Sign-up

ID

VAR-201602-0045


CVE

CVE-2016-1302


TITLE

Cisco Application Policy Infrastructure Controller Device software and Nexus 9000 ACI Mode In switch software RBAC Vulnerabilities bypassing restrictions

Trust: 0.8

sources: JVNDB: JVNDB-2016-001606

DESCRIPTION

Cisco Application Policy Infrastructure Controller (APIC) devices with software before 1.0(3h) and 1.1 before 1.1(1j) and Nexus 9000 ACI Mode switches with software before 11.0(3h) and 11.1 before 11.1(1j) allow remote authenticated users to bypass intended RBAC restrictions via crafted REST requests, aka Bug ID CSCut12998. Vendors report this vulnerability Bug ID CSCut12998 Published as. Supplementary information : CWE Vulnerability types by CWE-284: Improper Access Control ( Improper access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlCrafted by a remotely authenticated user REST Via a request, RBAC Restrictions may be bypassed. Cisco ApplicationPolicyInfrastructureControllers and CiscoNexus9000SeriesACIModeSwitches are products of Cisco. The former is a controller that automates the management of application-centric infrastructure (ACI). The latter is a 9000 series switch for Application-Centric Infrastructure (ACI). Security vulnerabilities exist in CiscoAPIC and Nexus9000ACIModeSwitches, which can be exploited by remote attackers to bypass established RBAC restrictions by sending specially crafted REST requests. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may aid in further attacks

Trust: 2.52

sources: NVD: CVE-2016-1302 // JVNDB: JVNDB-2016-001606 // CNVD: CNVD-2016-01453 // BID: 82549 // VULHUB: VHN-90121

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-01453

AFFECTED PRODUCTS

vendor:ciscomodel:nx-osscope:eqversion:base

Trust: 1.8

vendor:zzincmodel:keymousescope:eqversion:3.08

Trust: 1.0

vendor:samsungmodel:x14jscope:eqversion:t-ms14jakucb-1102.5

Trust: 1.0

vendor:sunmodel:opensolarisscope:eqversion:snv_124

Trust: 1.0

vendor:zyxelmodel:gs1900-10hpscope:ltversion:2.50\(aazi.0\)c0

Trust: 1.0

vendor:ciscomodel:nx-osscope:eqversion:11.0(1d)

Trust: 0.8

vendor:ciscomodel:nexus 9000 seriesscope:eqversion:aci mode switch 11.1(1j)

Trust: 0.8

vendor:ciscomodel:nexus 9000 seriesscope:ltversion:11.1

Trust: 0.8

vendor:ciscomodel:nx-osscope:eqversion:11.0(2m)

Trust: 0.8

vendor:ciscomodel:nx-osscope:eqversion:11.0(3f)

Trust: 0.8

vendor:ciscomodel:nx-osscope:eqversion:11.0(1b)

Trust: 0.8

vendor:ciscomodel:application policy infrastructure controller softwarescope:ltversion:1.1

Trust: 0.8

vendor:ciscomodel:nx-osscope:eqversion:11.0(1c)

Trust: 0.8

vendor:ciscomodel:nx-osscope:eqversion:11.0(2j)

Trust: 0.8

vendor:ciscomodel:nx-osscope:eqversion:11.0(1e)

Trust: 0.8

vendor:ciscomodel:application policy infrastructure controller softwarescope:eqversion:1.1(1j)

Trust: 0.8

vendor:ciscomodel:application policy infrastructure controller <1.0scope: - version: -

Trust: 0.6

vendor:ciscomodel:application policy infrastructure controller 1.1 )scope: - version: -

Trust: 0.6

vendor:ciscomodel:nexus aci mode switches with software <11.0scope:eqversion:9000

Trust: 0.6

vendor:ciscomodel:nexus aci mode switches with software 11.1 )scope:eqversion:9000

Trust: 0.6

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:1.0\\\(2j\\\)

Trust: 0.6

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:1.0\\\(1n\\\)

Trust: 0.6

vendor:ciscomodel:nexus 9516scope:eqversion: -

Trust: 0.6

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:1.0\\\(1e\\\)

Trust: 0.6

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:1.0\\\(1k\\\)

Trust: 0.6

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:1.0\\\(1h\\\)

Trust: 0.6

vendor:ciscomodel:nexus 9504scope:eqversion: -

Trust: 0.6

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:1.0\\\(2m\\\)

Trust: 0.6

vendor:ciscomodel:nexus 9508scope:eqversion: -

Trust: 0.6

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:1.0\\\(3f\\\)

Trust: 0.6

sources: CNVD: CNVD-2016-01453 // JVNDB: JVNDB-2016-001606 // CNNVD: CNNVD-201602-142 // NVD: CVE-2016-1302

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-1302
value: HIGH

Trust: 1.0

NVD: CVE-2016-1302
value: HIGH

Trust: 0.8

CNVD: CNVD-2016-01453
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201602-142
value: CRITICAL

Trust: 0.6

VULHUB: VHN-90121
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2016-1302
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-01453
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.8
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-90121
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-1302
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

sources: CNVD: CNVD-2016-01453 // VULHUB: VHN-90121 // JVNDB: JVNDB-2016-001606 // CNNVD: CNNVD-201602-142 // NVD: CVE-2016-1302

PROBLEMTYPE DATA

problemtype:CWE-284

Trust: 1.1

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-90121 // JVNDB: JVNDB-2016-001606 // NVD: CVE-2016-1302

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201602-142

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201602-142

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-001606

PATCH
title:cisco-sa-20160203-apicurl:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160203-apic
Trust: 0.8
title:CiscoApplicationPolicyInfrastructureController and Nexus9000ACIModeSwitches security bypass vulnerability patchesurl:https://www.cnvd.org.cn/patchInfo/show/72203
Trust: 0.6
title:Cisco Application Policy Infrastructure Controller  and Nexus 9000 ACI Mode Switches Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60090
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2016-01453 // 
            
            
            
            JVNDB: JVNDB-2016-001606 // 
            
            
            
            CNNVD: CNNVD-201602-142

EXTERNAL IDS
db:NVDid:CVE-2016-1302
Trust: 3.4
db:SECTRACKid:1034925
Trust: 1.1
db:JVNDBid:JVNDB-2016-001606
Trust: 0.8
db:CNNVDid:CNNVD-201602-142
Trust: 0.7
db:CNVDid:CNVD-2016-01453
Trust: 0.6
db:BIDid:82549
Trust: 0.3
db:VULHUBid:VHN-90121
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2016-01453 // 
            
            
            
            VULHUB: VHN-90121 // 
            
            
            
            BID: 82549 // 
            
            
            
            JVNDB: JVNDB-2016-001606 // 
            
            
            
            CNNVD: CNNVD-201602-142 // 
            
            
            
            NVD: CVE-2016-1302

REFERENCES
url:http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160203-apic
Trust: 2.6
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1302
Trust: 1.4
url:http://www.securitytracker.com/id/1034925
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1302
Trust: 0.8
url:http://www.cisco.com/
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2016-01453 // 
            
            
            
            VULHUB: VHN-90121 // 
            
            
            
            BID: 82549 // 
            
            
            
            JVNDB: JVNDB-2016-001606 // 
            
            
            
            CNNVD: CNNVD-201602-142 // 
            
            
            
            NVD: CVE-2016-1302

CREDITS
Cisco
Trust: 0.3
sources:
            
            
            BID: 82549

SOURCES
db:CNVDid:CNVD-2016-01453
db:VULHUBid:VHN-90121
db:BIDid:82549
db:JVNDBid:JVNDB-2016-001606
db:CNNVDid:CNNVD-201602-142
db:NVDid:CVE-2016-1302

LAST UPDATE DATE
2024-11-23T22:52:41.792000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2016-01453date:2016-03-04T00:00:00
db:VULHUBid:VHN-90121date:2016-12-06T00:00:00
db:BIDid:82549date:2016-07-05T21:22:00
db:JVNDBid:JVNDB-2016-001606date:2016-03-16T00:00:00
db:CNNVDid:CNNVD-201602-142date:2016-02-15T00:00:00
db:NVDid:CVE-2016-1302date:2024-11-21T02:46:08.933

SOURCES RELEASE DATE
db:CNVDid:CNVD-2016-01453date:2016-03-04T00:00:00
db:VULHUBid:VHN-90121date:2016-02-07T00:00:00
db:BIDid:82549date:2016-02-03T00:00:00
db:JVNDBid:JVNDB-2016-001606date:2016-03-08T00:00:00
db:CNNVDid:CNNVD-201602-142date:2016-02-14T00:00:00
db:NVDid:CVE-2016-1302date:2016-02-07T11:59:01.943