#VU14681 Information disclosure in Cisco Network Services Orchestrator (NSO) - CVE-2018-0463


| Updated: 2018-09-06

Vulnerability identifier: #VU14681

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-0463

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cisco Network Services Orchestrator (NSO)
Web applications / Remote management & hosting panels

Vendor: Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to the Network Plug and Play component performs incomplete validation when configured to use secure unique device identifiers (SUDI) for authentication. A remote attacker who controls a Cisco device that supports SUDI authentication and has connectivity to an affected NSO system can leverage information about the devices that are being registered on the NSO server to send crafted Cisco Network Plug and Play authentication packets and gain unauthorized access to configuration data for devices that will be managed by the NSO system.

Mitigation
The vulnerability has been fixed in the version 1.3.0.

Vulnerable software versions

Cisco Network Services Orchestrator (NSO): 1.2.0 - 2.0


External links
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nso-infodis


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability