Cisco IOS XE prior CSCvb09542 CLI Parser Argument os command injection

Summaryinfo

A vulnerability, which was classified as critical, was found in Cisco IOS XE. Impacted is an unknown function of the component CLI Parser. Executing a manipulation as part of Argument can lead to os command injection. This vulnerability is handled as CVE-2018-0194. It is possible to launch the attack on the local host. There is not any exploit available. You should upgrade the affected component.

Detailsinfo

A vulnerability classified as critical was found in Cisco IOS XE (Router Operating System). This vulnerability affects some unknown functionality of the component CLI Parser. The manipulation as part of a Argument leads to a os command injection vulnerability. The CWE definition for the vulnerability is CWE-78. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software could allow an authenticated, local attacker to inject arbitrary commands into the CLI of the affected software, which could allow the attacker to gain access to the underlying Linux shell of an affected device and execute commands with root privileges on the device. The vulnerabilities exist because the affected software does not sufficiently sanitize command arguments before passing commands to the Linux shell for execution. An attacker could exploit these vulnerabilities by submitting a malicious CLI command to the affected software. A successful exploit could allow the attacker to break from the CLI of the affected software, which could allow the attacker to gain access to the underlying Linux shell on an affected device and execute arbitrary commands with root privileges on the device. Cisco Bug IDs: CSCuz03145, CSCuz56419, CSCva31971, CSCvb09542.

The bug was discovered 03/28/2018. The weakness was released 04/02/2018 with Cisco as cisco-sa-20180328-cmdinj as confirmed advisory (Website). The advisory is shared for download at tools.cisco.com. This vulnerability was named CVE-2018-0194. The attack needs to be approached locally. A single authentication is required for exploitation. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1202.

The vulnerability was handled as a non-public zero-day exploit for at least 5 days. During that time the estimated underground price was around $25k-$100k. The commercial vulnerability scanner Qualys is able to test this issue with plugin 316231 (Cisco IOS XE Software CLI Command Injection Vulnerabilities(cisco-sa-20180328-cmdinj)).

Upgrading to version CSCvb09542 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 103547†). Entries connected to this vulnerability are available at VDB-115182, VDB-115185 and VDB-115190. Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Router Operating System

Vendor

• Cisco

Name

• IOS XE

License

• commercial

Website

• Vendor: https://www.cisco.com/

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion