—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

Cisco Security Advisory: Cisco Cloud Services Platform 2100 Unauthorized Access Vulnerability

Advisory ID: cisco-sa-20171018-ccs

Revision: 1.0

For Public Release: 2017 October 18 16:00 GMT

Last Updated: 2017 October 18 16:00 GMT

CVE ID(s): CVE-2017-12251

CVSS Score v(3): 9.9 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

+———————————————————————

Summary
=======
A vulnerability in the web console of the Cisco Cloud Services Platform (CSP) 2100 could allow an authenticated, remote attacker to interact maliciously with the services or virtual machines (VMs) operating remotely on an affected CSP device.

The vulnerability is due to weaknesses in the generation of certain authentication mechanisms in the URL of the web console. An attacker could exploit this vulnerability by browsing to one of the hosted VMs’ URLs in Cisco CSP and viewing specific patterns that control the web application’s mechanisms for authentication control. An exploit could allow the attacker to access a specific VM on the CSP, which causes a complete loss of the system’s confidentiality, integrity, and availability.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171018-ccs [“https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171018-ccs”]

—–BEGIN PGP SIGNATURE—–

iQKBBAEBAgBrBQJZ53tLZBxDaXNjbyBTeXN0ZW1zIFByb2R1Y3QgU2VjdXJpdHkg
SW5jaWRlbnQgUmVzcG9uc2UgVGVhbSAoQ2lzY28gUFNJUlQga2V5IDIwMTYtMjAx
NykgPHBzaXJ0QGNpc2NvLmNvbT4ACgkQrz2APcQAkHmx5A/8DT9waYqvQjTBPYNe
kbWKLIPgpfu0C58S9AfIP+2XV+0lVo9k1HnoDJmZfH6VC+c6/MxG5RkSMi2oNYVV
3GdQxerM8iCV7UmousbFStgpe5xGMidEKkAzLxxl9BjNjRnR70GlDneBkz7/sw3I
CPYp7UPMCWlc7Bnfu56erMHue8RWOCTz68FCDnasZasWGigjmJNOy8f6bICkTkdS
tY+x40E9E2zuFx3RCYFp+Mpn69oQhig/6+EUy6qTZjpsSpvvPSCEgUqdAsT2+zML
2zCKarFjs5k6oAYr2fJ6cOX11JtIlrQGj2Be0LUOVLXPibyw4sVRYAw0OZl2fc4C
EBkGANYAxPoTEsRHn2q5IoDB9lIZdarNtX8Ys42wwjpX5eybMsuBd1glwmmNjqkc
DIyGzwQCBN5nBH54xmm9pRB1o7wOKV3Y1okdn6a47s89XEwlKh8SxXYASEEeyn33
c+Xerp4DKVfd30BchK39cYiKnGyngYNep20HDCRP3ZBfAxtVvRtwBn4HeOfqgDlI
5ZESStXFEoDAkm3YjBLLRAKYIcFxYOquBmHvcpAvuC7i0GQ50ys77lrEMNbIx9FJ
4M2mE1MPoQByYpFQtWtTDpUfP3rmAua8oB80ydoMgHpZAyo6amQsdVnai0CduLHX
B9ZyxahXTjfoDuEbgeHVY5GrDzQ=
=nCrT
—–END PGP SIGNATURE—–

_______________________________________________
cust-security-announce mailing list
cust-security-announce@cisco.com
To unsubscribe, send the command “unsubscribe” in the subject of your message to cust-security-announce-leave@cisco.com