CVE-2017-12312

An untrusted search path (aka DLL Preloading) vulnerability in the Cisco Immunet antimalware installer could allow an authenticated, local attacker to execute arbitrary code via DLL hijacking if a local user with administrative privileges executes the installer in the current working directory where a crafted DLL has been placed by an attacker. The vulnerability is due to incomplete input validation of path and file names of a DLL file before it is loaded. An attacker could exploit this vulnerability by creating a malicious DLL file and installing it in a specific system directory. A successful exploit could allow the attacker to execute commands on the underlying Microsoft Windows host with privileges equivalent to the SYSTEM account. An attacker would need valid user credentials to exploit this vulnerability. Cisco Bug IDs: CSCvf23928.

CVSS v3 6.7 MEDIUM
CVSS v2.0 7.2 HIGH

6.7^/10

CVSS v3 : MEDIUM

Vector : AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability : 0.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.2^/10

CVSS v2.0 : HIGH

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.securityfocus.com/bid/101930	Third Party Advisory VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-iami	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cisco:advanced_malware_protection_for_endpoints:3.1.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-11-16 07:29

Updated : 2024-02-28 16:04

NVD link : CVE-2017-12312

Mitre link : CVE-2017-12312

CVE.ORG link : CVE-2017-12312

JSON object : View

Products Affected

cisco

advanced_malware_protection_for_endpoints

CWE

CWE-20

Improper Input Validation

CWE-426

Untrusted Search Path

{"id": "CVE-2017-12312", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.8}]}, "published": "2017-11-16T07:29:00.633", "references": [{"url": "http://www.securityfocus.com/bid/101930", "tags": ["Third Party Advisory", "VDB Entry"], "source": "ykramarz@cisco.com"}, {"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-iami", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-426"}]}, {"type": "Secondary", "source": "ykramarz@cisco.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "An untrusted search path (aka DLL Preloading) vulnerability in the Cisco Immunet antimalware installer could allow an authenticated, local attacker to execute arbitrary code via DLL hijacking if a local user with administrative privileges executes the installer in the current working directory where a crafted DLL has been placed by an attacker. The vulnerability is due to incomplete input validation of path and file names of a DLL file before it is loaded. An attacker could exploit this vulnerability by creating a malicious DLL file and installing it in a specific system directory. A successful exploit could allow the attacker to execute commands on the underlying Microsoft Windows host with privileges equivalent to the SYSTEM account. An attacker would need valid user credentials to exploit this vulnerability. Cisco Bug IDs: CSCvf23928."}, {"lang": "es", "value": "Una vulnerabilidad de ruta de b\u00fasqueda no fiable (tambi\u00e9n conocida como precarga de DLL) en el instalador antimalware Cisco Immunet podr\u00eda permitir que un atacante local autenticado ejecute c\u00f3digo arbitrario mediante el secuestro de DLL si un usuario local con privilegios administrativos ejecuta el instalador en el directorio de trabajo actual en donde un atacante ha situado un DLL manipulado. La vulnerabilidad se debe a una validaci\u00f3n incompleta de los nombres de ruta y archivo de un archivo DLL antes de que se carguen. Un atacante podr\u00eda explotar esta vulnerabilidad creando un archivo DLL malicioso e instal\u00e1ndolo en un directorio del sistema espec\u00edfico. Un exploit con \u00e9xito podr\u00eda permitir que el atacante ejecute comandos en el host subyacente de Microsoft Windows con privilegios equivalentes a los de una cuenta SYSTEM. Un atacante necesitar\u00eda credenciales de usuario v\u00e1lidas para explotar esta vulnerabilidad. Cisco Bug IDs: CSCvf23928."}], "lastModified": "2019-10-09T23:22:55.777", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:advanced_malware_protection_for_endpoints:3.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8DEF67CE-61F8-4C09-AF2B-E51C78108C59"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}