VN 2017-004 (CVE-2017-14328, CVE-2017-14332)
- Article Type: Security Advisory
- Article Number: 000060024
- Last Modified: 2/12/2018
Summary
Two specific vulnerabilities have been identified in EXOS which can lead to undesired product behavior and/or unauthorized access to switch configuration. Thanks to the research team at IDW Security for identifying and reporting these issues to Extreme Networks.
Products Potentially Affected
Impact Details
CVE-2017-14328
Impact: Denial-of-Service, system reboot
Attack Vector: remote
Affected Platforms: EXOS 15.7.x, 16.x, 21.x, 22.x
CVSS base score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Description: A remote user can force the switch to reboot by sending a single, specially crafted packet to the web server.
CVE-2017-14332
Impact: Session hijacking
Attack Vector: remote
Affected Platforms: EXOS 15.7, 16.x, 21.x, 22.x
CVSS base score: 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Description: A remote user can hijack a session on the switch web server.
Detail: A remote user can hijack a session on the switch web server by using non-trivial methods to determine the SessionIDs used in authentication.
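The second issue is a session-identifier predictability weakness: if the web server's session IDs can be determined with enough effort, an unauthenticated user can take over an authenticated session. The following is an added example, not part of the advisory and not Extreme Networks' code, showing the kind of check a defender can run over a sample of session IDs issued by any web server to see whether they look guessable: a sequential-counter test and a per-position entropy estimate. The sample IDs (`WEAK_IDS`, `STRONG_IDS`) are constructed here and do not model the actual EXOS generator; the thresholds (`min_total_bits`, `min_bits_per_position`) are assumed values for illustration.

```python
import math
import random
from collections import Counter

# Constructed sample data (not captured from an EXOS switch):
# WEAK_IDS is a zero-padded hexadecimal counter; STRONG_IDS are 128-bit
# values from a seeded PRNG, standing in for a properly random generator.
WEAK_IDS = [f"{n:016x}" for n in range(1000, 1100)]
_rng = random.Random(42)
STRONG_IDS = [f"{_rng.getrandbits(128):032x}" for _ in range(100)]


def shannon_entropy_bits(symbols):
    """Plug-in Shannon entropy, in bits, of the observed symbol distribution."""
    counts = Counter(symbols)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def per_position_entropy(ids):
    """Entropy of each character position across a set of equal-length IDs."""
    if not ids:
        raise ValueError("need at least one session ID")
    length = len(ids[0])
    if any(len(s) != length for s in ids):
        raise ValueError("session IDs must all have the same length")
    return [shannon_entropy_bits(s[i] for s in ids) for i in range(length)]


def looks_sequential(ids, base=16, max_step=16):
    """True if consecutive IDs, read as integers, advance by one small constant step."""
    try:
        nums = [int(s, base) for s in ids]
    except ValueError:
        return False
    diffs = {b - a for a, b in zip(nums, nums[1:])}
    if len(diffs) != 1:
        return False
    step = diffs.pop()
    return 0 < step <= max_step


def assess_session_ids(ids, min_total_bits=64.0, min_bits_per_position=3.0):
    """Summarise how guessable a sample of issued session IDs looks.

    The per-position entropy sum is an optimistic estimate: it ignores
    correlations between positions, so a low value is a reliable sign of
    weakness while a high value alone does not prove the IDs are random.
    Thresholds are assumed values chosen for this example.
    """
    ent = per_position_entropy(ids)
    total_bits = sum(ent)
    sequential = looks_sequential(ids)
    return {
        "sequential": sequential,
        "estimated_bits": total_bits,
        "low_entropy_positions": [i for i, e in enumerate(ent) if e < min_bits_per_position],
        "predictable": sequential or total_bits < min_total_bits,
    }


if __name__ == "__main__":
    for label, sample in (("counter", WEAK_IDS), ("random", STRONG_IDS)):
        print(label, assess_session_ids(sample))
```

Collect the sample by logging in repeatedly to your own device or application and recording the issued cookie values; the counter-style sample is flagged as sequential with only a few bits of estimated entropy, while the random sample passes both checks. Because the entropy estimate only looks at individual positions, treat a pass as necessary but not sufficient, and fix the root cause by generating session IDs from a cryptographically secure random source rather than tuning thresholds.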
Repair Recommendations
To mitigate the impact of both issues until an upgrade is possible, disable Chalet (the EXOS web interface) by turning off both HTTP and HTTPS web access:
disable web http
disable web https
EXOS v16.2.3.5-patch1-14 resolves CVE-2017-14332 (but not CVE-2017-14328). Both CVEs are fixed in the following releases:
Legal Notice
This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks.
Version
4