VN 2017-004 (CVE-2017-14328, CVE-2017-14332)


Vulnerability Notice

 
Vulnerability Summary
Two specific vulnerabilities have been identified in EXOS which can lead to undesired product behavior and/or unauthorized access to switch configuration.
Thanks to the research team at IDW Security for identifying and reporting these issues to Extreme Networks.
 
Impact

CVE #          | Vulnerability Type | Attack Type | Information Disclosure | Denial of Service | Code Execution | Escalation of Privileges | Session Hijacking
CVE-2017-14328 | Buffer Overflow    | Remote      |                        | X                 |                |                          |
CVE-2017-14332 | Session Hijacking  | Remote      |                        |                   |                |                          | X
Products Potentially Affected
  • EXOS versions 15.7.x, 16.x, 21.x, 22.x
Impact Details
CVE-2017-14328
Impact: Denial-of-Service, system reboot
Attack Vector: remote
Affected Platforms: EXOS 15.7.x, 16.x, 21.x, 22.x
CVSS base score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Description: A remote user can force the switch to reboot by sending a single, specially crafted packet to the web server.
 
CVE-2017-14332
Impact: Session hijacking
Attack Vector: remote
Affected Platforms: EXOS 15.7, 16.x, 21.x, 22.x
CVSS base score: 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Description: A remote user can hijack a session on the switch web server.
Detail: A remote user can hijack a session on the switch web server by using non-trivial methods to determine the SessionIDs used in authentication.
Repair Recommendations
To mitigate the impact of both issues until an upgrade is possible, disable Chalet (the EXOS web management interface) with the following CLI commands, which stop the switch web server on both ports:
  disable web http
  disable web https

EXOS v16.2.3.5-patch1-14 resolves CVE-2017-14332 (but not CVE-2017-14328).

Both CVEs are fixed in the following releases:
  • EXOS 16.2.4.5 (Available now)
  • EXOS 21.1.4.4-patch1-3 (Available now)
  • EXOS 22.3.1.4-patch1-4 (Available now)
  • EXOS 22.4.1 (Available now)
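As an added example (not Extreme Networks tooling and not part of the advisory), a Python triage helper that maps an EXOS version string from an inventory onto the affected and fixed releases listed in this notice; it assumes that a release later than a listed fix on the same major.minor branch is also fixed, and that affected branches with no listed fix (such as 15.7.x) remain vulnerable, neither of which the advisory states.

```python
"""Triage EXOS version strings against the fix information in VN 2017-004.
Assumption (not stated by the advisory): a release later than a listed fix on the same
major.minor branch is fixed; affected branches without a listed fix stay vulnerable."""
import re

CVE_DOS = "CVE-2017-14328"      # buffer overflow, remote reboot (DoS)
CVE_HIJACK = "CVE-2017-14332"   # web session hijacking

# Releases the advisory says fix both CVEs, keyed by (major, minor) branch.
FIXED_BOTH = {
    (16, 2): "16.2.4.5",
    (21, 1): "21.1.4.4-patch1-3",
    (22, 3): "22.3.1.4-patch1-4",
    (22, 4): "22.4.1",
}
# Release the advisory says fixes CVE-2017-14332 only.
FIXED_HIJACK_ONLY = {(16, 2): "16.2.3.5-patch1-14"}

_VER_RE = re.compile(r"^(\d+(?:\.\d+){1,3})(?:-patch(\d+)-(\d+))?$")

def parse_version(text):
    """'22.3.1.4-patch1-4' -> (22, 3, 1, 4, 1, 4); missing parts pad with 0."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised EXOS version string: {text!r}")
    nums = [int(n) for n in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))                    # 22.4.1 -> 22.4.1.0
    patch = (int(m.group(2)), int(m.group(3))) if m.group(2) else (0, 0)
    return tuple(nums) + patch

def is_affected_branch(ver):
    """Advisory lists EXOS 15.7.x, 16.x, 21.x and 22.x as potentially affected."""
    return (ver[0] == 15 and ver[1] == 7) or ver[0] in (16, 21, 22)

def triage(text):
    """Return {CVE: 'fixed' | 'vulnerable' | 'not assessed'} for one version string."""
    ver = parse_version(text)
    if not is_affected_branch(ver):
        return {CVE_DOS: "not assessed", CVE_HIJACK: "not assessed"}
    branch = (ver[0], ver[1])
    if branch in FIXED_BOTH and ver >= parse_version(FIXED_BOTH[branch]):
        return {CVE_DOS: "fixed", CVE_HIJACK: "fixed"}
    if branch in FIXED_HIJACK_ONLY and ver >= parse_version(FIXED_HIJACK_ONLY[branch]):
        return {CVE_DOS: "vulnerable", CVE_HIJACK: "fixed"}
    return {CVE_DOS: "vulnerable", CVE_HIJACK: "vulnerable"}
```

Calling `triage("16.2.3.5-patch1-14")` reports CVE-2017-14332 fixed but CVE-2017-14328 still vulnerable, matching the advisory's note on that patch; a version string outside the listed branches is reported as not assessed rather than safe.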
Legal Notice
This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks.