SB2018090619 - Information disclosure in Cisco Network Services Orchestrator

Security Bulletin ID SB2018090619

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Information disclosure (CVE-ID: CVE-2018-0463)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to the Network Plug and Play component performs incomplete validation when configured to use secure unique device identifiers (SUDI) for authentication. A remote attacker who controls a Cisco device that supports SUDI authentication and has connectivity to an affected NSO system can leverage information about the devices that are being registered on the NSO server to send crafted Cisco Network Plug and Play authentication packets and gain unauthorized access to configuration data for devices that will be managed by the NSO system.

Remediation

Install update from vendor's website.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nso-infodis