PT-2018-1030 · Cisco · Cisco Elastic Services Controller

Published: 2018-02-21 · Updated: 2019-10-09 · CVE-2018-0121

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Cisco Elastic Services Controller Software Release 3.0.0

Description: A vulnerability in the authentication functionality of the web-based service portal could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrator privileges on an affected system. The issue is due to improper security restrictions imposed by the web-based service portal. An attacker could exploit this by submitting an empty password value when prompted to enter an administrative password, potentially gaining administrator privileges for the web-based service portal.

Recommendations: For Cisco Elastic Services Controller Software Release 3.0.0, consider restricting access to the web-based service portal until a fix is available, and avoid using empty password values to prevent exploitation. As a temporary workaround, consider disabling the administrative password prompt for the portal until a patch is available.
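The weakness class here (CWE "Improper Authentication", triggered by an empty password) is easiest to see in code. The following is an added, hypothetical illustration written for this entry, not Cisco's code: a login handler in which an empty password skips verification, beside a hardened handler that rejects empty credentials up front and always verifies against a salted PBKDF2 hash. The user store, account name and password are constructed sample data.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (32-byte digest)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed sample store: a single administrative account.
_SALT = os.urandom(16)
USERS = {"admin": {"salt": _SALT, "hash": _hash("correct horse", _SALT)}}

# Dummy digest so unknown users still cost one hash computation.
_DUMMY_HASH = b"\x00" * 32


def login_vulnerable(user: str, password: str) -> bool:
    """Hypothetical flawed handler. An empty password is interpreted as
    'no password to check' and the function returns success without ever
    comparing anything, i.e. the authentication bypass this entry describes."""
    rec = USERS.get(user)
    if rec is None:
        return False
    if not password:  # BUG: empty input falls through to success
        return True
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])


def login_hardened(user: str, password: str) -> bool:
    """Hardened handler: empty user or password is rejected before any
    lookup, the hash is always computed (known or unknown user) so timing
    does not reveal valid account names, and comparison is constant-time."""
    if not user or not password:
        return False
    rec = USERS.get(user)
    salt = rec["salt"] if rec else _SALT
    expected = rec["hash"] if rec else _DUMMY_HASH
    matches = hmac.compare_digest(_hash(password, salt), expected)
    return matches and rec is not None
```

The hardened variant also gives a single place to log every rejected attempt with an empty password field, which is the indicator a defender would want to alert on for a portal of this kind.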

Weakness Enumeration

Improper Authentication

Related Identifiers

BDU:2018-00325
CVE-2018-0121

Affected Products

Cisco Elastic Services Controller