Executive Summary

Summary
Title: Cisco IOS XE Software for Cisco 5760 WLC, Cisco Catalyst 4500E Supervisor Engine 8-E, and Cisco NGWC 3850 GUI Privilege Escalation Vulnerability

Information
Name: cisco-sa-20170927-ngwc
Vendor: Cisco
First vendor publication: 2017-09-27
Last vendor modification: 2017-09-27
Severity (Vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Cvss Base Score: 9
Cvss Impact Score: 10
Cvss Exploit Score: 8
Attack Range: Network
Attack Complexity: Low
Authentication: Requires single instance

Detail

A vulnerability in the web-based Wireless Controller GUI of Cisco IOS XE Software for Cisco 5760 Wireless LAN Controllers, Cisco Catalyst 4500E Supervisor Engine 8-E (Wireless) Switches, and Cisco New Generation Wireless Controllers (NGWC) 3850 could allow an authenticated, remote attacker to elevate their privileges on an affected device.

The vulnerability is due to incomplete input validation of HTTP requests by the affected GUI, if the GUI connection state or protocol changes. An attacker could exploit this vulnerability by authenticating to the Wireless Controller GUI as a Lobby Administrator user of an affected device and subsequently changing the state or protocol for their connection to the GUI. A successful exploit could allow the attacker to elevate their privilege level to administrator and gain full control of the affected device.

Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170927-ngwc


Original Source

Url : http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco (...)

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-20 Improper Input Validation

CPE : Common Platform Enumeration

Type Description Count
Os 6

Alert History

Date Information
2017-10-07 00:24:30
  • Multiple Updates
2017-09-29 09:26:02
  • Multiple Updates
2017-09-27 21:23:01
  • First insertion