PT-2017-12497 · Cisco · Firepower 4100 Series Next-Generation Firewalls
Published: 2017-11-29 · Updated: 2019-10-09 · CVE-2017-12329
CVSS v3.1: 6.3 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Cisco Firepower Extensible Operating System (FXOS) and NX-OS System Software (affected versions not specified)
Firepower 4100 Series Next-Generation Firewall (affected versions not specified)
Firepower 9300 Security Appliance (affected versions not specified)
Multilayer Director Switches (affected versions not specified)
Nexus 1000V Series Switches (affected versions not specified)
Nexus 2000 Series Fabric Extenders (affected versions not specified)
Nexus 3000 Series Switches (affected versions not specified)
Nexus 3500 Platform Switches (affected versions not specified)
Nexus 5000 Series Switches (affected versions not specified)
Nexus 5500 Platform Switches (affected versions not specified)
Nexus 5600 Platform Switches (affected versions not specified)
Nexus 6000 Series Switches (affected versions not specified)
Nexus 7000 Series Switches (affected versions not specified)
Nexus 7700 Series Switches (affected versions not specified)
Nexus 9000 Series Switches in standalone NX-OS mode (affected versions not specified)
Nexus 9500 R-Series Line Cards and Fabric Modules (affected versions not specified)
Unified Computing System Manager (affected versions not specified)
Description
A vulnerability in the CLI of Cisco Firepower Extensible Operating System (FXOS) and NX-OS System Software could allow an authenticated, local attacker to perform a command injection attack. The vulnerability is due to insufficient input validation of command arguments to the CLI parser. An attacker could exploit this vulnerability by injecting crafted command arguments into a vulnerable CLI command. An exploit could allow the attacker to execute arbitrary commands at the user's privilege level. On products that support multiple virtual device contexts (VDCs), this vulnerability could allow the attacker to execute commands at the user's privilege level outside the user's environment.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Cisco Firepower Extensible Operating System
Cisco Nexus
Firepower 4100 Series Next-Generation Firewalls
Firepower 9300 Security Appliance
Multilayer Director Switches
NX-OS System
Nexus 1000V Series Switches
Nexus 2000 Series Fabric Extenders
Nexus 3000 Series Switches
Nexus 3500 Platform Switches
Nexus 5000 Series Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 7700 Series Switches
Nexus 9000 Series Switches
Nexus 9500 R-Series Line Cards/Fabric Modules
Unified Computing System Manager