Multiple vulnerabilities in Cisco Secure Access Control

Published: 2018-03-09 16:01:30 | Updated: 2018-03-10 11:51:20
Severity Low
Patch available YES
Number of vulnerabilities 3
CVE ID CVE-2018-0147
CVE-2018-0218
CVE-2018-0207
CVSSv3 8.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CWE ID CWE-77
CWE-611
Exploitation vector Network
Public exploit Not available
Vulnerable software Cisco Secure Access Control
Vulnerable software versions Cisco Secure Access Control 5.2(0.3)
Cisco Secure Access Control 5.8(0.8)
Vendor URL Cisco Systems, Inc

Security Advisory

1) Command injection

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The weakness exists in Java deserialization due to insecure deserialization of user-supplied content. A remote attacker can send a specially crafted serialized Java object and execute arbitrary commands on the device with root privileges.

Remediation

Update to version 5.8 patch 9.

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs2

2) XXE attack

Description

The vulnerability allows a remote attacker to conduct XXE attack.

The weakness exists in the web-based user interface due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can trick the administrator of an affected system to import a crafted XML file, perform XXE attack and read arbitrary data.

Remediation

Update to version 5.8 patch 9.

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs1

3) XXE attack

Description

The vulnerability allows a remote attacker to conduct XXE attack.

The weakness exists in the web-based user interface due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can trick the administrator of an affected system to import a crafted XML file, perform XXE attack and read arbitrary data.

Remediation

Update to version 5.8 patch 9.

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs

Back to List