Denial of service in Cisco Network Assurance Engine

Published: 2019-02-12 17:41:55
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
CVE ID: CVE-2019-1688
CVSSv3: 6.7 [CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]
CWE ID: CWE-798
Exploitation vector: Local
Public exploit: N/A
Vulnerable software: Cisco Network Assurance
Vulnerable software versions: Cisco Network Assurance 3.0(1)
Vendor URL: Cisco Systems, Inc

Security Advisory

1) Use of hardcoded credentials

Description

The vulnerability allows a local unauthenticated attacker to obtain potentially sensitive information or cause a DoS condition.

The vulnerability exists in the management web interface of Cisco Network Assurance Engine (NAE) due to a fault in the password management system of NAE. A local attacker can authenticate with the default administrator password via the CLI to view potentially sensitive information or bring the server down, causing a DoS condition.

Remediation

Update to version 3.0(1a).

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190212-nae-dos