NSFOCUS绿盟科技

首页 -> 安全研究

安全研究

安全漏洞

Cisco FXOS和NX-OS Software本地命令注入漏洞（CVE-2019-1728）

发布日期：2019-05-15
更新日期：2019-05-21

受影响系统：

Cisco NX-OS Software for UCS 6300 Series Fabric Int
Cisco NX-OS Software for UCS 6200 Series Fabric Int
Cisco NX-OS Software for Nexus 9500 R-Series Switch
Cisco NX-OS Software for Nexus 9000 Series Switches
Cisco NX-OS Software for Nexus 9000 Series Switches
Cisco NX-OS Software for Nexus 7700 Series Switches
Cisco NX-OS Software for Nexus 7700 Series Switches
Cisco NX-OS Software for Nexus 7700 Series Switches
Cisco NX-OS Software for Nexus 7700 Series Switches
Cisco NX-OS Software for Nexus 7700 Series Switches
Cisco NX-OS Software for Nexus 7700 Series Switches
Cisco NX-OS Software for Nexus 7000 Series Switches
Cisco NX-OS Software for Nexus 7000 Series Switches
Cisco NX-OS Software for Nexus 7000 Series Switches
Cisco NX-OS Software for Nexus 7000 Series Switches
Cisco NX-OS Software for Nexus 7000 Series Switches
Cisco NX-OS Software for Nexus 7000 Series Switches
Cisco NX-OS Software for Nexus 7000 Series Switches
Cisco NX-OS Software for Nexus 6000 Series Switches
Cisco NX-OS Software for Nexus 5600 Series Switches
Cisco NX-OS Software for Nexus 5500 Series Switches
Cisco NX-OS Software for Nexus 3500 Platform Switch
Cisco NX-OS Software for Nexus 3500 Platform Switch
Cisco NX-OS Software for Nexus 3000 Series Switches
Cisco NX-OS Software for Nexus 3000 Series Switches
Cisco NX-OS Software for MDS 9000 Series Multilayer
Cisco NX-OS Software for MDS 9000 Series Multilayer
Cisco NX-OS Software for MDS 9000 Series Multilayer

不受影响系统：

Cisco NX-OS Software for UCS 6300 Series Fabric Int
Cisco NX-OS Software for UCS 6200 Series Fabric Int
Cisco NX-OS Software for Nexus 9500 R-Series Switch
Cisco NX-OS Software for Nexus 9000 Series Switches
Cisco NX-OS Software for Nexus 7700 Series Switches
Cisco NX-OS Software for Nexus 7700 Series Switches
Cisco NX-OS Software for Nexus 7700 Series Switches
Cisco NX-OS Software for Nexus 7000 Series Switches
Cisco NX-OS Software for Nexus 7000 Series Switches
Cisco NX-OS Software for Nexus 7000 Series Switches
Cisco NX-OS Software for Nexus 6000 Series Switches
Cisco NX-OS Software for Nexus 5600 Series Switches
Cisco NX-OS Software for Nexus 5500 Series Switches
Cisco NX-OS Software for Nexus 3600 Platform Switch
Cisco NX-OS Software for Nexus 3500 Platform Switch
Cisco NX-OS Software for Nexus 3500 Platform Switch
Cisco NX-OS Software for Nexus 3000 Series Switches
Cisco NX-OS Software for MDS 9000 Series Multilayer
Cisco NX-OS Software for MDS 9000 Series Multilayer

描述：

BUGTRAQ  ID: 108391
CVE(CAN) ID: CVE-2019-1728

Cisco NX-OS Software和Cisco FXOS Software都是美国思科（Cisco）公司的产品。Cisco NX-OS Software是一套交换机使用的数据中心级操作系统软件。Cisco FXOS Software是一套运行在思科安全设备中的防火墙软件。
在Cisco FXOS Software和NX-OS Software中，实施CLI诊断命令时存在一个漏洞，允许经过身份验证的本地攻击者在系统启动时使用root权限运行任意命令。
该漏洞产生原因是从文件系统读取持久性配置信息时缺乏对系统文件的正确验证。通过向设备进行身份验证并使用恶意可执行文件覆盖持久性配置存储，攻击者可利用此漏洞，在系统启动时运行任意命令。这些命令将以root用户身份运行。攻击者必须拥有该设备的有效管理凭据。

<*来源：Cisco

  链接：https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-conf-by
*>

建议：

厂商补丁：

Cisco
-----
Cisco已经为此发布了一个安全公告（cisco-sa-20190515-nxos-conf-bypass）以及相应补丁:
cisco-sa-20190515-nxos-conf-bypass：Cisco FXOS and NX-OS Software Secure Configuration Bypass Vulnerability
链接：https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-conf-by

补丁下载：

浏览次数：1949
严重程度：0（网友投票）

关于我们: 公司介绍; 公司荣誉; 公司新闻

联系我们: 公司总部; 分支机构; 海外机构

快速链接: 绿盟云; 绿盟威胁情报中心NTI; 技术博客