Executive Summary

Summary
Title: Cisco Elastic Services Controller Unauthorized Access Vulnerability
Information
Name: cisco-sa-20170705-esc2
First vendor Publication: 2017-07-05
Vendor: Cisco
Last vendor Modification: 2017-07-05
Severity (Vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score: 10
Cvss Impact Score: 10
Cvss Exploit Score: 10
Attack Range: Network
Attack Complexity: Low
Authentication: None Required

Detail

A vulnerability in the Play Framework of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to gain full access to the affected system.

The vulnerability is due to static, default credentials for the Cisco ESC UI that are shared between installations. An attacker who can extract the static credentials from an existing installation of Cisco ESC could generate an admin session token that allows access to all instances of the ESC web UI.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-esc2


Original Source

Url : http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco (...)

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-770 Allocation of Resources Without Limits or Throttling

CPE : Common Platform Enumeration

Type Description Count
Application 6

Alert History

Date Information
2017-07-07 21:24:49
  • Multiple Updates
2017-07-06 09:24:47
  • Multiple Updates
2017-07-06 00:22:11
  • First insertion