CVE-2017-3858
published 2017-03-22

Priority: P2, 60, high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 3.13% (86.2nd percentile)
A vulnerability in the web framework of Cisco IOS XE Software could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation of HTTP parameters supplied by the user. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the affected web page parameter. The user must be authenticated to access the affected parameter. A successful exploit could allow the attacker to execute commands with root privileges. This vulnerability affects Cisco devices running Cisco IOS XE Software Release 16.2.1, if the HTTP Server feature is enabled for the device. The newly redesigned, web-based administration interface was introduced in the Denali 16.2 Release of Cisco IOS XE Software. The web-based administration interface in earlier releases of Cisco IOS XE Software is not affected by this vulnerability. Cisco Bug IDs: CSCuy83069.

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
cisco  | ios_xe  |               |
cisco  | ios_xe  |               |
cisco  | ios_xe  |               |

Detection & IOCs (extracted from sources)

  • The vulnerability is exploitable only when the HTTP Server feature is enabled on Cisco IOS XE devices running Release 16.2.1; detection should focus on HTTP requests with crafted/injected parameters to the web administration interface.
  • The attack vector is authenticated HTTP parameter injection targeting the redesigned web-based administration interface introduced in Denali 16.2; earlier IOS XE web interfaces are not affected and can be used to scope detection.
  • Monitor for authenticated HTTP requests containing shell metacharacters or command-injection payloads in HTTP parameters submitted to the IOS XE web management interface, as exploitation requires crafted input to a specific web page parameter.
  • Exploitation requires the attacker to be authenticated; unauthenticated access to the affected parameter is not possible, so detection should correlate successful authentication events with subsequent suspicious HTTP parameter activity.
  • There are no workarounds available; the only mitigation is applying Cisco's software update, or disabling the HTTP Server feature on affected IOS XE 16.2.1 devices.
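As an added illustration of the correlation the notes above recommend (not code from this page's sources or from Cisco), the Python below scans constructed, simplified auth and web-UI request logs, flags parameters whose decoded value contains shell metacharacters, and records whether the requesting IP/user had a successful login shortly before. The `/webui/ping` path, the `host` parameter and the log layouts are placeholders; the advisory does not name the affected parameter.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Shell metacharacters worth flagging inside a *decoded* parameter value.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed sample logs in a simplified layout (not Cisco's own formats).
# Auth: "<ts> <src_ip> <user> LOGIN_OK"; web UI: "<ts> <src_ip> <user> <method> <url>".
AUTH_LOG = """\
2017-03-22T10:00:01Z 203.0.113.5 admin LOGIN_OK
"""
ACCESS_LOG = """\
2017-03-22T10:00:05Z 203.0.113.5 admin GET /webui/ping?host=10.0.0.1
2017-03-22T10:00:09Z 203.0.113.5 admin GET /webui/ping?host=10.0.0.1%3Bid
2017-03-22T11:00:00Z 198.51.100.7 - GET /webui/ping?host=1|ls
"""

def parse_auth(text):
    logins = {}  # (src_ip, user) -> list of successful login times
    for line in text.splitlines():
        ts, ip, user, event = line.split()
        if event == "LOGIN_OK":
            logins.setdefault((ip, user), []).append(datetime.strptime(ts, TS_FMT))
    return logins

def suspicious_params(url):
    hits = []  # (name, raw_value) for parameters whose decoded value has a metachar
    for pair in urlsplit(url).query.split("&"):  # split on '&' only, never on ';'
        name, _, value = pair.partition("=")
        if SHELL_META.search(unquote(value)):    # catches %3B-style encoding too
            hits.append((name, value))
    return hits

def correlate(auth_text, access_text, window=timedelta(minutes=30)):
    """Flag metachar requests; note a prior login by the same src_ip/user."""
    logins = parse_auth(auth_text)
    alerts = []
    for line in access_text.splitlines():
        ts, ip, user, _method, url = line.split()
        hits = suspicious_params(url)
        if not hits:
            continue
        t = datetime.strptime(ts, TS_FMT)
        authed = any(timedelta(0) <= t - lt <= window
                     for lt in logins.get((ip, user), []))
        alerts.append({"time": ts, "src": ip, "user": user, "url": url,
                       "params": hits, "authenticated": authed})
    return alerts
```

An alert with `authenticated` set is the pattern the advisory describes; one without it is still worth a look but cannot be this CVE, since the affected parameter needs a valid session.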

CVSS provenance

nvd v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
vendor_cisco: 8.8 HIGH