PT-2016-6923 · Cisco · Cisco IOS XE

Published 2016-11-15 · Updated 2017-07-28 · CVE-2016-6450

CVSS v3.1: 2.5 (Low)

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Cisco IOS XE Software versions 3.7(0) through 16.4.1
Cisco IOS XE Software versions Denali-16.1.3 through Denali-16.3.1
Description

A vulnerability in the package unbundle utility of Cisco IOS XE Software could allow an authenticated, local attacker to gain write access to some files in the underlying operating system. The vulnerability is due to insufficient validation of files submitted to the affected installation utility. An attacker could exploit this vulnerability by uploading a crafted file to an affected system and running the installation utility command, potentially allowing them to overwrite write-accessible files and compromise system integrity. The attacker must have sufficient privileges, specifically privilege level 15 in a default configuration, to exploit this vulnerability.
Recommendations

For Cisco IOS XE Software versions 3.7(0) through 16.4.1, update to version 16.5(0.29) or later. For Cisco IOS XE Software versions Denali-16.1.3 through Denali-16.3.1, update to version 16.3(1.22) or later. As a temporary workaround, consider restricting access to the installation utility command to minimize the risk of exploitation.

Fix

RCE

Related Identifiers

CVE-2016-6450

Affected Products

Cisco IOS XE