Cisco Bug: CSCum59958 - PI grants a user default permissions, if wrong register is used to login

Last Modified

Feb 22, 2018

Products (1)

  • Cisco Prime Infrastructure

Known Affected Releases

1.4(0.45), 3.0

Description (partial)

Symptom:
A vulnerability in the handling of usernames in Cisco Prime Infrastructure (PI) could allow an authenticated, remote attacker with a
limited-privilege account to escalate privileges to the default ones.

The vulnerability exists because PI stores usernames, and performs username string comparisons, in a case-sensitive manner. An attacker
could exploit this vulnerability by typing the username in a different case combination than the one registered on PI. If PI is configured
for external authentication (e.g., RADIUS or TACACS), the login will succeed but PI will assign default authorizations to the logged-in user.

Conditions:
PI configured for external authentication.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
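
The flaw described under Symptom, modelled next to one possible hardening, as an added example that is not Cisco code and not taken from the bug record. Every name, role and credential below is hypothetical and constructed; it assumes the external server matches usernames case-insensitively and that a failed local lookup falls back to a default role.

```python
import unicodedata
from typing import Optional

DEFAULT_ROLE = "default"  # assumption: stand-in for PI's default authorizations

# Constructed local authorization store: username as registered -> role.
LOCAL_ROLES = {"jsmith": "read-only", "admin": "root"}

# Constructed external directory (plays the RADIUS/TACACS server).
EXTERNAL_CREDS = {"jsmith": "s3cret", "admin": "hunter2", "newhire": "pw"}


def external_auth(username: str, password: str) -> bool:
    """Assumed behaviour: the external server ignores username case."""
    return EXTERNAL_CREDS.get(username.lower()) == password


def authorize_flawed(username: str, password: str) -> Optional[str]:
    """Case-sensitive local lookup with a permissive fallback."""
    if not external_auth(username, password):
        return None
    # "JSmith" != "jsmith": the lookup misses, so the default role is
    # granted instead of the restricted role registered for this user.
    return LOCAL_ROLES.get(username, DEFAULT_ROLE)


def canonical(username: str) -> str:
    """Single canonical form used for both storage and comparison."""
    return unicodedata.normalize("NFKC", username).casefold()


CANONICAL_ROLES = {canonical(u): r for u, r in LOCAL_ROLES.items()}


def authorize_hardened(username: str, password: str) -> Optional[str]:
    """Canonicalize before lookup and fail closed on a miss."""
    if not external_auth(username, password):
        return None
    # Design choice of this example: an authenticated user with no
    # registered role gets no role rather than the default one.
    return CANONICAL_ROLES.get(canonical(username))


def case_collisions(usernames) -> dict:
    """Audit helper: registered names that differ only by case."""
    groups = {}
    for name in usernames:
        groups.setdefault(canonical(name), []).append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Run `case_collisions` over the existing user store before switching to canonical comparison, since accounts that differ only by case would otherwise merge.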
