cnvd - cnvd-2017-36399

CNVD-2017-36399

Vulnerability from cnvd - Published: 2017-12-06

Title

Cisco Secure Access Control System信息泄露漏洞（CNVD-2017-36399）

Description

Cisco Secure Access Control System（ACS）是美国思科（Cisco）公司的一套安全访问控制系统。该系统可通过RADIUS、TACACS协议分别对网络访问和网络设备访问进行控制。 Cisco Secure ACS中的基于Web的界面存在信息泄露漏洞，该漏洞源于程序未能充分的保护系统软件版本信息。远程攻击者可通过向基于Web的界面发送特制的HTTP数据包利用该漏洞查看有关该系统软件的敏感信息。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页及时更新： https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-acs

Reference

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-acs

Impacted products

Name
Cisco Secure Access Control System (ACS)

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-12354"
    }
  },
  "description": "Cisco Secure Access Control System\uff08ACS\uff09\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4e00\u5957\u5b89\u5168\u8bbf\u95ee\u63a7\u5236\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u53ef\u901a\u8fc7RADIUS\u3001TACACS\u534f\u8bae\u5206\u522b\u5bf9\u7f51\u7edc\u8bbf\u95ee\u548c\u7f51\u7edc\u8bbe\u5907\u8bbf\u95ee\u8fdb\u884c\u63a7\u5236\u3002\r\n\r\nCisco Secure ACS\u4e2d\u7684\u57fa\u4e8eWeb\u7684\u754c\u9762\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u5145\u5206\u7684\u4fdd\u62a4\u7cfb\u7edf\u8f6f\u4ef6\u7248\u672c\u4fe1\u606f\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5411\u57fa\u4e8eWeb\u7684\u754c\u9762\u53d1\u9001\u7279\u5236\u7684HTTP\u6570\u636e\u5305\u5229\u7528\u8be5\u6f0f\u6d1e\u67e5\u770b\u6709\u5173\u8be5\u7cfb\u7edf\u8f6f\u4ef6\u7684\u654f\u611f\u4fe1\u606f\u3002",
  "discovererName": "Cisco",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u53ca\u65f6\u66f4\u65b0\uff1a\r\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-acs",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-36399",
  "openTime": "2017-12-06",
  "products": {
    "product": "Cisco Secure Access Control System (ACS)"
  },
  "referenceLink": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-acs",
  "serverity": "\u4e2d",
  "submitTime": "2017-12-04",
  "title": "Cisco Secure Access Control System\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2017-36399\uff09"
}

CVE-2017-12354 (GCVE-0-2017-12354)

Vulnerability from cvelistv5 – Published: 2017-11-30 09:00 – Updated: 2024-08-05 18:36

Summary

A vulnerability in the web-based interface of Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to view sensitive information on an affected system. The vulnerability exists because the affected software does not sufficiently protect system software version information when the software responds to HTTP requests that are sent to the web-based interface of the software. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based interface of the affected software. A successful exploit could allow the attacker to view sensitive information about the software, which the attacker could use to conduct additional reconnaissance attacks. Cisco Bug IDs: CSCvf66155.

Severity ?

No CVSS data available.

CWE

CWE-200

Assigner

cisco

References

URL

Tags

	http://www.securityfocus.com/bid/101986	vdb-entryx_refsource_BID
	http://www.securitytracker.com/id/1039923	vdb-entryx_refsource_SECTRACK
	https://tools.cisco.com/security/center/content/C…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	Cisco Secure Access Control System	Affected: Cisco Secure Access Control System

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:36:55.969Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "101986",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/101986"
          },
          {
            "name": "1039923",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1039923"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-acs"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco Secure Access Control System",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Cisco Secure Access Control System"
            }
          ]
        }
      ],
      "datePublic": "2017-11-30T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the web-based interface of Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to view sensitive information on an affected system. The vulnerability exists because the affected software does not sufficiently protect system software version information when the software responds to HTTP requests that are sent to the web-based interface of the software. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based interface of the affected software. A successful exploit could allow the attacker to view sensitive information about the software, which the attacker could use to conduct additional reconnaissance attacks. Cisco Bug IDs: CSCvf66155."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-12-01T10:57:01",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "101986",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/101986"
        },
        {
          "name": "1039923",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1039923"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-acs"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "ID": "CVE-2017-12354",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco Secure Access Control System",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Cisco Secure Access Control System"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the web-based interface of Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to view sensitive information on an affected system. The vulnerability exists because the affected software does not sufficiently protect system software version information when the software responds to HTTP requests that are sent to the web-based interface of the software. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based interface of the affected software. A successful exploit could allow the attacker to view sensitive information about the software, which the attacker could use to conduct additional reconnaissance attacks. Cisco Bug IDs: CSCvf66155."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "101986",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/101986"
            },
            {
              "name": "1039923",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1039923"
            },
            {
              "name": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-acs",
              "refsource": "CONFIRM",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-acs"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2017-12354",
    "datePublished": "2017-11-30T09:00:00",
    "dateReserved": "2017-08-03T00:00:00",
    "dateUpdated": "2024-08-05T18:36:55.969Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2017-36399

CVE-2017-12354 (GCVE-0-2017-12354)

Tags

Sightings

Nomenclature