CVE-2014-7990

Name of the Vulnerable Software and Affected Versions Cisco IOS XE versions 3.5E and earlier

Description A vulnerability exists due to improper parsing of the challenge response in the request system shell command. This allows an authenticated, local attacker with administrative privilege to access the underlying Linux root shell by entering a crafted challenge response. The vulnerability can be exploited if the service internal command is configured, which is not recommended. To exploit this vulnerability, an attacker must authenticate and have local access to the targeted device.

Recommendations For Cisco IOS XE versions 3.5E and earlier, consider disabling the request system shell command until a patch is available, as software updates are not currently available. Additionally, avoid configuring the service internal command to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.