Vulnerability CVE-2017-3752


Published: 2017-08-09

Description:
An industry-wide vulnerability has been identified in the implementation of the Open Shortest Path First (OSPF) routing protocol used on some Lenovo switches. Exploitation of these implementation flaws may result in attackers being able to erase or alter the routing tables of one or many routers, switches, or other devices that support OSPF within a routing domain.

Vendor: Lenovo
Product: G8272 firmware 
Version: 8.4.3.0;
Product: G8332 firmware 
Version: 8.4.3.0;
Product: Fabric en4093r 10gb firmware 
Version: 8.4.3.0;
Product: G8296 firmware 
Version: 8.4.3.0;
Product: G8052 firmware 
Version: 8.4.3.0;
Product: G8264cs firmware 
Version: 8.4.3.0;
Product: Fabric cn4093 10gb firmware 
Version: 8.4.3.0;
Product: G8124e firmware 
Version: 8.4.3.0;
Product: G8264 firmware 
Version: 8.4.3.0;
Product: Si4091 firmware 
Version: 8.4.3.0;
Vendor: IBM
Product: G8264t firmware 
Version: 7.9.19.0;
Product: G8264 firmware 
Version: 7.9.19.0;
Product: G8052 firmware 
Version: 7.9.19.0;
Product: G8316 firmware 
Version: 7.9.19.0;
Product: Fabric cn4093 10gb firmware 
Version: 7.8.16.0;
Product: En2092 1gb firmware 
Version: 7.8.16.0;
Product: Fabric en4093/en4093r 10gb firmware 
Version: 7.8.16.0;
Product: G8264cs firmware 
Version: 7.8.16.0;
Product: Virtual fabric 10gb 
Version: 7.8.12.0;
Product: G8332 firmware 
Version: 7.7.25.0;
Product: G8124 firmware 
Version: 7.11.9.0;
Product: G8124e firmware 
Version: 7.11.9.0;
Product: Layer 2/3 copper firmware 
Version: 5.3.10.0;
Product: 1g l2-7 slb 
Version: 21.0.24.0;
Product: 1 
Version: 10g_firmware;

CVSS2 => (AV:A/AC:M/Au:N/C:N/I:P/A:P)

CVSS Base Score: 4.3/10
Impact Subscore: 4.9/10
Exploitability Subscore: 5.5/10
Exploit range: Adjacent network
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: Partial

References:
http://www.securityfocus.com/bid/99995
https://support.lenovo.com/us/en/product_security/LEN-14078

Related CVE
CVE-2018-1547
IBM Robotic Process Automation with Automation Anywhere 10.0 could allow a remote attacker to execute arbitrary code on the system, caused by improper output encoding in a CSV export. By persuading a victim to download the CSV export, to open it in ...
CVE-2018-1514
IBM Robotic Process Automation with Automation Anywhere 10.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 1416...
CVE-2017-1476
IBM Security Access Manager Appliance 7.0.0, 8.0.0 through 8.0.1.6, and 9.0.0 through 9.0.3.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could ex...
CVE-2017-1474
IBM Security Access Manager Appliance 7.0.0, 8.0.0 through 8.0.1.6, and 9.0.0 through 9.0.3.1 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 128606.
CVE-2018-1496
IBM Content Navigator 2.0.3, 3.0.0, 3.0.1, 3.0.2, and 3.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to creden...
CVE-2018-1495
IBM FlashSystem V840 and V900 products could allow an authenticated attacker with specialized access to overwrite arbitrary files which could cause a denial of service. IBM X-Force ID: 141148.
CVE-2018-1376
IBM Security Guardium Big Data Intelligence (SonarG) 3.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentia...
CVE-2018-1375
IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. This could force a user to utilize a cookie that may be known t...

Copyright 2018, cxsecurity.com

 
