Cisco-SA-20150826-CVE-2015-6265

Cisco ACE 4710 and ACE30 Application Control Engine CLI Privilege Escalation Vulnerability

Cisco-SA-20150826-CVE-2015-6265 · Medium · Published 10 years ago · Updated 10 years ago

A vulnerability in the command-line interface (CLI) of Cisco Application Control Engine (ACE) could allow an authenticated, local attacker to elevate privileges to read and alter the content of files that belong to other contexts. The vulnerability is due to insufficient file access controls. An attacker could exploit this vulnerability by crafting a malicious file, copying it to the ACE, and using the file as input for a specific CLI command. Cisco has confirmed the vulnerability; however, software updates are not available. To exploit this vulnerability, an attacker must authenticate to the targeted device and have local network access. These access requirements may reduce the likelihood of a successful exploit. Cisco would like to thank Jens Krabbenhoeft of Rauscher networX for reporting this vulnerability.

Cisco advisory ·CSAF JSON

Workarounds

Administrators are advised to contact the vendor regarding future updates and releases.

Administrators are advised to allow only trusted users to access local systems.

Administrators are advised to monitor affected systems.

CVEs	CVE-2015-6265
Cisco Bug IDs	CSCur23662
CVSS Score	Base 4.3 Base 4.3 AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:U/RC:C
Product Names From Source	Cisco ACE 4700 Series Application Control Engine Appliances

Related Products

Product	CVE	Evidence
Cisco ACE 4700 Series Application Control Engine Appliances	CVE-2015-6265	Cisco OpenVuln

Vulnslist

find the latest Cisco vulnerabilities

Cisco ACE 4710 and ACE30 Application Control Engine CLI Privilege Escalation Vulnerability

Workarounds

Related Products