A vulnerability in the Cisco Small Business Switches software could allow an unauthenticated, remote attacker to bypass the user…
cisco·CWE-798·Published 2018-11-08
A vulnerability in the Cisco Small Business Switches software could allow an unauthenticated, remote attacker to bypass the user authentication mechanism of an affected device. The vulnerability exists because under specific circumstances, the affected software enables a privileged user account without notifying administrators of the system. An attacker could exploit this vulnerability by using this account to log in to an affected device and execute commands with full admin rights. Cisco has not released software updates that address this vulnerability. This advisory will be updated with fixed software information once fixed software becomes available. There is a workaround to address this vulnerability.
A vulnerability in the Cisco Small Business Switches software could allow an unauthenticated, remote attacker to bypass the user authentication mechanism of an affected device. The vulnerability exists because under specific circumstances, the affected software enables a privileged user account without notifying administrators of the system. An attacker could exploit this vulnerability by using this account to log in to an affected device and execute commands with full admin rights. Cisco has not released software updates that address this vulnerability. This advisory will be updated with fixed software information once fixed software becomes available. There is a workaround to address this vulnerability.
Una vulnerabilidad en el software Cisco Small Business Switches podría permitir que un atacante remoto no autenticado omita el mecanismo de autenticación de usuarios de un dispositivo afectado. La vulnerabilidad existe porque, en determinadas circunstancias, el software afectado habilita una cuenta de usuario privilegiado sin notificar a los administradores del sistema. Un atacante podría explotar esta vulnerabilidad usando esta cuenta para iniciar sesión en un dispositivo afectado y ejecutar comandos con derechos de administrador total. Cisco no ha publicado ninguna actualización de software que solucione esta vulnerabilidad. Este aviso se actualizará con información de software solucionado cuando dicho software esté disponible. Existe una alternativa para solucionar esta vulnerabilidad.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 9.3 | 8.6 | 10.0 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| 3.0 | Primary | cve.org | 9.8 | — | — | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.0 | Primary | cve.org | 9.8 | — | — | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.0 | Secondary | NVD | 9.8 | 3.9 | 5.9 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Primary | NVD | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |