Details of VAR-201602-0044

ID

VAR-201602-0044

CVE

CVE-2016-1301

TITLE

Cisco ASA CX Content-Aware Security and Prime Security Manager Software arbitrary password change vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2016-001560

DESCRIPTION

The RBAC implementation in Cisco ASA-CX Content-Aware Security software before 9.3.1.1(112) and Cisco Prime Security Manager (PRSM) software before 9.3.1.1(112) allows remote authenticated users to change arbitrary passwords via a crafted HTTP request, aka Bug ID CSCuo94842. Vendors have confirmed this vulnerability Bug ID CSCuo94842 It is released as. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlCrafted by remotely authenticated users HTTP Any password may be changed via request. An attacker can exploit this issue to gain elevated privileges on an affected application. PRSM is a multi-device management platform for ASA-CX. The platform can add multiple ASA CX devices to PRSM's device inventory and apply security policies to their devices. A remote attacker could exploit this vulnerability to change arbitrary passwords by sending specially crafted HTTP requests

Trust: 1.98

sources: NVD: CVE-2016-1301 // JVNDB: JVNDB-2016-001560 // BID: 82557 // VULHUB: VHN-90120

AFFECTED PRODUCTS

vendor:	cisco	model:	prime security manager	scope:	eq	version:	9.2.0	Trust: 1.6
vendor:	cisco	model:	prime security manager	scope:	eq	version:	9.1.2-29	Trust: 1.6
vendor:	cisco	model:	prime security manager	scope:	eq	version:	9.2.1-2	Trust: 1.6
vendor:	cisco	model:	prime security manager	scope:	eq	version:	9.2.1-1	Trust: 1.6
vendor:	cisco	model:	prime security manager	scope:	eq	version:	9.1.0	Trust: 1.6
vendor:	cisco	model:	prime security manager	scope:	eq	version:	9.1.3-10	Trust: 1.6
vendor:	cisco	model:	prime security manager	scope:	eq	version:	9.1.3-13	Trust: 1.6
vendor:	cisco	model:	prime security manager	scope:	eq	version:	9.1.3-8	Trust: 1.6
vendor:	cisco	model:	prime security manager	scope:	eq	version:	9.0.2-68	Trust: 1.6
vendor:	cisco	model:	prime security manager	scope:	eq	version:	9.1.2-42	Trust: 1.6
vendor:	cisco	model:	asa cx context-aware security software	scope:	eq	version:	9.2.1-1	Trust: 1.0
vendor:	cisco	model:	asa cx context-aware security software	scope:	eq	version:	9.0.2-68	Trust: 1.0
vendor:	cisco	model:	prime security manager	scope:	eq	version:	9.0.0	Trust: 1.0
vendor:	cisco	model:	asa cx context-aware security software	scope:	eq	version:	9.1.3-8	Trust: 1.0
vendor:	cisco	model:	asa cx context-aware security software	scope:	eq	version:	9.0.2	Trust: 1.0
vendor:	cisco	model:	asa cx context-aware security software	scope:	eq	version:	9.2.1-2	Trust: 1.0
vendor:	cisco	model:	asa cx context-aware security software	scope:	eq	version:	9.0.1-40	Trust: 1.0
vendor:	cisco	model:	asa cx context-aware security software	scope:	eq	version:	9.0.1	Trust: 1.0
vendor:	cisco	model:	asa cx context-aware security software	scope:	eq	version:	9.0_base	Trust: 1.0
vendor:	cisco	model:	prime security manager	scope:	eq	version:	9.0.1-40	Trust: 1.0
vendor:	cisco	model:	asa cx context-aware security software	scope:	eq	version:	9.1.2-29	Trust: 1.0
vendor:	cisco	model:	asa cx context-aware security software	scope:	eq	version:	9.2.1-4	Trust: 1.0
vendor:	cisco	model:	asa cx context-aware security software	scope:	eq	version:	9.2.1-3	Trust: 1.0
vendor:	cisco	model:	asa cx context-aware security software	scope:	eq	version:	9.1.3-10	Trust: 1.0
vendor:	cisco	model:	asa cx context-aware security software	scope:	eq	version:	9.1.3-13	Trust: 1.0
vendor:	cisco	model:	asa cx context-aware security software	scope:	eq	version:	9.1.2-42	Trust: 1.0
vendor:	cisco	model:	asa cx context-aware security software	scope:	lt	version:	9.3.1.1(112)	Trust: 0.8
vendor:	cisco	model:	prime security manager	scope:	lt	version:	9.3.1.1(112)	Trust: 0.8

sources: JVNDB: JVNDB-2016-001560 // CNNVD: CNNVD-201602-141 // NVD: CVE-2016-1301

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-1301
value:	HIGH
Trust: 1.0
NVD:	CVE-2016-1301
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201602-141
value:	HIGH
Trust: 0.6
VULHUB:	VHN-90120
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2016-1301
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-90120
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-1301
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.0

sources: VULHUB: VHN-90120 // JVNDB: JVNDB-2016-001560 // CNNVD: CNNVD-201602-141 // NVD: CVE-2016-1301

PROBLEMTYPE DATA

problemtype:	CWE-284	Trust: 1.1
problemtype:	CWE-Other	Trust: 0.8

sources: VULHUB: VHN-90120 // JVNDB: JVNDB-2016-001560 // NVD: CVE-2016-1301

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201602-141

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201602-141

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001560

PATCH

title:	cisco-sa-20160203-prsm	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160203-prsm	Trust: 0.8
title:	Cisco ASA-CX Content-Aware Security software and Cisco Prime Security Manager Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60089	Trust: 0.6

sources: JVNDB: JVNDB-2016-001560 // CNNVD: CNNVD-201602-141

EXTERNAL IDS

db:	NVD	id:	CVE-2016-1301	Trust: 2.8
db:	SECTRACK	id:	1034926	Trust: 1.1
db:	SECTRACK	id:	1034927	Trust: 1.1
db:	JVNDB	id:	JVNDB-2016-001560	Trust: 0.8
db:	CNNVD	id:	CNNVD-201602-141	Trust: 0.7
db:	BID	id:	82557	Trust: 0.3
db:	VULHUB	id:	VHN-90120	Trust: 0.1

sources: VULHUB: VHN-90120 // BID: 82557 // JVNDB: JVNDB-2016-001560 // CNNVD: CNNVD-201602-141 // NVD: CVE-2016-1301

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160203-prsm	Trust: 2.0
url:	http://www.securitytracker.com/id/1034926	Trust: 1.1
url:	http://www.securitytracker.com/id/1034927	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1301	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1301	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-90120 // BID: 82557 // JVNDB: JVNDB-2016-001560 // CNNVD: CNNVD-201602-141 // NVD: CVE-2016-1301

CREDITS

Karn Ganeshen

Trust: 0.3

sources: BID: 82557

SOURCES

db:	VULHUB	id:	VHN-90120
db:	BID	id:	82557
db:	JVNDB	id:	JVNDB-2016-001560
db:	CNNVD	id:	CNNVD-201602-141
db:	NVD	id:	CVE-2016-1301

LAST UPDATE DATE

2024-11-23T22:42:21.709000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-90120	date:	2016-12-06T00:00:00
db:	BID	id:	82557	date:	2016-07-05T21:22:00
db:	JVNDB	id:	JVNDB-2016-001560	date:	2016-03-04T00:00:00
db:	CNNVD	id:	CNNVD-201602-141	date:	2016-02-15T00:00:00
db:	NVD	id:	CVE-2016-1301	date:	2024-11-21T02:46:08.817

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-90120	date:	2016-02-07T00:00:00
db:	BID	id:	82557	date:	2016-02-03T00:00:00
db:	JVNDB	id:	JVNDB-2016-001560	date:	2016-03-04T00:00:00
db:	CNNVD	id:	CNNVD-201602-141	date:	2016-02-14T00:00:00
db:	NVD	id:	CVE-2016-1301	date:	2016-02-07T11:59:01.053