#VU7341 OS command injection in Cisco Ultra Services Framework
Vulnerability identifier: #VU7341
Vulnerability risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-78
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Cisco Ultra Services Framework
Server applications /
Frameworks for developing and running applications
Vendor: Cisco Systems, Inc
Description
The vulnerability allows a remote unauthenticated attacker to execute arbitrary shell commands.
The vulnerability exists in the AutoIT service of Cisco Ultra Services Framework Staging Server due to improper shell invocations. A remote attacker can use specially crafted CLI commands to execute Linux shell commands with root privileges.
Successful exploitation of the vulnerability may result in system compromise.
Mitigation
The vulnerability is addressed in the following versions:
5.0.3, 5.1.
Vulnerable software versions
Cisco Ultra Services Framework: All versions
External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-usf3
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
