Details of VAR-201608-0237

ID

VAR-201608-0237

CVE

CVE-2016-1458

TITLE

Cisco Firepower Management Center and ASA 5500-X Series with FirePOWER Services of Web base GUI Vulnerability in expanding user account privileges

Trust: 0.8

sources: JVNDB: JVNDB-2016-004413

DESCRIPTION

The web-based GUI in Cisco Firepower Management Center 4.x and 5.x before 5.3.0.3, 5.3.1.x before 5.3.1.2, and 5.4.x before 5.4.0.1 and Cisco Adaptive Security Appliance (ASA) Software on 5500-X devices with FirePOWER Services 4.x and 5.x before 5.3.0.3, 5.3.1.x before 5.3.1.2, and 5.4.x before 5.4.0.1 allows remote authenticated users to increase user-account privileges via crafted HTTP requests, aka Bug ID CSCur25483. Vendors have confirmed this vulnerability Bug ID CSCur25483 It is released as.Crafted by remotely authenticated users HTTP User account privileges may be expanded through requests. An attacker can exploit this issue to gain elevated privileges on an affected device. This issue is being tracked by Cisco Bug ID CSCur25483

Trust: 1.98

sources: NVD: CVE-2016-1458 // JVNDB: JVNDB-2016-004413 // BID: 92512 // VULHUB: VHN-90277

AFFECTED PRODUCTS

vendor:	cisco	model:	firepower management center	scope:	eq	version:	5.3.1	Trust: 1.7
vendor:	cisco	model:	firepower management center	scope:	eq	version:	4.10.3	Trust: 1.7
vendor:	cisco	model:	firepower management center	scope:	eq	version:	5.2.0	Trust: 1.4
vendor:	cisco	model:	firepower management center	scope:	eq	version:	5.3.0	Trust: 1.4
vendor:	cisco	model:	firepower management center	scope:	eq	version:	5.4.0	Trust: 1.4
vendor:	cisco	model:	secure firewall management center	scope:	eq	version:	4.10.3	Trust: 1.0
vendor:	cisco	model:	secure firewall management center	scope:	eq	version:	5.3.0	Trust: 1.0
vendor:	cisco	model:	secure firewall management center	scope:	eq	version:	5.3.1	Trust: 1.0
vendor:	cisco	model:	secure firewall management center	scope:	eq	version:	5.2.0	Trust: 1.0
vendor:	cisco	model:	secure firewall management center	scope:	eq	version:	5.4.0	Trust: 1.0
vendor:	cisco	model:	asa 5500-x series with firepower services	scope:	eq	version:	4.10.3	Trust: 0.8
vendor:	cisco	model:	asa 5500-x series with firepower services	scope:	eq	version:	5.2.0	Trust: 0.8
vendor:	cisco	model:	asa 5500-x series with firepower services	scope:	eq	version:	5.3.0	Trust: 0.8
vendor:	cisco	model:	asa 5500-x series with firepower services	scope:	eq	version:	5.3.1	Trust: 0.8
vendor:	cisco	model:	asa 5500-x series with firepower services	scope:	eq	version:	5.4.0	Trust: 0.8
vendor:	cisco	model:	firepower management center	scope:	eq	version:	5.4	Trust: 0.3
vendor:	cisco	model:	firepower management center	scope:	eq	version:	5.3	Trust: 0.3
vendor:	cisco	model:	firepower management center	scope:	eq	version:	5.2	Trust: 0.3
vendor:	cisco	model:	asa series with firepower service	scope:	eq	version:	5500-x5.4	Trust: 0.3
vendor:	cisco	model:	asa series with firepower service	scope:	eq	version:	5500-x5.3.1	Trust: 0.3
vendor:	cisco	model:	asa series with firepower service	scope:	eq	version:	5500-x5.3	Trust: 0.3
vendor:	cisco	model:	asa series with firepower service	scope:	eq	version:	5500-x5.2	Trust: 0.3
vendor:	cisco	model:	asa series with firepower service	scope:	eq	version:	5500-x4.10.3	Trust: 0.3
vendor:	cisco	model:	firepower management center	scope:	ne	version:	6.0	Trust: 0.3
vendor:	cisco	model:	firepower management center	scope:	ne	version:	5.4.1	Trust: 0.3
vendor:	cisco	model:	firepower management center	scope:	ne	version:	5.4.0.1	Trust: 0.3
vendor:	cisco	model:	firepower management center	scope:	ne	version:	5.3.1.2	Trust: 0.3
vendor:	cisco	model:	firepower management center	scope:	ne	version:	5.3.0.3	Trust: 0.3
vendor:	cisco	model:	asa series with firepower service	scope:	ne	version:	5500-x6.0	Trust: 0.3
vendor:	cisco	model:	asa series with firepower service	scope:	ne	version:	5500-x5.4.1	Trust: 0.3
vendor:	cisco	model:	asa series with firepower service	scope:	ne	version:	5500-x5.4.0.1	Trust: 0.3
vendor:	cisco	model:	asa series with firepower service	scope:	ne	version:	5500-x5.3.1.2	Trust: 0.3
vendor:	cisco	model:	asa series with firepower service	scope:	ne	version:	5500-x5.3.0.3	Trust: 0.3

sources: BID: 92512 // JVNDB: JVNDB-2016-004413 // CNNVD: CNNVD-201608-332 // NVD: CVE-2016-1458

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-1458
value:	HIGH
Trust: 1.0
NVD:	CVE-2016-1458
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201608-332
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-90277
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2016-1458
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-90277
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-1458
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-90277 // JVNDB: JVNDB-2016-004413 // CNNVD: CNNVD-201608-332 // NVD: CVE-2016-1458

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-90277 // JVNDB: JVNDB-2016-004413 // NVD: CVE-2016-1458

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201608-332

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201608-332

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-004413

PATCH

title:	cisco-sa-20160817-firepower	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-firepower	Trust: 0.8
title:	Cisco Firepower Management Center and ASA 5500-X Series with FirePOWER Services Repair measures for privilege escalation	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=63698	Trust: 0.6

sources: JVNDB: JVNDB-2016-004413 // CNNVD: CNNVD-201608-332

EXTERNAL IDS

db:	NVD	id:	CVE-2016-1458	Trust: 2.8
db:	BID	id:	92512	Trust: 2.0
db:	JVNDB	id:	JVNDB-2016-004413	Trust: 0.8
db:	CNNVD	id:	CNNVD-201608-332	Trust: 0.7
db:	VULHUB	id:	VHN-90277	Trust: 0.1

sources: VULHUB: VHN-90277 // BID: 92512 // JVNDB: JVNDB-2016-004413 // CNNVD: CNNVD-201608-332 // NVD: CVE-2016-1458

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160817-firepower	Trust: 2.0
url:	http://www.securityfocus.com/bid/92512	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1458	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1458	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-90277 // BID: 92512 // JVNDB: JVNDB-2016-004413 // CNNVD: CNNVD-201608-332 // NVD: CVE-2016-1458

CREDITS

Cisco

Trust: 0.9

sources: BID: 92512 // CNNVD: CNNVD-201608-332

SOURCES

db:	VULHUB	id:	VHN-90277
db:	BID	id:	92512
db:	JVNDB	id:	JVNDB-2016-004413
db:	CNNVD	id:	CNNVD-201608-332
db:	NVD	id:	CVE-2016-1458

LAST UPDATE DATE

2024-11-27T22:53:47.203000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-90277	date:	2016-11-28T00:00:00
db:	BID	id:	92512	date:	2016-08-17T00:00:00
db:	JVNDB	id:	JVNDB-2016-004413	date:	2016-08-22T00:00:00
db:	CNNVD	id:	CNNVD-201608-332	date:	2016-08-19T00:00:00
db:	NVD	id:	CVE-2016-1458	date:	2024-11-26T16:09:02.407

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-90277	date:	2016-08-18T00:00:00
db:	BID	id:	92512	date:	2016-08-17T00:00:00
db:	JVNDB	id:	JVNDB-2016-004413	date:	2016-08-22T00:00:00
db:	CNNVD	id:	CNNVD-201608-332	date:	2016-08-18T00:00:00
db:	NVD	id:	CVE-2016-1458	date:	2016-08-18T19:59:02.537