Cisco Bug: CSCur27371 - Cisco Prime NCS Unauthorized Configuration Vulnerability
Sep 12, 2016
- Cisco Prime Infrastructure
Known Affected Releases
2.1(0.0.85) 2.2(0.0.58) 2.2(0.0.69)
Symptom: A vulnerability in the Authentication, Accounting and Authorization (AAA) user roles of the Cisco Prime Network Control System (NCS) network management application could allow an authenticated, remote attacker logged in as a system monitor user to perform configuration tasks. The vulnerability is due to inconsistent AAA user role implementation, which allows the configuration feature of DWC to be accessible to unauthorized users. An attacker could exploit this vulnerability by logging in as a lower privilege user and then performing actions which should be restricted. An exploit could allow the attacker to gain privileged escalation and perform commands which should be restricted. Conditions: Cisco NCS network management application running the default configuration.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases