9 - cisco-sa-20180328-xepriv

A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to gain elevated privileges on an affected device.

The vulnerability exists because the affected software does not reset the privilege level for each web UI session. An attacker who has valid credentials for an affected device could exploit this vulnerability by remotely accessing a VTY line to the device. A successful exploit could allow the attacker to access an affected device with the privileges of the user who previously logged in to the web UI.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-xepriv ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-xepriv"] This advisory is part of the March 28, 2018, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 20 Cisco Security Advisories that describe 22 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication ["https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-66682"].

BEGIN PGP SIGNATURE

iQJ5BAEBAgBjBQJau70wXBxDaXNjbyBQcm9kdWN0IFNlY3VyaXR5IEluY2lkZW50 IFJlc3BvbnNlIFRlYW0gKENpc2NvIFBTSVJUIGtleSAyMDE4LTIwMTkpIDxwc2ly dEBjaXNjby5jb20+AAoJEJa12PPJBfczrvkP/2AfGA8SKtPU5XygUx2ZbvPW91kW AG8FO+o//6d74Z/U+ApqR3Exs3oo9NVX15fLJtGpcP3hBy3NCszqa66ZbrWKQ65n i7GK6rsUYZoQNIRcm/tNzEzaJ+5i5Vql4vOWzqDRGcOJ2XezST9QFcq/5XNjeYD1 9SaNVujNx1Zncap1wMxYFky2DDHhjorER6tJdLJ/YqE6tyMf+gCuV6kQOYSVqgya kqZw7s1Vg1BrevBrhoeWI7jvOZHqidYid5Cny68+IlcHFKg3aBVfCfENYoQTcvaB QD2JogV65g2B/iNgZ6LnZPB2uY4WAz6DzpdYEwd5XtzhurY3cd5KaQM7cOFvNzS8 15AKt2ZeaSxZsoy57M4GlkA6UJ2wV9UjK8FVHUlpsBZiIa3St3CBGavzObUHaJ6f /GpAFDiGQB4OygmMkh/+8kQ8Fd0bMzQt0nr5HRcUy7kTyKmHKF3zz1tqCN8ovnPV v2FNQpqJmINls6ZiGrorWsXS6jT0brOGNhU7eFFeKQR1RJquC7NEWAy9E/9ijxU5 0sfpyor9xImEQj/ylE19oOV96ccUr2scfejSAXxhtZQkst4AZzHHvHxq+p3FuOSH taWiw1MopsB5EXROGRcNybA4B2lJi3hzQr9X1DJ97Z4pkc8qfXm+DNkQecOzyuNp dOMNNZ1N19AKB3DF =C/6O END PGP SIGNATURE

_______________________________________________ cust-security-announce mailing list cust-security-announce@cisco.com To unsubscribe, send the command "unsubscribe" in the subject of your message to cust-security-announce-leave@cisco.com