CVE-2018-0194— Cisco IOS XE Software CLI解析器操作系统命令注入漏洞

N/A

Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software could allow an authenticated, local attacker to inject arbitrary commands into the CLI of the affected software, which could allow the attacker to gain access to the underlying Linux shell of an affected device and execute commands with root privileges on the device. The vulnerabilities exist because the affected software does not sufficiently sanitize command arguments before passing commands to the Linux shell for execution. An attacker could exploit these vulnerabilities by submitting a malicious CLI command to the affected software. A successful exploit could allow the attacker to break from the CLI of the affected software, which could allow the attacker to gain access to the underlying Linux shell on an affected device and execute arbitrary commands with root privileges on the device. Cisco Bug IDs: CSCuz03145, CSCuz56419, CSCva31971, CSCvb09542.

N/A

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

Cisco IOS XE Software CLI解析器操作系统命令注入漏洞

Cisco IOS XE Software是美国思科（Cisco）公司的一套为其网络设备开发的操作系统。CLI parser是其中的一个命令行命令解析器。 Cisco IOS XE Software中的CLI解析器存在操作系统命令注入漏洞，该漏洞源于程序在将命令传递到Linux shell之前，没有充分的过滤命令参数。本地攻击者可通过向受影响的软件提交恶意的CLI命令利用该漏洞访问底层Linux shell并以root权限执行命令。

N/A

N/A