Skip to main content

Mobility Services Engine CVE-2018-0377

CRITICAL
Missing Authentication for Critical Function (CWE-306)
2018-07-18 psirt@cisco.com
9.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jul 18, 2018 - 23:29 nvd
CRITICAL 9.8

DescriptionNVD

A vulnerability in the Open Systems Gateway initiative (OSGi) interface of Cisco Policy Suite before 18.1.0 could allow an unauthenticated, remote attacker to directly connect to the OSGi interface. The vulnerability is due to a lack of authentication. An attacker could exploit this vulnerability by directly connecting to the OSGi interface. An exploit could allow the attacker to access or change any files that are accessible by the OSGi process. Cisco Bug IDs: CSCvh18017.

AnalysisAI

A vulnerability in the Open Systems Gateway initiative (OSGi) interface of Cisco Policy Suite before 18.1.0 could allow an unauthenticated, remote attacker to directly connect to the OSGi interface. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Missing Authentication for Critical Function (CWE-306), which allows attackers to access critical functionality without authentication. A vulnerability in the Open Systems Gateway initiative (OSGi) interface of Cisco Policy Suite before 18.1.0 could allow an unauthenticated, remote attacker to directly connect to the OSGi interface. The vulnerability is due to a lack of authentication. An attacker could exploit this vulnerability by directly connecting to the OSGi interface. An exploit could allow the attacker to access or change any files that are accessible by the OSGi process. Cisco Bug IDs: CSCvh18017. Affected products include: Cisco Mobility Services Engine, Cisco Policy Suite. Version information: before 18.1.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Require authentication for all sensitive operations, implement defense in depth.

CVE-2018-0376 CRITICAL
9.8 Jul 18

A vulnerability in the Policy Builder interface of Cisco Policy Suite before 18.2.0 could allow an unauthenticated, remo

CVE-2018-0375 CRITICAL
9.8 Jul 18

A vulnerability in the Cluster Manager of Cisco Policy Suite before 18.2.0 could allow an unauthenticated, remote attack

CVE-2018-0374 CRITICAL
9.8 Jul 18

A vulnerability in the Policy Builder database of Cisco Policy Suite before 18.2.0 could allow an unauthenticated, remot

CVE-2018-0116 HIGH
7.2 Feb 08

A vulnerability in the RADIUS authentication module of Cisco Policy Suite could allow an unauthenticated, remote attacke

CVE-2015-4282 MEDIUM
6.9 Nov 06

Cisco Mobility Services Engine (MSE) through 8.0.120.7 uses weak permissions for unspecified binary files, which allows

CVE-2016-9197 MEDIUM
6.7 Apr 07

A vulnerability in the CLI command parser of the Cisco Mobility Express 2800 and 3800 Series Wireless LAN Controllers co

CVE-2015-6316 MEDIUM
6.5 Nov 06

The default configuration of sshd_config in Cisco Mobility Services Engine (MSE) through 8.0.120.7 allows logins by the

CVE-2018-0134 MEDIUM
5.3 Feb 08

A vulnerability in the RADIUS authentication module of Cisco Policy Suite could allow an unauthenticated, remote attacke

CVE-2013-3469 MEDIUM
5.0 Sep 04

Cisco Mobility Services Engine does not properly set up the Oracle SSL service, which allows remote attackers to obtain

CVE-2015-0673 MEDIUM
4.0 Mar 26

Cisco Mobility Services Engine (MSE) 8.0(110.0) allows remote authenticated users to discover the passwords of arbitrary

CVE-2015-4263 MEDIUM
4.0 Jul 10

The Control and Provisioning functionality in Cisco Mobility Services Engine (MSE) 10.0(0.1) allows remote authenticated

Share

CVE-2018-0377 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy