Information disclosure in Policy Suite - CVE-2018-0134
Published: February 7, 2018 / Updated: February 8, 2018
Vulnerability identifier: #VU10404
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-0134
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Policy Suite
Policy Suite
Detailed vulnerability description
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists in the RADIUS authentication module of Cisco Policy Suite due to the Cisco Policy Suite RADIUS server component returns different authentication failure messages based on the validity of usernames. A remote attacker can use these messages to determine whether a valid subscriber username has been identified and conduct subsequent attacks against the system.
How to mitigate CVE-2018-0134
Install update from vendor's website.