CVE-2018-0274

Name of the Vulnerable Software and Affected Versions: Cisco Network Services Orchestrator (NSO) versions 4.1 through 4.1.6.0 Cisco Network Services Orchestrator (NSO) versions 4.2 through 4.2.4.0 Cisco Network Services Orchestrator (NSO) versions 4.3 through 4.3.3.0 Cisco Network Services Orchestrator (NSO) versions 4.4 through 4.4.2.0

Description: A vulnerability in the CLI parser of Cisco Network Services Orchestrator (NSO) could allow an authenticated, remote attacker to execute arbitrary shell commands with the privileges of the root user. The issue is due to insufficient input validation, which could be exploited by injecting malicious arguments into vulnerable commands. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the affected system.

Recommendations: For versions 4.1 through 4.1.6.0, update to a fixed version to prevent exploitation of the vulnerability. For versions 4.2 through 4.2.4.0, update to a fixed version to prevent exploitation of the vulnerability. For versions 4.3 through 4.3.3.0, update to a fixed version to prevent exploitation of the vulnerability. For versions 4.4 through 4.4.2.0, update to a fixed version to prevent exploitation of the vulnerability. As a temporary workaround, consider restricting access to the CLI parser to minimize the risk of exploitation.