Vulnerability title
N/A
Vulnerability description
Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software could allow an authenticated, local attacker to inject arbitrary commands into the CLI of the affected software, which could allow the attacker to gain access to the underlying Linux shell of the affected device and execute commands with root privileges on the device. These vulnerabilities exist because the affected software does not sufficiently sanitize command arguments before passing commands to the Linux shell for execution. An attacker could exploit these vulnerabilities by submitting a malicious CLI command to the affected software. A successful exploit could allow the attacker to break out of the CLI of the affected software, gaining access to the underlying Linux shell of the affected device and executing arbitrary commands with root privileges on the device. Cisco bug IDs: CSCuz03145, CSCuz56419, CSCva31971, CSCvb09542.
CVSS information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability category
N/A
Vulnerability title
N/A
Vulnerability description
Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software could allow an authenticated, local attacker to inject arbitrary commands into the CLI of the affected software, which could allow the attacker to gain access to the underlying Linux shell of an affected device and execute commands with root privileges on the device. The vulnerabilities exist because the affected software does not sufficiently sanitize command arguments before passing commands to the Linux shell for execution. An attacker could exploit these vulnerabilities by submitting a malicious CLI command to the affected software. A successful exploit could allow the attacker to break from the CLI of the affected software, which could allow the attacker to gain access to the underlying Linux shell on an affected device and execute arbitrary commands with root privileges on the device. Cisco Bug IDs: CSCuz03145, CSCuz56419, CSCva31971, CSCvb09542.
CVSS information
N/A
Vulnerability category
Improper neutralization of special elements used in an OS command (OS command injection)
Vulnerability title
Cisco IOS XE Software CLI parser command injection vulnerability
Vulnerability description
Cisco IOS XE Software is an operating system developed by Cisco, a US company, for its network devices. The CLI parser is the command-line command parser within it. A command injection vulnerability exists in the CLI parser of Cisco IOS XE Software; it stems from the program not sufficiently filtering command arguments before the commands are passed to the Linux shell. A local attacker could exploit this vulnerability by submitting a malicious CLI command to the affected software, gaining access to the underlying Linux shell and executing commands with root privileges.
CVSS information
N/A
Vulnerability category
Authorization issues