SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   Cisco Application Control Engine
Vendors:   Cisco
Cisco Application Control Engine IP Address Overlap May Let Remote Authenticated Administrators Login to the Incorrect Context
SecurityTracker Alert ID:  1027188
SecurityTracker URL:  http://securitytracker.com/id/1027188
CVE Reference:   CVE-2012-3063
Date:  Jun 20 2012
Impact:   User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to versions A4(2.3) and A5(1.1)
Description:   A vulnerability was reported in Cisco Application Control Engine. A remote authenticated user may log in to the incorrect context in certain cases.

When the Application Control Engine (ACE) is running in multicontext mode and two or more contexts are configured with the same management IP address, a remote authenticated administrative user may log in to an unintended context (virtual instance) on the ACE.

The administrative user must have valid credentials on the target context.

Cisco has assigned Cisco bug ID CSCts30631 to this vulnerability.

Impact:   A remote authenticated user may log in to the incorrect context in certain cases.
Solution:   The vendor has issued a fix (A4(2.3) and A5(1.1)).

The vendor's advisory is available at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ace

Vendor URL:  tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ace
Cause:   Access control error
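
An audit sketch for the condition described above, added here as an example and not taken from the SecurityTracker alert or Cisco's advisory: it flags devices whose contexts share a management IP address and whose release is prior to A4(2.3) or A5(1.1). The inventory layout, device names and addresses are constructed, and the handling of release trains other than A4 and A5 is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Fixed releases named in the alert, keyed by train: A4(2.3) and A5(1.1).
FIXED = {4: (2, 3), 5: (1, 1)}

def parse_version(text):
    """Parse a release string such as 'A4(2.2)' into (train, (x, y))."""
    # Assumption: a trailing lowercase letter, if present, is ignored.
    m = re.fullmatch(r"A(\d+)\((\d+)\.(\d+)[a-z]?\)", text.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    return int(m.group(1)), (int(m.group(2)), int(m.group(3)))

def is_fixed(version):
    """True if the release is at or after the fix for its train.
    Assumption: trains before A4 count as unfixed, trains after A5 as fixed."""
    train, rel = parse_version(version)
    if train > max(FIXED):
        return True
    return train in FIXED and rel >= FIXED[train]

def overlapping_mgmt_ips(contexts):
    """Map each management IP used by two or more contexts to those contexts."""
    by_ip = defaultdict(set)
    for name, ips in contexts.items():
        for ip in ips:
            # ip_address() normalises equivalent spellings (e.g. IPv6 forms).
            by_ip[ipaddress.ip_address(ip)].add(name)
    return {str(ip): sorted(n) for ip, n in by_ip.items() if len(n) > 1}

def audit(device):
    """Report overlaps and whether the device meets the alert's conditions."""
    overlaps = overlapping_mgmt_ips(device["contexts"])
    exposed = bool(overlaps) and not is_fixed(device["version"])
    return {"device": device["name"], "exposed": exposed, "overlaps": overlaps}

# Constructed inventory (not from the advisory): context name -> management IPs.
SAMPLE = [
    {"name": "ace-lab-1", "version": "A4(2.2)", "contexts": {
        "Admin": ["192.0.2.10"], "web": ["192.0.2.10"], "db": ["192.0.2.12"]}},
    {"name": "ace-lab-2", "version": "A5(1.1)", "contexts": {
        "Admin": ["192.0.2.20"], "web": ["192.0.2.20"]}},
    {"name": "ace-lab-3", "version": "A4(2.0)", "contexts": {
        "Admin": ["192.0.2.30"], "web": ["192.0.2.31"]}},
]

if __name__ == "__main__":
    for dev in SAMPLE:
        print(audit(dev))
```

Overlaps are reported even on fixed releases, since shared management addresses remain the precondition the alert describes.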

Message History:   None.


 Source Message Contents

Subject:  Cisco Security Advisory: Cisco Application Control Engine Administrator IP Address Overlap Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Application Control Engine Administrator IP Address Overlap Vulnerability

Advisory ID: cisco-sa-20120620-ace

Revision 1.0

For Public Release 2012 June 20 16:00  UTC (GMT)
+---------------------------------------------------------------------
 
Summary
=======

A vulnerability exists in Cisco Application Control Engine (ACE)
software.  Administrative users may be logged into an unintended
context (virtual instance) on the ACE when running in multicontext
mode.

Cisco has released free software updates that address this
vulnerability.  A workaround is available for this vulnerability. 

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ace
 
 



Copyright 2020, SecurityGlobal.net LLC