====================================================================


                             CERT-Renater

                 Note d'Information No. 2018/VULN270
_____________________________________________________________________

DATE                : 06/09/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Cisco Integrated Management
                            Controller (IMC) Software.

=====================================================================
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-cimc-injection
_____________________________________________________________________

Cisco Security Advisory: Cisco Integrated Management Controller Command
Injection Vulnerability

Advisory ID: cisco-sa-20180905-cimc-injection

Revision: 1.0

For Public Release: 2018 September 5 16:00 GMT

Last Updated: 2018 September 5 16:00 GMT

CVE ID(s): CVE-2018-0430, CVE-2018-0431

CVSS Score v(3): 8.8 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

+---------------------------------------------------------------------

Summary

=======

A vulnerability in the web-based management interface of Cisco
Integrated Management Controller (IMC) Software could allow an
authenticated, remote attacker to inject and execute arbitrary commands
with root privileges on an affected device.

The vulnerability is due to insufficient validation of command input by
the affected software. An attacker could exploit this vulnerability by
sending crafted commands to the web-based management interface of the
affected software. A successful exploit could allow the attacker to
inject and execute arbitrary, system-level commands with root privileges
on an affected device.

Cisco has released software updates that address this vulnerability.
There are no workarounds that address this vulnerability.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-cimc-injection
["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-cimc-injection"]

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================