ID

VAR-201801-1040


CVE

CVE-2018-0089


TITLE

Cisco Policy Suite Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2018-001504

DESCRIPTION

A vulnerability in the Policy and Charging Rules Function (PCRF) of the Cisco Policy Suite (CPS) could allow an unauthenticated, remote attacker to access sensitive data. The attacker could use this information to conduct additional reconnaissance attacks. The attacker would also have to have access to the internal VLAN where CPS is deployed. The vulnerability is due to incorrect permissions of certain system files and not sufficiently protecting sensitive data that is at rest. An attacker could exploit the vulnerability by using certain tools available on the internal network interface to request and view system files. An exploit could allow the attacker to find out sensitive information about the application. Cisco Bug IDs: CSCvf77666. The vendor has confirmed this vulnerability and released it as Bug ID CSCvf77666. Information may be obtained. This may aid in further attacks. CPS provides functions such as user-based business rules and real-time management of applications and network resources. The Policy and Charging Rules Function (PCRF) is one of its policy and rule setting functional components.

Trust: 1.98

sources: NVD: CVE-2018-0089 // JVNDB: JVNDB-2018-001504 // BID: 102758 // VULHUB: VHN-118291

AFFECTED PRODUCTS

vendor: cisco // model: policy suite // scope: eq // version: 11.1.0

Trust: 1.6

vendor: cisco // model: policy suite // scope: eq // version: 10.0.0

Trust: 1.6

vendor: cisco // model: policy suite // scope: eq // version: 11.0.0

Trust: 1.6

vendor: cisco // model: policy suite // scope: - // version: -

Trust: 0.8

vendor: cisco // model: policy suite software // scope: eq // version: 0

Trust: 0.3

vendor: cisco // model: mobility services engine // scope: eq // version: 11.1

Trust: 0.3

vendor: cisco // model: mobility services engine // scope: eq // version: 11.0

Trust: 0.3

vendor: cisco // model: mobility services engine // scope: eq // version: 10.0

Trust: 0.3

sources: BID: 102758 // JVNDB: JVNDB-2018-001504 // CNNVD: CNNVD-201801-630 // NVD: CVE-2018-0089

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-0089
value: HIGH

Trust: 1.0

NVD: CVE-2018-0089
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201801-630
value: HIGH

Trust: 0.6

VULHUB: VHN-118291
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-0089
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-118291
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-0089
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-118291 // JVNDB: JVNDB-2018-001504 // CNNVD: CNNVD-201801-630 // NVD: CVE-2018-0089

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

problemtype:CWE-312

Trust: 1.1

problemtype:CWE-732

Trust: 1.1

sources: VULHUB: VHN-118291 // JVNDB: JVNDB-2018-001504 // NVD: CVE-2018-0089

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201801-630

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201801-630

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-001504

PATCH

title: cisco-sa-20180117-cps // url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-cps

Trust: 0.8

title: Cisco Policy Suite Policy and Charging Rules Function Repair measures for information disclosure vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77810

Trust: 0.6

sources: JVNDB: JVNDB-2018-001504 // CNNVD: CNNVD-201801-630

EXTERNAL IDS

db: NVD // id: CVE-2018-0089

Trust: 2.8

db: BID // id: 102758

Trust: 2.0

db: JVNDB // id: JVNDB-2018-001504

Trust: 0.8

db: CNNVD // id: CNNVD-201801-630

Trust: 0.7

db: VULHUB // id: VHN-118291

Trust: 0.1

sources: VULHUB: VHN-118291 // BID: 102758 // JVNDB: JVNDB-2018-001504 // CNNVD: CNNVD-201801-630 // NVD: CVE-2018-0089

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180117-cps

Trust: 2.0

url:http://www.securityfocus.com/bid/102758

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0089

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-0089

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-118291 // BID: 102758 // JVNDB: JVNDB-2018-001504 // CNNVD: CNNVD-201801-630 // NVD: CVE-2018-0089

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 102758

SOURCES

db: VULHUB // id: VHN-118291
db: BID // id: 102758
db: JVNDB // id: JVNDB-2018-001504
db: CNNVD // id: CNNVD-201801-630
db: NVD // id: CVE-2018-0089

LAST UPDATE DATE

2024-11-23T22:48:51.744000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-118291 // date: 2019-10-09T00:00:00
db: BID // id: 102758 // date: 2018-01-23T00:00:00
db: JVNDB // id: JVNDB-2018-001504 // date: 2018-02-22T00:00:00
db: CNNVD // id: CNNVD-201801-630 // date: 2019-10-17T00:00:00
db: NVD // id: CVE-2018-0089 // date: 2024-11-21T03:37:29.990

SOURCES RELEASE DATE

db: VULHUB // id: VHN-118291 // date: 2018-01-18T00:00:00
db: BID // id: 102758 // date: 2018-01-23T00:00:00
db: JVNDB // id: JVNDB-2018-001504 // date: 2018-02-22T00:00:00
db: CNNVD // id: CNNVD-201801-630 // date: 2018-01-22T00:00:00
db: NVD // id: CVE-2018-0089 // date: 2018-01-18T06:29:00.440