Vulnslist

Cisco vulnerabilities by product, model, software, and advisory.

Cisco Secure Access Control System Unprivileged Support Bundle Download Vulnerability

Cisco-SA-20131202-CVE-2013-6695 · Medium · Published · Updated

A vulnerability in the role-based access control code of the Cisco Secure Access Control System (ACS) could allow an authenticated, remote attacker to access support bundle information. The vulnerability is due to a failure to check the user privileges correctly when downloading the support bundle. An attacker could exploit this vulnerability by downloading the support bundle without the appropriate user privileges. An exploit could allow the unprivileged attacker to download the support bundle and access sensitive information such as the user database. Cisco has confirmed the vulnerability in a security notice and released software updates. To exploit this vulnerability, an attacker must authenticate to the affected device. The access requirement decreases the likelihood of a successful exploit. Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

Cisco advisory · CSAF JSON

Workarounds

Administrators are advised to apply the appropriate updates.

Administrators are advised to allow only trusted users to have network access.

Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

Administrators are advised to monitor affected systems.

CVEsCVE-2013-6695
Cisco Bug IDsCSCuj39274
CVSS ScoreBase 4.0
Base 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C
Product Names From Source
Cisco Secure Access Control System (ACS)

Related Products

Product CVE Evidence
Cisco Secure Access Control System (ACS) CVE-2013-6695 Cisco OpenVuln