Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2018-0460 CVE-2018-0462 CVE-2018-0459 |
| CWE-ID | CWE-200 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Enterprise NFV Infrastructure Software Server applications / Virtualization software |
| Vendor | Cisco Systems, Inc |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU14667
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-0460
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.
The vulnerability exists in the REST API of Cisco Enterprise NFV Infrastructure Software (NFVIS) due to insufficient authorization and parameter validation checks. A remote attacker can send a malicious API request with the authentication credentials of a low-privileged user and read any file on the affected system.
MitigationInstall update from vendor's website.
Vulnerable software versionsEnterprise NFV Infrastructure Software: 3.9.1
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper input validation
EUVDB-ID: #VU14668
Risk: Low
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-0462
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote administrative attacker to cause DoS condition.
The vulnerability exists in the user management functionality of Cisco Enterprise NFV Infrastructure Software (NFVIS) due to insufficient validation of user-provided input. A remote attacker can log in with a highly privileged user account, perform a sequence of specific user management operations that interfere with the underlying operating system and permanently degrade the functionality of the affected system.
MitigationInstall update from vendor's website.
Vulnerable software versionsEnterprise NFV Infrastructure Software: 6.0 - 8.0
External linkshttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nfvis-dos1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper input validation
EUVDB-ID: #VU14669
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-0459
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote administrative attacker to cause DoS condition.
The vulnerability exists in the web-based management interface of Cisco Enterprise NFV Infrastructure Software (NFVIS) due to insufficient server-side authorization checks. A remote attacker who is logged in to the web-based management interface as a low-privileged user can send a specially crafted HTTP request and use the low-privileged user account to reboot or shut down the affected system.
MitigationInstall update from vendor's website.
Vulnerable software versionsEnterprise NFV Infrastructure Software: 8.0
External linkshttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nfvis-dos
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
