Vulnerability-Lookup

CNVD-2016-08201

Vulnerability from cnvd - Published: 2016-09-27

Title

Cisco IOS和IOS XE Software iox命令注入漏洞

Description

Cisco IOS和IOS XE都是美国思科（Cisco）公司为其网络设备开发的操作系统。iox是其中的一个端到端的提供应用程序托管功能的应用支持系统组件。 Cisco IOS和IOS XE Software中的iox命令存在命令注入漏洞。攻击者可借助特制的iox命令行选项利用该漏洞在用户操作系统上执行任意IOx Linux命令。

Severity

中

Formal description

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法： http://www.cisco.com/

Reference

http://www.securityfocus.com/bid/93091 http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160921-iox

Impacted products

Name
['Cisco IOS <=15.6', 'Cisco IOS XE <=3.18']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "93091"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-6414"
    }
  },
  "description": "Cisco IOS\u548cIOS XE\u90fd\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u4e3a\u5176\u7f51\u7edc\u8bbe\u5907\u5f00\u53d1\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002iox\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u7aef\u5230\u7aef\u7684\u63d0\u4f9b\u5e94\u7528\u7a0b\u5e8f\u6258\u7ba1\u529f\u80fd\u7684\u5e94\u7528\u652f\u6301\u7cfb\u7edf\u7ec4\u4ef6\u3002\r\n\r\nCisco IOS\u548cIOS XE Software\u4e2d\u7684iox\u547d\u4ee4\u5b58\u5728\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684iox\u547d\u4ee4\u884c\u9009\u9879\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7528\u6237\u64cd\u4f5c\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610fIOx Linux\u547d\u4ee4\u3002",
  "discovererName": "Cisco",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\nhttp://www.cisco.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-08201",
  "openTime": "2016-09-27",
  "products": {
    "product": [
      "Cisco IOS \u003c=15.6",
      "Cisco IOS XE \u003c=3.18"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/93091\r\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160921-iox",
  "serverity": "\u4e2d",
  "submitTime": "2016-09-26",
  "title": "Cisco IOS\u548cIOS XE Software iox\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2016-6414 (GCVE-0-2016-6414)

Vulnerability from cvelistv5 – Published: 2016-09-22 22:00 – Updated: 2024-08-06 01:29

Summary

iox in Cisco IOS, possibly 15.6 and earlier, and IOS XE, possibly 3.18 and earlier, allows local users to execute arbitrary IOx Linux commands on the guest OS via crafted iox command-line options, aka Bug ID CSCuz59223.

Severity ?

No CVSS data available.

CWE

Assigner

cisco

References

URL

Tags

	http://www.securitytracker.com/id/1036876	vdb-entryx_refsource_SECTRACK
	http://www.securityfocus.com/bid/93091	vdb-entryx_refsource_BID
	http://tools.cisco.com/security/center/content/Ci…	vendor-advisoryx_refsource_CISCO

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T01:29:20.073Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1036876",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1036876"
          },
          {
            "name": "93091",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/93091"
          },
          {
            "name": "20160921 Cisco IOS and IOS XE iox Command Injection Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160921-iox"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-09-21T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "iox in Cisco IOS, possibly 15.6 and earlier, and IOS XE, possibly 3.18 and earlier, allows local users to execute arbitrary IOx Linux commands on the guest OS via crafted iox command-line options, aka Bug ID CSCuz59223."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-29T09:57:01.000Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "1036876",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1036876"
        },
        {
          "name": "93091",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/93091"
        },
        {
          "name": "20160921 Cisco IOS and IOS XE iox Command Injection Vulnerability",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160921-iox"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "ID": "CVE-2016-6414",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "iox in Cisco IOS, possibly 15.6 and earlier, and IOS XE, possibly 3.18 and earlier, allows local users to execute arbitrary IOx Linux commands on the guest OS via crafted iox command-line options, aka Bug ID CSCuz59223."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1036876",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1036876"
            },
            {
              "name": "93091",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/93091"
            },
            {
              "name": "20160921 Cisco IOS and IOS XE iox Command Injection Vulnerability",
              "refsource": "CISCO",
              "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160921-iox"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2016-6414",
    "datePublished": "2016-09-22T22:00:00.000Z",
    "dateReserved": "2016-07-26T00:00:00.000Z",
    "dateUpdated": "2024-08-06T01:29:20.073Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2016-08201

CVE-2016-6414 (GCVE-0-2016-6414)

Tags

Sightings

Nomenclature