Executive Summary
Summary | |
---|---|
Title | Cisco Adaptive Security Appliance insecurely logs passwords |
Information | |||
---|---|---|---|
Name | VU#563673 | First vendor Publication | 2007-09-05 |
Vendor | VU-CERT | Last vendor Modification | 2007-10-01 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:A/AC:H/Au:S/C:C/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 4.3 | Attack Range | Adjacent network |
Cvss Impact Score | 6.9 | Attack Complexity | High |
Cvss Exploit Score | 2.5 | Authentication | Requires single instance |
Detail
Vulnerability Note VU#563673
Cisco Adaptive Security Appliance insecurely logs passwords
Overview
The Cisco Adaptive Security Appliance (ASA) firewall may log user credentials, including passwords, as plain text when AAA authentication is enabled.
I. Description
The Cisco Adaptive Security Appliance (ASA) is a firewall with Intrusion Protection System (IPS), Stateful Packet Inspection (SPI), and routing features. The Cisco ASA includes Authentication, Authorization and Accounting (AAA) support that allows administrators and users to use a single set of credentials to manage multiple devices.
Systems Affected
References
This vulnerability was reported and discovered by Lisa Sittler of CERT/CC. This document was written by Ryan Giobbi.
Original Source
Url : http://www.kb.cert.org/vuls/id/563673
CAPEC : Common Attack Pattern Enumeration & Classification
Id | Name |
---|---|
CAPEC-31 | Accessing/Intercepting/Modifying HTTP Cookies |
CAPEC-37 | Lifting Data Embedded in Client Distributions |
CAPEC-65 | Passively Sniff and Capture Application Code Bound for Authorized Client |
CAPEC-102 | Session Sidejacking |
CAPEC-117 | Data Interception Attacks |
CAPEC-155 | Screen Temporary Files for Sensitive Information |
CAPEC-157 | Sniffing Attacks |
CAPEC-167 | Lifting Sensitive Data from the Client |
CAPEC-204 | Lifting cached, sensitive data embedded in client distributions (thick or thin) |
CAPEC-205 | Lifting credential(s)/key material embedded in client distributions (thick or... |
CAPEC-258 | Passively Sniffing and Capturing Application Code Bound for an Authorized Cli... |
CAPEC-259 | Passively Sniffing and Capturing Application Code Bound for an Authorized Cli... |
CAPEC-260 | Passively Sniffing and Capturing Application Code Bound for an Authorized Cli... |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-319 | Cleartext Transmission of Sensitive Information |
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
37499 | Cisco Adaptive Security Appliance (ASA) PIX Cleartext Password Remote Disclosure |