—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

Cisco Security Advisory: Cisco Elastic Services Controller Service Portal Authentication Bypass Vulnerability

Advisory ID: cisco-sa-20180221-esc

Revision: 1.0

For Public Release: 2018 February 21 16:00 GMT

Last Updated: 2018 February 21 16:00 GMT

CVE ID(s): CVE-2018-0121

CVSS Score v(3): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

+———————————————————————

Summary
=======
A vulnerability in the authentication functionality of the web-based service portal of Cisco Elastic Services Controller Software could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrator privileges on an affected system.

The vulnerability is due to improper security restrictions that are imposed by the web-based service portal of the affected software. An attacker could exploit this vulnerability by submitting an empty password value to an affected portal when prompted to enter an administrative password for the portal. A successful exploit could allow the attacker to bypass authentication and gain administrator privileges for the web-based service portal of the affected software.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-esc [“https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-esc”]

—–BEGIN PGP SIGNATURE—–

iQJ5BAEBAgBjBQJajZlhXBxDaXNjbyBQcm9kdWN0IFNlY3VyaXR5IEluY2lkZW50
IFJlc3BvbnNlIFRlYW0gKENpc2NvIFBTSVJUIGtleSAyMDE4LTIwMTkpIDxwc2ly
dEBjaXNjby5jb20+AAoJEJa12PPJBfczxKYP/2oVkyDpD9CTxfIIPu+TjDciO3XD
B6wpkCLks7XQHKxV90Riw2vmh89EroB5RCDI1VvtW6fgTXUxtNRrwVuqYt7Pvrz7
UBmu94LVUwjWE0B/SRAsSf4pzYp3r8lRpEVuX2cONQq7jlZFw+t2+bAHnELI+2bW
bRkvPfyeblag8WPE2agmMB4J2RHWUYFTkTM9PPVoAGeuvmFDV3yDXDBoAPRxwknh
NjVA24QJxPB+8pkSqcMy14QmReBM+nQDODxbc9FjguK8P9YRhDPcDefovhgbQSVZ
jM/q7YSFS3uq2hPPFjspaA+iXGTq2Xv004r25/Zw9ClPyG5C0eVoYYe/rUNdKzXt
38kkdNUfs5MSdryXy8ZXYQqu8uSb1tzm7u7gN8FrFTl7lgBGrtnQ43LHw47Ues31
xpXBu28JvmW9Bix4NvioIeSP197LwiGtDZJ4D0XzWRZUjFINGG5daNtbnroVNX+w
RPec+cgm4Jrzk2ydCRxfNZ16ya4quZ8NiOMlTtntZoT2sXaIx2YbASu3vz040UTB
X+qFfAk0nPpjDfk1g/GcDV/EVmGcRAXvm4TPZELp7/oN5c2zwOZpjudjvwJ6jIBz
6nwLWScq/qMhQUNiH2GrJCpsYcNZ62BjOGsxzKIzTFZfiZsd2WuH3YyNojdlIf6H
u0Wyll2FBqpvWNvL
=HhL6
—–END PGP SIGNATURE—–

_______________________________________________
cust-security-announce mailing list
cust-security-announce@cisco.com
To unsubscribe, send the command “unsubscribe” in the subject of your message to cust-security-announce-leave@cisco.com