Guest

Preview Tool

Cisco Bug: CSCvs10005 - Cisco Remote PHY Device Software Command Injection Vulnerability

Last Modified

Mar 04, 2020

Products (1)

  • Cisco Remote PHY Shelves

Known Affected Releases

7.3

Description (partial)

Symptom:
A vulnerability in Cisco Remote PHY Device Software could allow an authenticated, local attacker to execute commands on the underlying Linux shell of an affected device with root privileges.

The vulnerability exists because the affected software does not properly sanitize user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying certain CLI commands with crafted arguments. A successful exploit could allow the attacker to run arbitrary commands as the root user, which could result in a complete system compromise.

Cisco has released software updates that address the vulnerability described in this advisory. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rphy-cmdinject-DpEjeTgF

Conditions:
At the time of publication, this vulnerability affected the following Cisco software releases with default configuration:

* Remote PHY 120: earlier than Release 7.7
* Remote PHY 220: all releases
* Remote PHY Shelf 7200: all releases

At the time of publication, Cisco Remote PHY 120 Software releases 7.7 and later contained the fix for this vulnerability.

At the time of publication, Cisco had not released updates that address this vulnerability for Cisco Remote PHY 220 Software or Cisco Remote PHY Shelf 7200 Software.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.