製品・ソフトウェアに関する情報

JVN脆弱性詳細

Cisco Enterprise NFV Infrastructure ソフトウェアにおける入力確認に関する脆弱性

Title	Cisco Enterprise NFV Infrastructure ソフトウェアにおける入力確認に関する脆弱性
Summary	Cisco Enterprise NFV Infrastructure ソフトウェア (NFVIS) には、入力確認に関する脆弱性が存在します。ベンダは、本脆弱性を Bug ID CSCvh25026 として公開しています。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	May 16, 2018, midnight
Registration Date	July 6, 2018, 5:54 p.m.
Last Update	July 6, 2018, 5:54 p.m.

Affected System

シスコシステムズ

Cisco Enterprise NFV Infrastructure ソフトウェア 3.6.3 およびそれ以前

Cisco Enterprise NFV Infrastructure ソフトウェア 3.7.1

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-0279	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0279
National Vulnerability Database (NVD)
2	CVE-2018-0279	https://nvd.nist.gov/vuln/detail/CVE-2018-0279

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Cisco Security Advisory
1	cisco-sa-20180516-nfvis	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-nfvis

Change Log

No	Changed Details	Date of change
1	[2018年07月06日] 掲載	July 6, 2018, 5:54 p.m.

NVD Vulnerability Information

CVE-2018-0279

Summary	A vulnerability in the Secure Copy Protocol (SCP) server of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to access the shell of the underlying Linux operating system on the affected device. The vulnerability is due to improper input validation of command arguments. An attacker could exploit this vulnerability by using crafted arguments when opening a connection to the affected device. An exploit could allow the attacker to gain shell access with a non-root user account to the underlying Linux operating system on the affected device. Due to the system design, access to the Linux shell could allow execution of additional attacks that may have a significant impact on the affected system. This vulnerability affects Cisco devices that are running release 3.7.1, 3.6.3, or earlier releases of Cisco Enterprise NFV Infrastructure Software (NFVIS) when access to the SCP server is allowed on the affected device. Cisco NFVIS Releases 3.5.x and 3.6.x do allow access to the SCP server by default, while Cisco NFVIS Release 3.7.1 does not. Cisco Bug IDs: CSCvh25026.
Publication Date	May 17, 2018, 12:29 p.m.
Registration Date	March 1, 2021, 6:36 p.m.
Last Update	Nov. 21, 2024, 12:37 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:cisco:enterprise_nfv_infrastructure_software::::::::				3.6.3
cpe:2.3:a:cisco:enterprise_nfv_infrastructure_software:3.7.1:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.securityfocus.com/bid/104243	Third Party Advisory VDB Entry
2	http://www.securityfocus.com/bid/104243	Third Party Advisory VDB Entry
3	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-nfvis	Vendor Advisory
4	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-nfvis	Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-78	OSコマンド・インジェクション	https://cwe.mitre.org/data/definitions/78.html