CVE-2018-6961
Published: 11 June 2018
Summary
CVE-2018-6961 is a high-severity OS Command Injection (CWE-78) vulnerability in VMware NSX SD-WAN by VeloCloud. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-7 (Boundary Protection).
Deeper analysis
VMware NSX SD-WAN Edge by VeloCloud versions prior to 3.1.0 contain a command injection vulnerability, classified as CWE-78, in the product's local web UI component. This component is disabled by default. The issue received a CVSS v3.1 score of 8.1, reflecting a network attack vector, high attack complexity, and no required privileges or user interaction.
An unauthenticated attacker able to reach the web UI over the network could exploit the flaw to execute arbitrary commands on the affected appliance, resulting in full remote code execution with impacts to confidentiality, integrity, and availability.
Public references, including the VMware VMSA-2018-0011 advisory, reiterate that the component should not be enabled on untrusted networks and note that the service will be removed in future product releases. An exploit for the issue has been published on Exploit-DB.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-18705
Vulnerability details
VMware NSX SD-WAN Edge by VeloCloud prior to version 3.1.0 contains a command injection vulnerability in the local web UI component. This component is disabled by default and should not be enabled on untrusted networks. VeloCloud by VMware will be removing this service from the product in future releases. Successful exploitation of this issue could result in remote code execution.
- CWE(s): CWE-78
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- CM-7 (Least Functionality): Directly enforces disabling the vulnerable local web UI component by default and prohibits its activation on untrusted networks, eliminating the attack surface for the command-injection flaw.
- SC-7 (Boundary Protection): Boundary-protection rules can block all network access to the local web UI, preventing an unauthenticated attacker from reaching the command-injection endpoint.
- Requires prompt application of the vendor patch (or removal of the service in later releases) that eliminates the CWE-78 command-injection vulnerability.