Vigil@nce - Cisco IOS, IOS XE: code execution via iox
November 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can inject shell commands via the iox command of Cisco
IOS and IOS XE, in order to run code.
Impacted products: Cisco Catalyst, IOS by Cisco, IOS XE Cisco,
Cisco Router.
Severity: 2/4.
Creation date: 22/09/2016.
DESCRIPTION OF THE VULNERABILITY
The products Cisco IOS and IOS XE include a command line interface.
One of the available commands is "iox", which can start shell
command on the underlying Linux system. However, it does not
rightly check its arguments.
An attacker can therefore inject shell commands via the iox
command of Cisco IOS and IOS XE, in order to run code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Cisco-IOS-IOS-XE-code-execution-via-iox-20669