CVE-2017-12243
published 2017-11-02
Priority P268 · high · 7.8 · CVSS 3.0
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 77.07% (99.5th percentile)
A vulnerability in the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to obtain root shell privileges on the device, aka Command Injection. The vulnerability is due to improper validation of string input in the shell application. An attacker could exploit this vulnerability through the use of malicious commands. A successful exploit could allow the attacker to obtain root shell privileges on the device. Cisco Bug IDs: CSCvf20741, CSCvf60078.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | ucs_manager_cisco_firepower_4100_series_ngfw_and_cisco_firepower_9300_security_a | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP/HTTPS GET requests to the /settings/ping endpoint containing URL-encoded shell metacharacters (e.g., %3b or %3B, the encoded semicolon) in the ping_ip_addr or ping_num parameters, indicating command injection attempts.
- Detect SSH sessions to Cisco UCS Platform Emulator (default credentials ucspe/ucspe) issuing 'show sel %x' or format-string payloads (e.g., 'show sel %62c%28$n'), which indicate exploitation of the format string vulnerability.
- Alert on SSH login attempts using the default credentials ucspe/ucspe to Cisco UCS Platform Emulator devices, as these are the default credentials leveraged in the authenticated RCE exploit chain.
- Look for processes spawned as uid=0(root) from the UCS Manager shell application or SSH session, particularly following 'show sel' commands, as successful exploitation results in root shell access.
- Note: the unauthenticated HTTP command injection vector targets Cisco UCS Platform Emulator 3.1(2ePE1) specifically; the CVE as filed by Cisco covers authenticated local command injection on UCS Manager, Firepower 4100, and Firepower 9300, so the exploit-db PoC may represent a broader or emulator-specific attack surface.
- Note: the Cisco advisory describes the vulnerability as requiring an authenticated, local attacker; however, the exploit-db PoC demonstrates unauthenticated remote exploitation via the /settings/ping HTTP endpoint on the emulator, suggesting the emulator exposes a wider attack surface than production hardware.
- Note: Cisco Bug IDs CSCvf20741 and CSCvf60078 track this vulnerability; patch status should be verified against both IDs for UCS Manager and Firepower platforms respectively.
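The first detection item above, written as a log check. This is an added example, not a rule from any of the indexed sources: it assumes a web access log in combined log format, the function names are hypothetical, and it goes beyond the semicolon named above by also flagging other shell metacharacters and double-encoded values.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameters named in the detection note above.
WATCHED_PARAMS = {"ping_ip_addr", "ping_num"}
# Characters a shell treats specially; the page names only the semicolon,
# the rest are an added generalization.
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r]")
# Request field of a combined-log-format line (assumed log format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double encoding (%253b) is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(param, decoded_value)] for watched params holding shell metacharacters."""
    m = REQUEST.search(log_line)
    if not m or m.group("method") != "GET":
        return []
    url = urlsplit(m.group("target"))
    if url.path.rstrip("/") != "/settings/ping":
        return []
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = fully_decode(value)  # parse_qsl has already decoded once
        if name in WATCHED_PARAMS and SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits

# Constructed sample lines (not captured traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Nov/2017:10:00:01 +0000] "GET /settings/ping?ping_num=1&ping_ip_addr=192.0.2.10 HTTP/1.1" 200 512',
    '10.0.0.9 - - [02/Nov/2017:10:00:07 +0000] "GET /settings/ping?ping_num=1&ping_ip_addr=192.0.2.10%3Bid HTTP/1.1" 200 640',
    '10.0.0.9 - - [02/Nov/2017:10:00:09 +0000] "GET /settings/ping?ping_num=1%253buname&ping_ip_addr=192.0.2.10 HTTP/1.1" 200 640',
    '10.0.0.7 - - [02/Nov/2017:10:00:12 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200 100',
]

def scan(lines):
    """Return {line_index: hits} for every line that triggers the check."""
    return {i: h for i, line in enumerate(lines) if (h := suspicious_params(line))}
```

Matching on the decoded value rather than on the literal `%3b` keeps the check from being bypassed by case changes or a second layer of encoding.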
CVSS provenance
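| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vendor_cisco | | 6.7 | MEDIUM | |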
Cisco
Cisco UCS Manager, Cisco Firepower 4100 Series NGFW, and Cisco Firepower 9300 Security Appliance Command Injection Vulnerability
vendor_cisco·2017-11-01·CVSS 6.7
CVE-2017-12243 [MEDIUM] CWE-78 Cisco UCS Manager, Cisco Firepower 4100 Series NGFW, and Cisco Firepower 9300 Security Appliance Command Injection Vulnerability
A vulnerability in the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to obtain root shell privileges on the device.
The vulnerability is due to improper validation of string input in the shell application. An attacker could exploit this vulnerability through the use of malicious commands. A successful exploit could allow the attacker to obtain root shell privileges on the device.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisc
Cisco
Cisco UCS Manager, Cisco Firepower 4100 Series NGFW, and Cisco Firepower 9300 Security Appliance Command Injection Vulnerability
vendor_cisco·CVSS 3.0
A vulnerability in the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to obtain root shell privileges on the device. The vulnerability is due to improper validation of string input in the shell application. An attacker could exploit this vulnerability through the use of malicious commands. A successful exploit could allow the attacker to obtain root shell privileges on the device. There are no
CVSS: 3.0
CWE: CWE-78
Bug IDs: CSCvf20741, CSCvf60078
GHSA
GHSA-742f-jwrq-hgqc: A vulnerability in the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower
ghsa_unreviewed·2022-05-13
CVE-2017-12243 [HIGH] CWE-78 GHSA-742f-jwrq-hgqc: A vulnerability in the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower
- http://www.securityfocus.com/bid/101652
- http://www.securitytracker.com/id/1039719
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171101-arce