Cisco Bug: CSCur27371 - Cisco Prime NCS Unauthorized Configuration Vulnerability

Last Modified

Sep 12, 2016

Products (1)

  • Cisco Prime Infrastructure

Known Affected Releases

2.1(0.0.85) 2.2(0.0.58) 2.2(0.0.69)

Description (partial)

Symptom:
A vulnerability in the Authentication, Accounting and Authorization (AAA) user roles of the Cisco Prime Network Control System (NCS) network management application could allow an authenticated, remote attacker logged in as a system monitor user to perform configuration tasks.

The vulnerability is due to inconsistent AAA user role implementation, which leaves the configuration feature of DWC accessible to unauthorized users. An attacker could exploit this vulnerability by logging in as a lower-privilege user and then performing actions that should be restricted. An exploit could allow the attacker to escalate privileges and run commands that should be restricted.

Conditions:
Cisco NCS network management application running the default configuration.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
