Vulnslist

Cisco vulnerabilities by product, model, software, and advisory.

Cisco Secure Access Control System Password Modification Vulnerability

Cisco-SA-20110330-CVE-2011-0951 · Medium · Published · Updated

Cisco Secure Access Control System (ACS) contains a vulnerability that could allow an unauthenticated, remote attacker to modify user passwords. The vulnerability is due to improper security restrictions on user password change functions in the web-based management interface of the Cisco Secure ACS application.  An unauthenticated, remote attacker could exploit this vulnerability by sending malicious requests to the system.  If successful, the attacker could modify user account passwords. Cisco has confirmed this vulnerability in a security advisory and released updated software. To exploit this vulnerability, an attacker must be able to send malicious requests to the targeted system.  Attackers may require access to internal networks to accomplish an exploit. Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

Cisco advisory · CSAF JSON

Workarounds

Administrators are advised to apply the available software updates.

Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the web-based management interface on affected systems.

Administrators are advised to monitor critical systems.

The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: cisco-amb-20110330-acs["http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080b7411a.html"]

CVEsCVE-2011-0951
Cisco Bug IDsNA
CVSS ScoreBase 5.0
Base 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C/CDP:N/TD:N/CR:ND/IR:ND/AR:ND
Product Names From Source
Cisco Secure Access Control System (ACS)

Related Products

Product CVE Evidence
Cisco Secure Access Control System (ACS) CVE-2011-0951 Cisco OpenVuln