Main Vulnerability Database SB2017120111

SB2017120111 - Information disclosure in Cisco Secure Access Control System

Published: December 1, 2017

Security Bulletin ID SB2017120111

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2017-12354)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists in the web-based interface of Cisco Secure Access Control System (ACS) due to insufficient protection of system software version information when the software responds to HTTP requests that are sent to the web-based interface of the software. A remote attacker can send specially crafted HTTP requests to the web-based interface and gain access to potentially sensitive information that can be used to conduct additional reconnaissance attacks.

Remediation

Install update from vendor's website.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-acs