ID

VAR-201803-1369


CVE

CVE-2018-0147


TITLE

Cisco Secure Access Control System Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-002725

DESCRIPTION

A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) prior to release 5.8 patch 9 could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary commands on the device with root privileges. Cisco Bug IDs: CSCvh25988. Vendors have confirmed this vulnerability Bug ID CSCvh25988 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. CiscoSecureAccessControlSystem is a policy-based enterprise access and network device management control platform. A Java deserialization vulnerability exists in CiscoSecureAccessControlSystem. Failed exploits will result in denial-of-service conditions

Trust: 2.61

sources: NVD: CVE-2018-0147 // JVNDB: JVNDB-2018-002725 // CNVD: CNVD-2018-06715 // BID: 103328 // VULHUB: VHN-118349 // VULMON: CVE-2018-0147

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-06715

AFFECTED PRODUCTS

vendor:ciscomodel:secure access control systemscope:eqversion:5.2\(0.3\)

Trust: 1.6

vendor:ciscomodel:secure access control system softwarescope:ltversion:5.8 patch 9

Trust: 0.8

vendor:ciscomodel:secure access control system patchscope:ltversion:5.89

Trust: 0.6

vendor:ciscomodel:secure access control systemscope:eqversion:5.6

Trust: 0.3

vendor:ciscomodel:secure access control systemscope:eqversion:5.5

Trust: 0.3

vendor:ciscomodel:secure access control systemscope:eqversion:5.4.0.46.6

Trust: 0.3

vendor:ciscomodel:secure access control systemscope:eqversion:5.4.0.46.5

Trust: 0.3

vendor:ciscomodel:secure access control systemscope:eqversion:5.4.0.46.4

Trust: 0.3

vendor:ciscomodel:secure access control systemscope:eqversion:5.4.0.46.3

Trust: 0.3

vendor:ciscomodel:secure access control systemscope:eqversion:5.4.0.46.2

Trust: 0.3

vendor:ciscomodel:secure access control systemscope:eqversion:5.4.0.46.1

Trust: 0.3

vendor:ciscomodel:secure access control systemscope:eqversion:5.4

Trust: 0.3

vendor:ciscomodel:secure access control systemscope:eqversion:5.3.0.6

Trust: 0.3

vendor:ciscomodel:secure access control system patchscope:neversion:5.89

Trust: 0.3

sources: CNVD: CNVD-2018-06715 // BID: 103328 // JVNDB: JVNDB-2018-002725 // CNNVD: CNNVD-201803-261 // NVD: CVE-2018-0147

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-0147
value: CRITICAL

Trust: 1.0

NVD: CVE-2018-0147
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2018-06715
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201803-261
value: CRITICAL

Trust: 0.6

VULHUB: VHN-118349
value: HIGH

Trust: 0.1

VULMON: CVE-2018-0147
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-0147
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2018-06715
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-118349
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-0147
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2018-0147
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2018-06715 // VULHUB: VHN-118349 // VULMON: CVE-2018-0147 // JVNDB: JVNDB-2018-002725 // CNNVD: CNNVD-201803-261 // NVD: CVE-2018-0147

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

problemtype:CWE-502

Trust: 1.9

sources: VULHUB: VHN-118349 // JVNDB: JVNDB-2018-002725 // NVD: CVE-2018-0147

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201803-261

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201803-261

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-002725

PATCH

title:cisco-sa-20180307-acs2url:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs2

Trust: 0.8

title:Patch for CiscoSecureAccessControlSystemJava Deserialization Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/124333

Trust: 0.6

title:Cisco Secure Access Control System Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=78994

Trust: 0.6

title:Cisco: Cisco Secure Access Control System Java Deserialization Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20180307-acs2

Trust: 0.1

title:Java-Deserialization-CVEsurl:https://github.com/PalindromeLabs/Java-Deserialization-CVEs

Trust: 0.1

title:The Registerurl:https://www.theregister.co.uk/2018/03/08/cisco_security_patches/

Trust: 0.1

sources: CNVD: CNVD-2018-06715 // VULMON: CVE-2018-0147 // JVNDB: JVNDB-2018-002725 // CNNVD: CNNVD-201803-261

EXTERNAL IDS

db:NVDid:CVE-2018-0147

Trust: 3.5

db:BIDid:103328

Trust: 2.1

db:SECTRACKid:1040463

Trust: 1.8

db:JVNDBid:JVNDB-2018-002725

Trust: 0.8

db:CNVDid:CNVD-2018-06715

Trust: 0.6

db:CNNVDid:CNNVD-201803-261

Trust: 0.6

db:VULHUBid:VHN-118349

Trust: 0.1

db:VULMONid:CVE-2018-0147

Trust: 0.1

sources: CNVD: CNVD-2018-06715 // VULHUB: VHN-118349 // VULMON: CVE-2018-0147 // BID: 103328 // JVNDB: JVNDB-2018-002725 // CNNVD: CNNVD-201803-261 // NVD: CVE-2018-0147

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180307-acs2

Trust: 2.8

url:http://www.securityfocus.com/bid/103328

Trust: 1.9

url:http://www.securitytracker.com/id/1040463

Trust: 1.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0147

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-0147

Trust: 0.8

url:http://www.cisco.com/

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/502.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/palindromelabs/java-deserialization-cves

Trust: 0.1

sources: CNVD: CNVD-2018-06715 // VULHUB: VHN-118349 // VULMON: CVE-2018-0147 // BID: 103328 // JVNDB: JVNDB-2018-002725 // CNNVD: CNNVD-201803-261 // NVD: CVE-2018-0147

CREDITS

Mikhail Klyuchnikov and Yury Aleynov

Trust: 0.3

sources: BID: 103328

SOURCES

db:CNVDid:CNVD-2018-06715
db:VULHUBid:VHN-118349
db:VULMONid:CVE-2018-0147
db:BIDid:103328
db:JVNDBid:JVNDB-2018-002725
db:CNNVDid:CNNVD-201803-261
db:NVDid:CVE-2018-0147

LAST UPDATE DATE

2024-11-23T22:00:39.772000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2018-06715date:2018-03-29T00:00:00
db:VULHUBid:VHN-118349date:2020-09-04T00:00:00
db:VULMONid:CVE-2018-0147date:2020-09-04T00:00:00
db:BIDid:103328date:2018-03-07T00:00:00
db:JVNDBid:JVNDB-2018-002725date:2018-04-26T00:00:00
db:CNNVDid:CNNVD-201803-261date:2019-10-17T00:00:00
db:NVDid:CVE-2018-0147date:2024-11-21T03:37:36.570

SOURCES RELEASE DATE

db:CNVDid:CNVD-2018-06715date:2018-03-29T00:00:00
db:VULHUBid:VHN-118349date:2018-03-08T00:00:00
db:VULMONid:CVE-2018-0147date:2018-03-08T00:00:00
db:BIDid:103328date:2018-03-07T00:00:00
db:JVNDBid:JVNDB-2018-002725date:2018-04-26T00:00:00
db:CNNVDid:CNNVD-201803-261date:2018-03-09T00:00:00
db:NVDid:CVE-2018-0147date:2018-03-08T07:29:00.377