SB2018090609 - Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software
Published: September 6, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2018-0460)
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.
The vulnerability exists in the REST API of Cisco Enterprise NFV Infrastructure Software (NFVIS) due to insufficient authorization and parameter validation checks. A remote attacker can send a malicious API request with the authentication credentials of a low-privileged user and read any file on the affected system.
2) Improper input validation (CVE-ID: CVE-2018-0462)
The vulnerability allows a remote administrative attacker to cause DoS condition.
The vulnerability exists in the user management functionality of Cisco Enterprise NFV Infrastructure Software (NFVIS) due to insufficient validation of user-provided input. A remote attacker can log in with a highly privileged user account, perform a sequence of specific user management operations that interfere with the underlying operating system and permanently degrade the functionality of the affected system.
3) Improper input validation (CVE-ID: CVE-2018-0459)
The vulnerability allows a remote administrative attacker to cause DoS condition.
The vulnerability exists in the web-based management interface of Cisco Enterprise NFV Infrastructure Software (NFVIS) due to insufficient server-side authorization checks. A remote attacker who is logged in to the web-based management interface as a low-privileged user can send a specially crafted HTTP request and use the low-privileged user account to reboot or shut down the affected system.
Remediation
Install update from vendor's website.
References
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nfvis-infodi...
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nfvis-dos1
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nfvis-dos