nwx2Krenc4OiezB9JPmfaseZ+fdqCh5P+sdxZk7n3qdTrJZ2Qxhz6rWzk1yG/aW9
EOQuQnTa2jgZc/ujpdlbLLMoJfSDLlptbLAeUgzQfDwrM/MZykp75VDltRzlmyze
0TAe4XBg4teaURrWfr/lDeoGE3RyRTDQxIsuyi32zx9+uer8phi+ZZkGuV4Nvctg
VFoxgW9gTOVbHhZe+07xQbXr5K1CMWWjCdgiqCqan/QAh3KQP7rfxgSApuoxD3dt
JHZjiViw5u6PWrE9KR3LJiWFdlUIfLykyZLK7ahSGvXLE8HeJ40ZcJaiWBJ8hevY
57BovcQOmQykNfv+Cu4yjoQaUmIHb2MExzQHG2g5o7GE8dTOLpAeo3RcmZL2HKnr
OG5K23M4v7Mcruf2
=RdqO
—–END PGP SIGNATURE—–

_______________________________________________
cust-security-announce mailing list
cust-security-announce@cisco.com
To unsubscribe, send the command “unsubscribe” in the subject of your message to cust-security-announce-leave@cisco.com

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

Cisco Security Advisory: Cisco NX-OS Software CLI Arbitrary Command Execution Vulnerability

Advisory ID: cisco-sa-20180620-nx-os-cli-injection

Revision: 1.0

For Public Release: 2018 June 20 16:00 GMT

Last Updated: 2018 June 20 16:00 GMT

CVE ID(s): CVE-2018-0307

CVSS Score v(3): 8.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

+———————————————————————

Summary

=======

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to perform a command-injection attack on an affected device.

The vulnerability is due to insufficient input validation of command arguments. An attacker could exploit this vulnerability by injecting malicious command arguments into a vulnerable CLI command. A successful exploit could allow the attacker, authenticated as a privileged user, to execute arbitrary commands with root privileges.

Note: On products that support multiple virtual device contexts (VDC), this vulnerability could allow an attacker to access files from any VDC.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-cli-injection [“https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-nx-os-cli-injection”]

This advisory is part of the June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection, which includes 24 Cisco Security Advisories that describe 24 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection [“https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-67770”].

—–BEGIN PGP SIGNATURE—–

iQJ5BAEBAgBjBQJbKnqmXBxDaXNjbyBQcm9kdWN0IFNlY3VyaXR5IEluY2lkZW50
IFJlc3BvbnNlIFRlYW0gKENpc2NvIFBTSVJUIGtleSAyMDE4LTIwMTkpIDxwc2ly
dEBjaXNjby5jb20+AAoJEJa12PPJBfczpsYP+gKsOQhHk8KnHlp3UcjQ/SOsDcHH
AG1fz0dodM+2u2TyvpZn2VyAdrnonmk3w4f2CYaj7awB1oCmyYyeMm6rfVjhODpn
ypEN2QsPLnwdzJiCWopsSig7Jkj0CieI0Q/uZ39Nc7nDVxY7axVsqqtfIRfJzkNH
RSZTgTpsT+eENw/1ncJi3A6tWGh/21H9bs2ni3X6l3ZhvlbqfQEnnpZvgiQHQeHS
326wOL6k/KMBxL9pmBMB8Xg0fRUnRhpIA766Gn1kEJTVOrOrGlozevGFN+/tytuP
bK6QHAA1t27GBNucISxvSc8rzBBMyCP9bToI3kUXkbmrGyUwSucHKXnWM/WLpuRr
t90rFjVlRhKj8Jzu6JstCCdl20x4BxIBtUppfJbV1kvGTH1MlwmCulRJQiujKCOd
rE4KSuW+pkXdEJSc8X4i/7STsU4ahuKWHNfs5Xiwgm559SLzeWtrWjtuVRHX/vGO
+b/JXj/bvJGz3bYHyMsjs25pRC8qzvaUIODF3BX/yW3kWMasaNH8mIe2yik8Gybq
pImxjyNUN7CUAIxwWztCaoRASLm6xufSWChdzUUJGVXQd7S1GI+EYtPPkgYUOI4k
IWZed/ulXwq1b6X7Ls3QofCMIoJeXmyI1nnRovGXPpkRB0yaeDLgxEHv43WQ18l3
i+9A7m5kzvLKcfol
=p5fC
—–END PGP SIGNATURE—–

_______________________________________________
cust-security-announce mailing list
cust-security-announce@cisco.com
To unsubscribe, send the command “unsubscribe” in the subject of your message to cust-security-announce-leave@cisco.com