Detections
Analytics
Cisco ASR StarOS Multiple CLI Command Injection Vulnerabilities (cisco-sa-20180117-staros / cisco-sa-20180307-staros / cisco-sa-20180307-staros1)
medium Nessus Plugin ID 107095
Language:
Synopsis
The remote device is affected by multiple command injection vulnerabilities.Description
According to its self-reported version and model number, the remote Cisco ASR device is affected by multiple command injection vulnerabilities due to improper validation of user input. An authenticated local attacker, using command arguments, could potentially execute arbitrary commands with root privileges.Solution
Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvf93332, CSCvg29441, or CSCvg38807.See Also
http://www.nessus.org/u?5aae5b06
http://www.nessus.org/u?a2d6f9a1
http://www.nessus.org/u?0c6ab9fa
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf93332
Plugin Details
Severity: Medium
ID: 107095
File Name: cisco-sa-20180117-staros.nasl
Version: 1.6
Type: local
Family: CISCO
Published: 3/2/2018
Updated: 7/6/2018
Configuration: Enable paranoid mode
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: High
Base Score: 7.2
Temporal Score: 5.3
Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS v3
Risk Factor: Medium
Base Score: 6.7
Temporal Score: 5.8
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/h:cisco:asr_5000, cpe:/a:cisco:asr_5000_series_software, cpe:/o:cisco:staros
Required KB Items: Settings/ParanoidReport, Host/Cisco/ASR/Model, Host/Cisco/StarOS
Exploit Ease: No known exploits are available
Patch Publication Date: 1/17/2018
Vulnerability Publication Date: 1/17/2018
Reference Information
CVE: CVE-2018-0115, CVE-2018-0217, CVE-2018-0224
CISCO-SA: cisco-sa-20180117-staros, cisco-sa-20180307-staros, cisco-sa-20180307-staros1
CISCO-BUG-ID: CSCvf93332, CSCvg29441, CSCvg38807