Vigil@nce - Cisco Nexus 7000: context escape via a Python script
September 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can run a Python script on a Cisco Nexus 7000 device,
in order to delete files.
– Impacted products: Cisco Nexus, NX-OS.
– Severity: 2/4.
– Creation date: 01/07/2015.
DESCRIPTION OF THE VULNERABILITY
The Cisco Nexus 7000 product offers a shell interface.
One can run Python scripts via this interface. However, when some
"virtual device contexts" are configured, the separation of
contexts is incomplete as far as the Python interpreter is
concerned, and a script can remove files in another context than
the script’s one.
An attacker can therefore run a Python script on a Cisco Nexus
7000 device, in order to delete files.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Cisco-Nexus-7000-context-escape-via-a-Python-script-17280