Sign-up

ID

VAR-201803-1372


CVE

CVE-2018-0152


TITLE

Cisco IOS XE software Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2018-003424

DESCRIPTION

A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to gain elevated privileges on an affected device. The vulnerability exists because the affected software does not reset the privilege level for each web UI session. An attacker who has valid credentials for an affected device could exploit this vulnerability by remotely accessing a VTY line to the device. A successful exploit could allow the attacker to access an affected device with the privileges of the user who previously logged in to the web UI. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software, if the HTTP Server feature is enabled and authentication, authorization, and accounting (AAA) authorization is not configured for EXEC sessions. The default state of the HTTP Server feature is version-dependent. This vulnerability was introduced in Cisco IOS XE Software Release 16.1.1. Cisco Bug IDs: CSCvf71769. Vendors have confirmed this vulnerability Bug ID CSCvf71769 It is released as.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state

Trust: 1.98

sources: NVD: CVE-2018-0152 // JVNDB: JVNDB-2018-003424 // BID: 103558 // VULHUB: VHN-118354

AFFECTED PRODUCTS

vendor:ciscomodel:ios xescope:eqversion:16.1.1

Trust: 2.4

vendor:ciscomodel:iosscope: - version: -

Trust: 0.8

vendor:ciscomodel:iosscope:eqversion:everest-16.6.1

Trust: 0.6

vendor:ciscomodel:iosscope:eqversion:16.6.1

Trust: 0.6

vendor:ciscomodel:ios xe softwarescope:eqversion:16.1.1

Trust: 0.3

vendor:ciscomodel:ios everest-16.6.1scope: - version: -

Trust: 0.3

vendor:ciscomodel:iosscope:eqversion:16.1.1

Trust: 0.3

sources: BID: 103558 // JVNDB: JVNDB-2018-003424 // CNNVD: CNNVD-201803-1037 // NVD: CVE-2018-0152

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-0152
value: HIGH

Trust: 1.0

NVD: CVE-2018-0152
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201803-1037
value: HIGH

Trust: 0.6

VULHUB: VHN-118354
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-0152
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-118354
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-0152
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2018-0152
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-118354 // JVNDB: JVNDB-2018-003424 // CNNVD: CNNVD-201803-1037 // NVD: CVE-2018-0152

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

problemtype:CWE-613

Trust: 1.1

sources: VULHUB: VHN-118354 // JVNDB: JVNDB-2018-003424 // NVD: CVE-2018-0152

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201803-1037

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201803-1037

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-003424

PATCH
title:cisco-sa-20180328-xeprivurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-xepriv
Trust: 0.8
title:Cisco IOS XE Software Fixes for permission permissions and access control vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=79505
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2018-003424 // 
            
            
            
            CNNVD: CNNVD-201803-1037

EXTERNAL IDS
db:NVDid:CVE-2018-0152
Trust: 2.8
db:BIDid:103558
Trust: 2.0
db:SECTRACKid:1040597
Trust: 1.7
db:JVNDBid:JVNDB-2018-003424
Trust: 0.8
db:CNNVDid:CNNVD-201803-1037
Trust: 0.7
db:VULHUBid:VHN-118354
Trust: 0.1
sources:
            
            
            VULHUB: VHN-118354 // 
            
            
            
            BID: 103558 // 
            
            
            
            JVNDB: JVNDB-2018-003424 // 
            
            
            
            CNNVD: CNNVD-201803-1037 // 
            
            
            
            NVD: CVE-2018-0152

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180328-xepriv
Trust: 2.0
url:http://www.securityfocus.com/bid/103558
Trust: 1.7
url:http://www.securitytracker.com/id/1040597
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0152
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-0152
Trust: 0.8
url:http://www.cisco.com/
Trust: 0.3
sources:
            
            
            VULHUB: VHN-118354 // 
            
            
            
            BID: 103558 // 
            
            
            
            JVNDB: JVNDB-2018-003424 // 
            
            
            
            CNNVD: CNNVD-201803-1037 // 
            
            
            
            NVD: CVE-2018-0152

CREDITS
Cisco
Trust: 0.3
sources:
            
            
            BID: 103558

SOURCES
db:VULHUBid:VHN-118354
db:BIDid:103558
db:JVNDBid:JVNDB-2018-003424
db:CNNVDid:CNNVD-201803-1037
db:NVDid:CVE-2018-0152

LAST UPDATE DATE
2024-11-23T22:41:57.589000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-118354date:2019-12-03T00:00:00
db:BIDid:103558date:2018-03-28T00:00:00
db:JVNDBid:JVNDB-2018-003424date:2018-05-23T00:00:00
db:CNNVDid:CNNVD-201803-1037date:2019-10-17T00:00:00
db:NVDid:CVE-2018-0152date:2024-11-21T03:37:37.193

SOURCES RELEASE DATE
db:VULHUBid:VHN-118354date:2018-03-28T00:00:00
db:BIDid:103558date:2018-03-28T00:00:00
db:JVNDBid:JVNDB-2018-003424date:2018-05-23T00:00:00
db:CNNVDid:CNNVD-201803-1037date:2018-03-29T00:00:00
db:NVDid:CVE-2018-0152date:2018-03-28T22:29:00.343