SB2017081704 - Multiple vulnerabilities in Cisco Elastic Services Controller

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2017081704

SB2017081704 - Multiple vulnerabilities in Cisco Elastic Services Controller

Published: August 17, 2017

Security Bulletin ID SB2017081704
Severity
Low
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2017-6786)

The vulnerability allows a local authenticated unprivileged attacker to obtain potentially sensitive information.

The vulnerability exists in Cisco Elastic Services Controller due to improper protection of sensitive log files. A local attacker can log in to an affected system and access unprotected log files, including system credentials.

Successful exploitation of the vulnerability may result in further attacks.


2) Information disclosure (CVE-ID: CVE-2017-6777)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.

The vulnerability exists in the ConfD server of the Cisco Elastic Services Controller (ESC) due to insufficient protection of sensitive files. A remote attacker can log into the ConfD server and execute certain commands to view configuration parameters.

Successful exploitation of the vulnerability may result in further attacks.


3) Cross-site scripting (CVE-ID: CVE-2017-6776)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability in in the web framework of Cisco Elastic Services Controller (ESC) due to incorrect filtration of input data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

4) Information disclosure (CVE-ID: CVE-2017-6772)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.

The vulnerability exists in Cisco Elastic Services Controller (ESC) due to insufficient protection of sensitive data. A remote attacker can authenticate to the application and navigate to certain configuration files.

Successful exploitation of the vulnerability may result in further attacks.


Remediation

Install update from vendor's website.

References