Vulnerability CVE-2017-3752


Published: 2017-08-09

Description:
An industry-wide vulnerability has been identified in the implementation of the Open Shortest Path First (OSPF) routing protocol used on some Lenovo switches. Exploitation of these implementation flaws may result in attackers being able to erase or alter the routing tables of one or many routers, switches, or other devices that support OSPF within a routing domain.

Vendor: Lenovo
Product: G8272 firmware 
Version: 8.4.3.0;
Product: G8332 firmware 
Version: 8.4.3.0;
Product: Fabric en4093r 10gb firmware 
Version: 8.4.3.0;
Product: G8296 firmware 
Version: 8.4.3.0;
Product: G8052 firmware 
Version: 8.4.3.0;
Product: G8264cs firmware 
Version: 8.4.3.0;
Product: Fabric cn4093 10gb firmware 
Version: 8.4.3.0;
Product: G8124e firmware 
Version: 8.4.3.0;
Product: G8264 firmware 
Version: 8.4.3.0;
Product: Si4091 firmware 
Version: 8.4.3.0;
Vendor: IBM
Product: G8264t firmware 
Version: 7.9.19.0;
Product: G8264 firmware 
Version: 7.9.19.0;
Product: G8052 firmware 
Version: 7.9.19.0;
Product: G8316 firmware 
Version: 7.9.19.0;
Product: Fabric cn4093 10gb firmware 
Version: 7.8.16.0;
Product: En2092 1gb firmware 
Version: 7.8.16.0;
Product: Fabric en4093/en4093r 10gb firmware 
Version: 7.8.16.0;
Product: G8264cs firmware 
Version: 7.8.16.0;
Product: Virtual fabric 10gb 
Version: 7.8.12.0;
Product: G8332 firmware 
Version: 7.7.25.0;
Product: G8124 firmware 
Version: 7.11.9.0;
Product: G8124e firmware 
Version: 7.11.9.0;
Product: Layer 2/3 copper firmware 
Version: 5.3.10.0;
Product: 1g l2-7 slb 
Version: 21.0.24.0;
Product: 1 
Version: 10g_firmware;

CVSS2 => (AV:A/AC:M/Au:N/C:N/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
4.9/10
5.5/10
Exploit range
Attack complexity
Authentication
Adjacent network
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
Partial

 References:
http://www.securityfocus.com/bid/99995
https://support.lenovo.com/us/en/product_security/LEN-14078

Related CVE
CVE-2018-1757
IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 could allow an attacker to obtain sensitive information due to missing authentication in IGI for the survey application. IBM X-Force ID: 148601.
CVE-2018-1756
IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, information in the back-end database. IBM X-For...
CVE-2018-1567
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through the SOAP connector with a serialized object from untrusted sources. IBM X-Force ID: 143024.
CVE-2017-1115
IBM Campaign 9.1, 9.1.2, and 10 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 121...
CVE-2017-1114
IBM Campaign 9.1, 9.1.2, and 10 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a tr...
CVE-2016-0373
IBM UrbanCode Deploy 6.0 through 6.2.2.1 could allow an authenticated user to read sensitive information due to UCD REST endpoints not properly authorizing users when determining who can read data. IBM X-Force ID: 112119.
CVE-2016-0234
IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 could allow a local user to obtain sensitive information when a previous user has logged out of the system but neglected to close their browser. IBM X-Force ID: 110303.
CVE-2016-0205
A vulnerability has been identified in IBM Cloud Orchestrator 2.3, 2.3.0.1, 2.4, and 2.4.0.1 that could allow an attacker after authentication to enumerate valid users of the system. IBM X-Force ID: 109394.

Copyright 2018, cxsecurity.com

 

Back to Top