PT-2017-17263 · Cisco · Cisco Openstack+2
Published: 2017-07-06 · Updated: 2019-10-09
CVE-2017-6709
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Cisco Ultra Services Framework versions prior to 5.0.3 and 5.1
Description
A vulnerability exists in the AutoVNF tool that allows an unauthenticated, remote attacker to access administrative credentials for Cisco Elastic Services Controller (ESC) and Cisco OpenStack deployments. The issue arises because the affected software logs administrative credentials in clear text for deployment purposes. An attacker can exploit this by accessing the AutoVNF URL where the log files are stored and reading the administrative credentials recorded in clear text in those files.
Recommendations
For versions prior to 5.0.3, update to Release 5.0.3 or later to resolve the issue.
For versions prior to 5.1, update to Release 5.1 or later to resolve the issue.
As a temporary workaround, consider restricting access to the AutoVNF URL where log files are stored to minimize the risk of exploitation.
Fix
Insufficiently Protected Credentials
Information Disclosure
Insertion into Log File
Related Identifiers
Affected Products
Cisco Elastic Services Controller
Cisco Openstack
Cisco Ultra Services Framework