
====================================================================

                             CERT-Renater

                  Information Note No. 2018/VULN188
_____________________________________________________________________

DATE                : 17/05/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Cisco Enterprise NFV Infrastructure
                        Software versions prior to 3.7.1.

=====================================================================
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-nfvis
_____________________________________________________________________

Cisco Security Advisory: Cisco Enterprise NFV Infrastructure Software
Linux Shell Access Vulnerability

Advisory ID: cisco-sa-20180516-nfvis

Revision: 1.0

For Public Release: 2018 May 16 16:00 GMT

Last Updated: 2018 May 16 16:00 GMT

CVE ID(s): CVE-2018-0279

CVSS Score v(3): 6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

+---------------------------------------------------------------------

Summary
=======

A vulnerability in the Secure Copy Protocol (SCP) server of Cisco
Enterprise NFV Infrastructure Software (NFVIS) could allow an
authenticated, remote attacker to access the shell of the underlying
Linux operating system on the affected device.

The vulnerability is due to improper input validation of command
arguments. An attacker could exploit this vulnerability by using crafted
arguments when opening a connection to the affected device. An exploit
could allow the attacker to gain shell access with a non-root user
account to the underlying Linux operating system on the affected device.

Due to the system design, access to the Linux shell could allow
execution of additional attacks that may have a significant impact on
the affected system.

Cisco has released software updates that address this vulnerability.
There are no workarounds that address this vulnerability.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-nfvis


==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================


