[c-nsp] Cisco Security Advisory: Cisco Application-Hosting Framework Arbitrary File Creation Vulnerability

psirt at cisco.com psirt at cisco.com
Wed Mar 22 12:15:34 EDT 2017


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Application-Hosting Framework Arbitrary File Creation Vulnerability

Advisory ID: cisco-sa-20170322-caf2

Revision: 1.0

For Public Release: 2017 March 22 16:00 GMT

Last Updated: 2017 March 22 16:00 GMT

CVE ID(s): CVE-2017-3852

CVSS Score v(3): 8.1 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

+---------------------------------------------------------------------

Summary
=======
A vulnerability in the Cisco application-hosting framework (CAF) component of the Cisco IOx application environment could allow an authenticated, remote attacker to write or modify arbitrary files in the virtual instance running on the affected device.

The vulnerability is due to insufficient input validation of user-supplied application packages. An attacker who can upload a malicious package within Cisco IOx could exploit the vulnerability to modify arbitrary files. The impacts of a successful exploit are limited to the scope of the virtual instance and do not impact the router that is hosting Cisco IOx.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-caf2




