ID

VAR-201607-0451


CVE

CVE-2016-1408


TITLE

Cisco Prime Infrastructure and Evolved Programmable Network Manager vulnerable to arbitrary command execution

Trust: 0.8

sources: JVNDB: JVNDB-2016-003418

DESCRIPTION

Cisco Prime Infrastructure 1.2 through 3.1 and Evolved Programmable Network Manager (EPNM) 1.2 and 2.0 allow remote authenticated users to execute arbitrary commands or upload files via a crafted HTTP request, aka Bug ID CSCuz01488. Cisco Prime Infrastructure software is prone to a remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code on the affected system. This may aid in further attacks. This issue is being tracked by Cisco Bug IDs CSCuz01488 and CSCuz01495. Cisco Prime Infrastructure software versions 1.2 through 3.1 are vulnerable. PI is a set of wireless management solutions built on Cisco Prime LAN Management Solution (LMS) and Cisco Prime Network Control System (NCS) technologies; EPNM is a set of network management solutions. A security vulnerability exists in the web interface of Cisco PI and EPNM

Trust: 1.98

sources: NVD: CVE-2016-1408 // JVNDB: JVNDB-2016-003418 // BID: 91506 // VULHUB: VHN-90227

AFFECTED PRODUCTS

vendor: cisco // model: prime infrastructure // scope: eq // version: 1.2.1

Trust: 1.6

vendor: cisco // model: evolved programmable network manager // scope: eq // version: 1.2.1.3

Trust: 1.6

vendor: cisco // model: evolved programmable network manager // scope: eq // version: 1.2.300

Trust: 1.6

vendor: cisco // model: evolved programmable network manager // scope: eq // version: 1.2.500

Trust: 1.6

vendor: cisco // model: evolved programmable network manager // scope: eq // version: 1.2.0

Trust: 1.6

vendor: cisco // model: evolved programmable network manager // scope: eq // version: 1.2.400

Trust: 1.6

vendor: cisco // model: evolved programmable network manager // scope: eq // version: 1.2.200

Trust: 1.0

vendor: cisco // model: prime infrastructure // scope: eq // version: 1.4.2

Trust: 1.0

vendor: cisco // model: prime infrastructure // scope: eq // version: 1.2

Trust: 1.0

vendor: cisco // model: prime infrastructure // scope: eq // version: 2.2

Trust: 1.0

vendor: cisco // model: prime infrastructure // scope: eq // version: 1.3.0.20

Trust: 1.0

vendor: cisco // model: prime infrastructure // scope: eq // version: 3.0

Trust: 1.0

vendor: cisco // model: prime infrastructure // scope: eq // version: 1.4

Trust: 1.0

vendor: cisco // model: prime infrastructure // scope: eq // version: 1.4.0.45

Trust: 1.0

vendor: cisco // model: prime infrastructure // scope: eq // version: 2.0

Trust: 1.0

vendor: cisco // model: prime infrastructure // scope: eq // version: 1.3

Trust: 1.0

vendor: cisco // model: prime infrastructure // scope: eq // version: 2.1.0

Trust: 1.0

vendor: cisco // model: prime infrastructure // scope: eq // version: 2.2(2)

Trust: 1.0

vendor: cisco // model: prime infrastructure // scope: eq // version: 3.1

Trust: 1.0

vendor: cisco // model: prime infrastructure // scope: eq // version: 1.2.0.103

Trust: 1.0

vendor: cisco // model: prime infrastructure // scope: eq // version: 1.4.1

Trust: 1.0

vendor: cisco // model: evolved programmable network manager // scope: eq // version: 1.2

Trust: 0.8

vendor: cisco // model: evolved programmable network manager // scope: eq // version: 2.0

Trust: 0.8

vendor: cisco // model: prime infrastructure // scope: eq // version: 1.2 to 3.1

Trust: 0.8

vendor: cisco // model: prime infrastructure // scope: eq // version: 1.4.0

Trust: 0.6

vendor: cisco // model: prime infrastructure // scope: eq // version: 1.3.0

Trust: 0.6

vendor: cisco // model: prime infrastructure // scope: eq // version: 1.2.0

Trust: 0.6

vendor: cisco // model: prime infrastructure // scope: eq // version: 2.0.0

Trust: 0.6

sources: JVNDB: JVNDB-2016-003418 // NVD: CVE-2016-1408 // CNNVD: CNNVD-201606-653

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2016-1408
value: HIGH

Trust: 1.8

CNNVD: CNNVD-201606-653
value: HIGH

Trust: 0.6

VULHUB: VHN-90227
value: MEDIUM

Trust: 0.1

NVD:
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2016-1408
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-90227
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

NVD:
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: CVE-2016-1408
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-90227 // JVNDB: JVNDB-2016-003418 // NVD: CVE-2016-1408 // CNNVD: CNNVD-201606-653

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-90227 // JVNDB: JVNDB-2016-003418 // NVD: CVE-2016-1408

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201606-653

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201606-653

CONFIGURATIONS

sources: NVD: CVE-2016-1408

PATCH

title: cisco-sa-20160629-pi-epnm // url: http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160629-pi-epnm

Trust: 0.8

title: Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=62562

Trust: 0.6

sources: JVNDB: JVNDB-2016-003418 // CNNVD: CNNVD-201606-653

EXTERNAL IDS

db: NVD // id: CVE-2016-1408

Trust: 2.8

db: BID // id: 91506

Trust: 2.0

db: SECTRACK // id: 1036197

Trust: 1.7

db: JVNDB // id: JVNDB-2016-003418

Trust: 0.8

db: CNNVD // id: CNNVD-201606-653

Trust: 0.7

db: VULHUB // id: VHN-90227

Trust: 0.1

sources: VULHUB: VHN-90227 // BID: 91506 // JVNDB: JVNDB-2016-003418 // NVD: CVE-2016-1408 // CNNVD: CNNVD-201606-653

REFERENCES

url:http://www.securityfocus.com/bid/91506

Trust: 1.7

url:http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160629-pi-epnm

Trust: 1.7

url:http://www.securitytracker.com/id/1036197

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1408

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1408

Trust: 0.8

sources: VULHUB: VHN-90227 // JVNDB: JVNDB-2016-003418 // NVD: CVE-2016-1408 // CNNVD: CNNVD-201606-653

CREDITS

This vulnerability was found and reported to Cisco by Daniel Jensen from Security-Assessment.com.

Trust: 0.6

sources: CNNVD: CNNVD-201606-653

SOURCES

db: VULHUB // id: VHN-90227
db: BID // id: 91506
db: JVNDB // id: JVNDB-2016-003418
db: NVD // id: CVE-2016-1408
db: CNNVD // id: CNNVD-201606-653

LAST UPDATE DATE

2023-12-18T12:37:46.812000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-90227 // date: 2019-07-29T00:00:00
db: BID // id: 91506 // date: 2016-06-29T00:00:00
db: JVNDB // id: JVNDB-2016-003418 // date: 2016-07-06T00:00:00
db: NVD // id: CVE-2016-1408 // date: 2019-07-29T17:47:15.557
db: CNNVD // id: CNNVD-201606-653 // date: 2019-07-30T00:00:00

SOURCES RELEASE DATE

db: VULHUB // id: VHN-90227 // date: 2016-07-02T00:00:00
db: BID // id: 91506 // date: 2016-06-29T00:00:00
db: JVNDB // id: JVNDB-2016-003418 // date: 2016-07-06T00:00:00
db: NVD // id: CVE-2016-1408 // date: 2016-07-02T14:59:07.430
db: CNNVD // id: CNNVD-201606-653 // date: 2016-06-30T00:00:00