VN 2017-004 (CVE-2017-14328, CVE-2017-14332)
Vulnerability Notice

Vulnerability Summary
Two specific vulnerabilities have been identified in EXOS which can lead to undesired product behavior and/or unauthorized access to switch configuration.
Thanks to the research team at IDW Security for identifying and reporting these issues to Extreme Networks.
CVE #            Vulnerability Type   Attack Vector   Denial of Service   Escalation of Privileges
CVE-2017-14328   Buffer Overflow      Remote          X
CVE-2017-14332   Session Hijacking    Remote                              X
Products Potentially Affected
  • EXOS versions 15.7.x, 16.x, 21.x, 22.x
Impact Details
CVE-2017-14328 (Buffer Overflow)
Impact: Denial-of-Service, system reboot
Attack Vector: remote
Affected Platforms: EXOS 15.7.x, 16.x, 21.x, 22.x
CVSS base score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Description: A remote user can force the switch to reboot by sending a single, specially crafted packet to the web server.
CVE-2017-14332 (Session Hijacking)
Impact: Session hijacking
Attack Vector: remote
Affected Platforms: EXOS 15.7, 16.x, 21.x, 22.x
CVSS base score: 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Description: A remote user can hijack a session on the switch web server.
Detail: A remote user can hijack a session on the switch web server by using non-trivial methods to determine the SessionIDs used in authentication.
Repair Recommendations
To mitigate both issues until an upgrade is possible, disable Chalet (the switch web server) by running:
  • disable web http
  • disable web https

EXOS v16.2.3.5-patch1-14 resolves CVE-2017-14332 (but not CVE-2017-14328).

Both CVEs are fixed in the following releases:
  • EXOS (Available now)
  • EXOS (Available now)
  • EXOS (Available now)
  • EXOS 22.4.1 (Available now)
Legal Notice
This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks.