CVE-2018-0221
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0 Exploited in Wild
- Decision
Descriptions
A vulnerability in specific CLI commands for the Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to perform command injection to the underlying operating system or cause a hang or disconnect of the user session. The attacker needs valid administrator credentials for the device. The vulnerability is due to incomplete input validation of user input for certain CLI ISE configuration commands. An attacker could exploit this vulnerability by authenticating as an administrative user, issuing a specific CLI command, and entering crafted, malicious user input for the command parameters. An exploit could allow the attacker to perform command injection to the lower-level Linux operating system. It is also possible the attacker could cause the ISE user interface for this management session to hang or disconnect. Cisco Bug IDs: CSCvg95479.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2017-11-27 CVE Reserved
- 2018-03-08 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/103347 | Third Party Advisory | |
http://www.securitytracker.com/id/1040471 | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-ise6 | 2019-10-09 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Cisco | Identity Services Engine | 2.0(0.249) | - | Affected |
Cisco | Identity Services Engine | 2.1(0.474) | - | Affected |
Cisco | Identity Services Engine | 2.2(0.470) | - | Affected |
Cisco | Identity Services Engine | 2.2(0.903) | - | Affected |
Cisco | Identity Services Engine | 2.3(0.298) | - | Affected |
Cisco | Identity Services Engine | 2.4(0.192) | - | Affected |