ID

VAR-201810-0336


CVE

CVE-2018-0463


TITLE

Cisco Network Services Orchestrator Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2018-013264

DESCRIPTION

A vulnerability in the Cisco Network Plug and Play server component of Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to gain unauthorized access to configuration data that is stored on an affected NSO system. The vulnerability exists because the Network Plug and Play component performs incomplete validation when configured to use secure unique device identifiers (SUDI) for authentication. An attacker who controls a Cisco device that supports SUDI authentication and has connectivity to an affected NSO system could exploit this vulnerability. The attacker would need to leverage information about the devices that are being registered on the NSO server to send crafted Cisco Network Plug and Play authentication packets to an affected system. A successful exploit could allow the attacker to gain unauthorized access to configuration data for devices that will be managed by the NSO system. Network Plug and Play server is one of the network plug and play server components.

Trust: 1.71

sources: NVD: CVE-2018-0463 // JVNDB: JVNDB-2018-013264 // VULHUB: VHN-118665

AFFECTED PRODUCTS

vendor: cisco // model: network services orchestrator // scope: eq // version: 1.2.0

Trust: 1.6

vendor: cisco // model: network services orchestrator // scope: - // version: -

Trust: 0.8

sources: JVNDB: JVNDB-2018-013264 // CNNVD: CNNVD-201809-274 // NVD: CVE-2018-0463

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-0463
value: HIGH

Trust: 1.0

NVD: CVE-2018-0463
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201809-274
value: HIGH

Trust: 0.6

VULHUB: VHN-118665
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-0463
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-118665
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-0463
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-118665 // JVNDB: JVNDB-2018-013264 // CNNVD: CNNVD-201809-274 // NVD: CVE-2018-0463

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.8

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: JVNDB: JVNDB-2018-013264 // NVD: CVE-2018-0463

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-274

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201809-274

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-013264

PATCH

title: cisco-sa-20180905-nso-infodis
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-nso-infodis

Trust: 0.8

title: Cisco Network Services Orchestrator Network Plug and Play server Fixes for component permissions licensing and access control vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=84605

Trust: 0.6

sources: JVNDB: JVNDB-2018-013264 // CNNVD: CNNVD-201809-274

EXTERNAL IDS

db: NVD // id: CVE-2018-0463

Trust: 2.5

db: JVNDB // id: JVNDB-2018-013264

Trust: 0.8

db: CNNVD // id: CNNVD-201809-274

Trust: 0.7

db: VULHUB // id: VHN-118665

Trust: 0.1

sources: VULHUB: VHN-118665 // JVNDB: JVNDB-2018-013264 // CNNVD: CNNVD-201809-274 // NVD: CVE-2018-0463

REFERENCES

url: https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180905-nso-infodis

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0463

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-0463

Trust: 0.8

sources: VULHUB: VHN-118665 // JVNDB: JVNDB-2018-013264 // CNNVD: CNNVD-201809-274 // NVD: CVE-2018-0463

SOURCES

db: VULHUB // id: VHN-118665
db: JVNDB // id: JVNDB-2018-013264
db: CNNVD // id: CNNVD-201809-274
db: NVD // id: CVE-2018-0463

LAST UPDATE DATE

2024-08-14T15:28:47.802000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-118665 // date: 2019-10-09T00:00:00
db: JVNDB // id: JVNDB-2018-013264 // date: 2019-02-18T00:00:00
db: CNNVD // id: CNNVD-201809-274 // date: 2019-10-17T00:00:00
db: NVD // id: CVE-2018-0463 // date: 2019-10-09T23:32:08.477

SOURCES RELEASE DATE

db: VULHUB // id: VHN-118665 // date: 2018-10-05T00:00:00
db: JVNDB // id: JVNDB-2018-013264 // date: 2019-02-18T00:00:00
db: CNNVD // id: CNNVD-201809-274 // date: 2018-09-06T00:00:00
db: NVD // id: CVE-2018-0463 // date: 2018-10-05T14:29:04.247