SB2017081703 - Information disclosure in Cisco Ultra Services Framework
Published: August 17, 2017
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2017-6778)
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.
The vulnerability exists in the Elastic Services Controller (ESC) web interface of the Cisco Ultra Services Platform due to the transmission of sensitive information as part of a GET request. A remote attacker can send a GET request to a vulnerable device and view information regarding the Ultra Services Platform deployment.
Successful exploitation of the vulnerability results in information disclosure.
2) Information disclosure (CVE-ID: CVE-2017-6771)
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists in the AutoVNF automation tool of the Cisco Ultra Services Framework due to insufficient protection of sensitive data. A remote attacker can browse to a specific URL of an affected device and view sensitive configuration information about the deployment.
Successful exploitation of the vulnerability results in information disclosure.
Remediation
Install the update from the vendor's website.