Arbitrary commands execution in Cisco Prime Infrastructure
| Risk | Critical |
| Patch available | NO |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2016-1442 |
| CWE-ID | CWE-78 CWE-426 CWE-942 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Cisco Prime Infrastructure Server applications / Remote management servers, RDP, SSH |
| Vendor | Cisco Systems, Inc |
Security Bulletin
This security bulletin contains one critical risk vulnerability.
1) Arbitrary commands execution
EUVDB-ID: #VU106
Risk: Critical
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red]
CVE-ID: CVE-2016-1442
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists due to improper user input validation. A remote unauthenticated attacker can cause arbitrary commands execution by inserting crafting input into the affected fields of the web interface.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Patch for this vulnerability is avaliable through the Cisco Bug Search Tool.
Cisco plans to release a software update in the third quarter of 2016. The expected fixed software version will be 3.1.1.
Cisco Prime Infrastructure: 3.1.0
CPE2.3 External linkshttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160706-pi
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
