—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Cisco Security Advisory: Cisco Policy Suite Privilege Escalation Vulnerability
Advisory ID: cisco-sa-20170517-cps
Revision: 1.0
For Public Release: 2017 May 17 16:00 GMT
Last Updated: 2017 May 17 16:00 GMT
CVE ID(s): CVE-2017-6623
CVSS Score v(3): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+———————————————————————
Summary
=======
A vulnerability in a script file that is installed as part of the Cisco Policy Suite (CPS) Software distribution for the CPS appliance could allow an authenticated, local attacker to escalate their privilege level to root.
The vulnerability is due to incorrect sudoers permissions on the script file. An attacker could exploit this vulnerability by authenticating to the device and providing crafted user input at the CLI, using this script file to escalate their privilege level and execute commands as root. A successful exploit could allow the attacker to acquire root-level privileges and take full control of the appliance. The user has to be logged-in to the device with valid credentials for a specific set of users.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-cps [“https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170517-cps”]
—–BEGIN PGP SIGNATURE—–
iQKBBAEBAgBrBQJZHHQiZBxDaXNjbyBTeXN0ZW1zIFByb2R1Y3QgU2VjdXJpdHkg
SW5jaWRlbnQgUmVzcG9uc2UgVGVhbSAoQ2lzY28gUFNJUlQga2V5IDIwMTYtMjAx
NykgPHBzaXJ0QGNpc2NvLmNvbT4ACgkQrz2APcQAkHm5gBAA4054vwpO4jMJelTk
2TNNUyrw8GnvdjJDipscxwO7L0Cjb4CuRbJZNpqy2vbeOsfPur8NokQ8DyLPFcC4
IGn+HMpufETAVT3gmHAp1asw4qhoDnXx9kpPrgKZ4KTw0TrmSSL4GtIf+BwyR3Bw
bNeE/gux8dVVNUhT+HDQ5IXeneeK0gLxChPYI3snX8eZ6JCu7VHMIqygvnLey9uS
0G451oaKZinUZbeXDfMx9OxE58Umm1J7skN43ig6dG9bZbGCbfcINKJZbbLO7Zhz
YjqvAOIWdUtvezo3S7xC9p8ylEb02zrjnQiVgaOrTb/+OLwUv33z7WXj9f94nsDE
3JVexH5+GDqHrG9mR5o3sK3RFhXJALsP8HGntA4b5BIcj1uCGAEGz+F4YnvXTNLR
0P6E+qRJW236DxIpRWhCVW29qeBt8aJ8qBwn7QeSGQp8Toi8+yH5MPfLrPvrwn0w
FAMka7EQ3KlfGmz+sTbhpegI2H6c6o0pJp1G+rCJAmE8+A2XUJB/sBXhn6mVl8Xh
nK9h63KHdCvIVpnU3TW8Jn59mXopyNbsxXMqoetBzFax/xuk1F7w8RGu8ANWTOgL
yr2GSUDDT12D8e4cqEkl8djeN+v6j/SFwgY02s3XNGHgOUu9vlhvk/dAqI2S9sf1
ucV6raBuPS5kcsUHTQ4BoMIIdvs=
=+o8F
—–END PGP SIGNATURE—–
_______________________________________________
cust-security-announce mailing list
cust-security-announce@cisco.com
To unsubscribe, send the command “unsubscribe” in the subject of your message to cust-security-announce-leave@cisco.com