Cisco Bug: CSCvu75093 - MGBL-AAA: Unauthorised user able to read data through lpts-ifib,lpts-pa,lpts-pre-ifib oper models

Last Modified

Sep 02, 2020

Products (1)

  • Cisco ASR 9000 Series Aggregation Services Routers

Known Affected Releases

7.1.2.BASE

Description (partial)

Release-note

Symptom:
A user logs in via TACACS+ authentication/authorization with a limited permission set (the service admin user).
When the same user logs in on a VTY, the user has very limited permission. However, with the same permission set over NETCONF, the user is able to read data via the lpts-ifib, lpts-pa and lpts-pre-ifib oper models. Refer to the "Debug-output" enclosure.

Conditions:
A user logs in via TACACS+ authentication/authorization with a limited permission set (the service admin user).

When the same user logs in on a VTY, the user has very limited permission (refer to the "show commands" enclosure). However, with the same permission set over NETCONF, the user can read data via the lpts-ifib, lpts-pa and lpts-pre-ifib oper models. Refer to the "Debug-output" enclosure.

RP/0/RP0/CPU0:R1#show user group 
Fri Jun 26 16:44:15.992 UTC
serviceadmin
RP/0/RP0/CPU0:R1#show user tasks       
Fri Jun 26 16:44:38.151 UTC
Task:             firewall  : READ    WRITE    EXECUTE    DEBUG
Task:                  sbc  : READ    WRITE    EXECUTE    DEBUG

<<< The service admin user has access only to these two tasks and does not hold the "lpts" task. The same user is still able to retrieve YANG data from the LPTS oper models through NETCONF, whereas that user has no access to the LPTS show commands when logged in on a VTY.
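The script below is an added example; it is not Cisco's code and is not taken from the bug enclosures. It builds the NETCONF <get> request that a regression test would send as the service admin user for each of the three LPTS oper models named above, and classifies the <rpc-reply>: operational data coming back means the task-group authorization is being bypassed over NETCONF as described, while an <rpc-error> with error-tag access-denied means the NETCONF path is enforcing the same task check as the CLI. The YANG module names, their top-level container names and the shape of the sample replies are assumptions taken from the public Cisco-IOS-XR YANG models and are constructed here rather than captured from a router; confirm them against the device's NETCONF capability list before relying on them.

```python
"""Offline regression check for the NETCONF/CLI authorization gap in CSCvu75093.

Added example, not Cisco's code. Builds <get> filters for the LPTS oper
models and classifies an <rpc-reply> as LEAKED (operational data returned
to a user without the "lpts" task), DENIED (rpc-error access-denied),
EMPTY (container present but no state) or ERROR (any other failure).
"""
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"

# YANG module -> top-level oper container. ASSUMED from the public
# Cisco-IOS-XR-lpts-*-oper models; verify against the router's capabilities.
LPTS_OPER_MODELS = {
    "Cisco-IOS-XR-lpts-pre-ifib-oper": "lpts-pifib",
    "Cisco-IOS-XR-lpts-ifib-oper": "lpts-ifib",
    "Cisco-IOS-XR-lpts-pa-oper": "lpts-pa",
}


def model_ns(module: str) -> str:
    """Namespace URI convention used by the Cisco-IOS-XR YANG models."""
    return f"http://cisco.com/ns/yang/{module}"


def subtree_filter(module: str) -> str:
    """Subtree filter selecting the whole top-level container of one model."""
    return f'<{LPTS_OPER_MODELS[module]} xmlns="{model_ns(module)}"/>'


def get_rpc(module: str, message_id: int = 101) -> str:
    """Complete <rpc><get> envelope, as sent over NETCONF-over-SSH (port 830)."""
    return (
        f'<rpc xmlns="{NC_NS}" message-id="{message_id}">'
        f'<get><filter type="subtree">{subtree_filter(module)}</filter></get>'
        "</rpc>"
    )


def classify_reply(reply_xml: str, module: str) -> str:
    """Classify one <rpc-reply> for the given model: LEAKED/DENIED/EMPTY/ERROR."""
    root = ET.fromstring(reply_xml)
    errors = root.findall(f"{{{NC_NS}}}rpc-error")
    if errors:
        tags = {e.findtext(f"{{{NC_NS}}}error-tag", "") for e in errors}
        # access-denied is the expected answer for a user lacking the lpts task.
        return "DENIED" if "access-denied" in tags else "ERROR"
    data = root.find(f"{{{NC_NS}}}data")
    if data is None:
        return "ERROR"
    node = data.find(f"{{{model_ns(module)}}}{LPTS_OPER_MODELS[module]}")
    # A populated container means LPTS state reached a user whose task set
    # (firewall, sbc) does not include lpts: the condition the bug describes.
    if node is not None and len(node):
        return "LEAKED"
    return "EMPTY"


def audit(replies: dict) -> dict:
    """Map module name -> verdict for {module: rpc-reply xml} captured per model."""
    return {module: classify_reply(xml, module) for module, xml in replies.items()}


# Constructed sample replies (not captured from a device): one that leaks
# LPTS IFIB state, one that is correctly denied.
LEAKED_REPLY = (
    f'<rpc-reply xmlns="{NC_NS}" message-id="101"><data>'
    f'<lpts-ifib xmlns="{model_ns("Cisco-IOS-XR-lpts-ifib-oper")}">'
    "<nodes><node><node-name>0/RP0/CPU0</node-name></node></nodes>"
    "</lpts-ifib></data></rpc-reply>"
)
DENIED_REPLY = (
    f'<rpc-reply xmlns="{NC_NS}" message-id="101"><rpc-error>'
    "<error-type>application</error-type><error-tag>access-denied</error-tag>"
    "<error-severity>error</error-severity></rpc-error></rpc-reply>"
)

if __name__ == "__main__":
    for module in LPTS_OPER_MODELS:
        print(get_rpc(module))
    print(audit({"Cisco-IOS-XR-lpts-ifib-oper": LEAKED_REPLY,
                 "Cisco-IOS-XR-lpts-pa-oper": DENIED_REPLY}))
```

To use it against a router, log in as the restricted TACACS+ user over the NETCONF subsystem (for example `ssh -p 830 <user>@<router> -s netconf`, exchange the `<hello>` capability messages, then send the output of `get_rpc(...)`) and feed the `<rpc-reply>` to `classify_reply`. On an affected release the verdict for a user holding only the firewall and sbc tasks is LEAKED; after the fix it should be DENIED, matching the CLI behaviour where the LPTS show commands are refused on a VTY.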