Mobility Services Engine
CVE-2018-0134
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
A vulnerability in the RADIUS authentication module of Cisco Policy Suite could allow an unauthenticated, remote attacker to determine whether a subscriber username is valid. The vulnerability occurs because the Cisco Policy Suite RADIUS server component returns different authentication failure messages based on the validity of usernames. An attacker could use these messages to determine whether a valid subscriber username has been identified. The attacker could use this information in subsequent attacks against the system. Cisco Bug IDs: CSCvg47830.
AnalysisAI
A vulnerability in the RADIUS authentication module of Cisco Policy Suite could allow an unauthenticated, remote attacker to determine whether a subscriber username is valid. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. A vulnerability in the RADIUS authentication module of Cisco Policy Suite could allow an unauthenticated, remote attacker to determine whether a subscriber username is valid. The vulnerability occurs because the Cisco Policy Suite RADIUS server component returns different authentication failure messages based on the validity of usernames. An attacker could use these messages to determine whether a valid subscriber username has been identified. The attacker could use this information in subsequent attacks against the system. Cisco Bug IDs: CSCvg47830. Affected products include: Cisco Mobility Services Engine.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
More in Mobility Services Engine
View allA vulnerability in the Open Systems Gateway initiative (OSGi) interface of Cisco Policy Suite before 18.1.0 could allow
A vulnerability in the Policy Builder interface of Cisco Policy Suite before 18.2.0 could allow an unauthenticated, remo
A vulnerability in the Cluster Manager of Cisco Policy Suite before 18.2.0 could allow an unauthenticated, remote attack
A vulnerability in the Policy Builder database of Cisco Policy Suite before 18.2.0 could allow an unauthenticated, remot
A vulnerability in the RADIUS authentication module of Cisco Policy Suite could allow an unauthenticated, remote attacke
Cisco Mobility Services Engine (MSE) through 8.0.120.7 uses weak permissions for unspecified binary files, which allows
A vulnerability in the CLI command parser of the Cisco Mobility Express 2800 and 3800 Series Wireless LAN Controllers co
The default configuration of sshd_config in Cisco Mobility Services Engine (MSE) through 8.0.120.7 allows logins by the
Cisco Mobility Services Engine does not properly set up the Oracle SSL service, which allows remote attackers to obtain
Cisco Mobility Services Engine (MSE) 8.0(110.0) allows remote authenticated users to discover the passwords of arbitrary
The Control and Provisioning functionality in Cisco Mobility Services Engine (MSE) 10.0(0.1) allows remote authenticated
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today