Vulnerability CVE-2017-3752


Published: 2017-08-09

Description:
An industry-wide vulnerability has been identified in the implementation of the Open Shortest Path First (OSPF) routing protocol used on some Lenovo switches. Exploitation of these implementation flaws may result in attackers being able to erase or alter the routing tables of one or many routers, switches, or other devices that support OSPF within a routing domain.

Vendor: Lenovo
Product: G8272 firmware 
Version: 8.4.3.0;
Product: G8332 firmware 
Version: 8.4.3.0;
Product: Fabric en4093r 10gb firmware 
Version: 8.4.3.0;
Product: G8296 firmware 
Version: 8.4.3.0;
Product: G8052 firmware 
Version: 8.4.3.0;
Product: G8264cs firmware 
Version: 8.4.3.0;
Product: Fabric cn4093 10gb firmware 
Version: 8.4.3.0;
Product: G8124e firmware 
Version: 8.4.3.0;
Product: G8264 firmware 
Version: 8.4.3.0;
Product: Si4091 firmware 
Version: 8.4.3.0;
Vendor: IBM
Product: G8264t firmware 
Version: 7.9.19.0;
Product: G8264 firmware 
Version: 7.9.19.0;
Product: G8052 firmware 
Version: 7.9.19.0;
Product: G8316 firmware 
Version: 7.9.19.0;
Product: Fabric cn4093 10gb firmware 
Version: 7.8.16.0;
Product: En2092 1gb firmware 
Version: 7.8.16.0;
Product: Fabric en4093/en4093r 10gb firmware 
Version: 7.8.16.0;
Product: G8264cs firmware 
Version: 7.8.16.0;
Product: Virtual fabric 10gb 
Version: 7.8.12.0;
Product: G8332 firmware 
Version: 7.7.25.0;
Product: G8124 firmware 
Version: 7.11.9.0;
Product: G8124e firmware 
Version: 7.11.9.0;
Product: Layer 2/3 copper firmware 
Version: 5.3.10.0;
Product: 1g l2-7 slb 
Version: 21.0.24.0;
Product: 1 
Version: 10g_firmware;

CVSS2 => (AV:A/AC:M/Au:N/C:N/I:P/A:P)

CVSS Base Score: 4.3/10
Impact Subscore: 4.9/10
Exploitability Subscore: 5.5/10
Exploit range: Adjacent network
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: Partial

 References:
http://www.securityfocus.com/bid/99995
https://support.lenovo.com/us/en/product_security/LEN-14078


Copyright 2018, cxsecurity.com

 
