CVE-2017-6707

Severity: Unknown
EPSS: 0.79%


CVE-2017-6707 is a vulnerability of currently unknown severity. A vulnerability in the CLI command-parsing code of the Cisco StarOS operating system for Cisco ASR 5000 Series 11.0 through 21.0, 5500 Series, and 5700 Series devices and Cisco Virtualized Packet Core (VPC) Software could allow an authenticated, local attacker to break from the StarOS CLI of an affected system and execute arbitrary shell commands as a Linux root user on the system, aka Command Injection. The vulnerability exists because the affected operating system does not sufficiently sanitize commands before inserting them into Linux shell commands. EPSS estimates a 0.79% chance of exploitation in the next 30 days.

Description

A vulnerability in the CLI command-parsing code of the Cisco StarOS operating system for Cisco ASR 5000 Series 11.0 through 21.0, 5500 Series, and 5700 Series devices and Cisco Virtualized Packet Core (VPC) Software could allow an authenticated, local attacker to break from the StarOS CLI of an affected system and execute arbitrary shell commands as a Linux root user on the system, aka Command Injection. The vulnerability exists because the affected operating system does not sufficiently sanitize commands before inserting them into Linux shell commands. An attacker could exploit this vulnerability by submitting a crafted CLI command for execution in a Linux shell command as a root user. Cisco Bug IDs: CSCvc69329, CSCvc72930.

Metrics

EPSS Probability: 0.79% (51.4th percentile)

Probability of exploitation in the next 30 days.

Affected Software

Vendor: Cisco
Product: StarOS
Versions: 11.0_base, 12.0.0, 12.1_base, 12.2(300), 12.2_base, 14.0(600), 14.0.0, 15.0(912), 15.0(935), 15.0(938), 15.0_base, 16.0(900), 16.0.0, 16.1.0, 16.1.1, 16.1.2, 16.5.0, 16.5.2, 17.2.0, 17.2.0.59184, 17.3.0, 17.3.1, 17.3_base, 17.7.0, 18.0.0, 18.0.0.57828, 18.0.0.59167, 18.0.0.59211, 18.0.l0.59219, 18.1.0, 18.1.0.59776, 18.1.0.59780, 18.1_base, 18.3.0, 18.3_base, 18.4.0, 19.0.1, 19.0.m0.60737, 19.0.m0.60828, 19.0.m0.61045, 19.1.0, 19.1.0.61559, 19.2.0, 19.3.0, 20.0.0, 20.0.1.0, 20.0.1.a0, 20.0.1.v0, 20.0.2.3, 20.0.2.3.65026

Showing 50 of 58 affected configurations. See NVD for the full list.

Timeline

Status: Modified

Frequently Asked Questions

What is CVE-2017-6707?
A vulnerability in the CLI command-parsing code of the Cisco StarOS operating system for Cisco ASR 5000 Series 11.0 through 21.0, 5500 Series, and 5700 Series devices and Cisco Virtualized Packet Core (VPC) Software could allow an authenticated, local attacker to break from the StarOS CLI of an affected system and execute arbitrary shell commands as a Linux root user on the system, aka Command Injection. The vulnerability exists because the affected operating system does not sufficiently sanitize commands before inserting them into Linux shell commands. An attacker could exploit this vulnerability by submitting a crafted CLI command for execution in a Linux shell command as a root user. Cisco Bug IDs: CSCvc69329, CSCvc72930.
How severe is CVE-2017-6707?
Severity scoring for CVE-2017-6707 is pending analysis. The EPSS model estimates a 0.79% probability of exploitation in the next 30 days.
How do I fix CVE-2017-6707?
Check the Cisco advisory for the referenced bug IDs (CSCvc69329, CSCvc72930) and the NVD entry for patched versions and mitigation guidance.


Source: NVD / NIST