CLI command Injection

CLI command Injection

Advisory ID	CVE Number	Date discovered	Severity	Advisory revision
STORM-2021-007	CVE-2021-28962	03/19/2021	high	v2

Vulnerability details

CLI commands injection are possible from a Read-Only administrator.

Impacted products

Products	Severity	Detail
Stormshield Network Security	high	SNS is impacted

Revisions

Version	Date	Description
v1	05/27/2021	Initial release
v2	12/08/2021	Updating information

Stormshield Network Security

CVSS v3.1 Overall Score: 8.4

Analysis	Impacted version
On SNS, an administrator configured with read-only rights can triggers CLI commands, and elevate his privileges.	SNS 2.5.0 to 2.7.8 SNS 2.8.0 to 2.16.0 SNS 3.0.0 to 3.7.20 SNS 3.8.0 to 3.11.8 SNS 4.0.0 to 4.2.1

Workaround solution

Solution

There is no workaround solution.

The vulnerability is fixed in versions

2.7.9
3.7.21
3.11.9
4.2.2

Attack Vector	Attack Complexity	Privileges Required	User Interaction	Scope	Confidentiality Impact	Integrity Impact	Availability impact
Adjacent Network	Low	Low	None	Changed	High	High	High

CVSS Base score: 9	CVSS Vector: (AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Exploit Code Maturity	Remediation Level	Report Confidence
Functional exploit exists	Official fix	Confirmed

CVSS Temporal score: 8.3	CVSS Vector: (AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C)

Confidentiality Requirement	Integrity Requirement	Availability Requirement
High	High	High

CVSS Environmental score: 8.4	CVSS Vector: (AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)

Acknowledgements

Daniel Kalinowski

RSS Feed Contact Report a vulnerability Legal terms STORMSHIELD Corporate website Personal Data