Vulnslist

Cisco Secure Access Control Server Privilege Escalation Vulnerability

Cisco-SA-20150115-CVE-2014-8027 · Medium · Published 11 years ago · Updated 11 years ago

A vulnerability in role-based access control in Cisco Secure Access Control Server (ACS) could allow an authenticated, remote attacker to take actions with an elevated authorization level. The vulnerability is due to improper privilege validation. An attacker could exploit the vulnerability by sending crafted HTTP requests to the Cisco ACS. An exploit could allow the attacker to perform Create, Read, Update, and Delete operations on any Network Identity Group with privileges that should be limited to the Network Device Administrator role. Cisco has confirmed the vulnerabilities in a security notice and has released software updates. To exploit this vulnerability, an attacker requires authenticated access to the targeted system. Authenticated access may require the attacker to access trusted, internal networks. These requirements could limit the likelihood of a successful exploit. Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

Cisco advisory · CSAF JSON

Workarounds

Related Products