The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Cisco Secure Access Control Server

vulnerability announce CVE-2015-1791

OpenSSL: use after free via NewSessionTicket

Synthesis of the vulnerability

An attacker, who own a malicious TLS server, can send the NewSessionTicket message, to force the usage of a freed memory area in a client linked to OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Impacted products: ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Prime Network Control Systems, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco Unity ~ precise, Cisco WSA, Debian, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, HP Operations, HP Switch, HP-UX, AIX, IRAD, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SBR, McAfee Email and Web Security, McAfee Email Gateway, McAfee Web Gateway, Data ONTAP, Snap Creator Framework, SnapManager, NetBSD, NetScreen Firewall, ScreenOS, Nodejs Core, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Palo Alto Firewall PA***, PAN-OS, pfSense, Pulse Connect Secure, Puppet, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu, WinSCP.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: internet client.
Creation date: 04/06/2015.
Identifiers: 1961569, 1964113, 1970103, 2003480, 2003620, 2003673, 9010038, 9010039, bulletinjul2015, c04760669, c05184351, c05353965, CERTFR-2015-AVI-431, CERTFR-2016-AVI-128, CERTFR-2016-AVI-303, cisco-sa-20150612-openssl, cpuapr2017, cpuoct2016, cpuoct2017, CTX216642, CVE-2015-1791, DSA-3287-1, FEDORA-2015-10047, FEDORA-2015-10108, FreeBSD-SA-15:10.openssl, HPSBGN03678, HPSBHF03613, HPSBUX03388, JSA10694, JSA10733, NetBSD-SA2015-008, NTAP-20150616-0001, openSUSE-SU-2015:1139-1, openSUSE-SU-2016:0640-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1115-01, SA40002, SA98, SB10122, SOL16914, SSA:2015-162-01, SSRT102180, SUSE-SU-2015:1143-1, SUSE-SU-2015:1150-1, SUSE-SU-2015:1182-2, SUSE-SU-2015:1184-1, SUSE-SU-2015:1184-2, SUSE-SU-2015:1185-1, TSB16728, USN-2639-1, VIGILANCE-VUL-17062.

Description of the vulnerability

The TLS protocol uses the NewSessionTicket message to obtain a new session ticket (RFC 5077).

The ssl3_get_new_session_ticket() function of the ssl/s3_clnt.c file implements NewSessionTicket in an OpenSSL client. However, if the client is multi-threaded, this function frees a memory area before reusing it.

An attacker, who own a malicious TLS server, can therefore send the NewSessionTicket message, to force the usage of a freed memory area in a client linked to OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2015-0746

Cisco Secure Access Control Server: denial of service via REST

Synthesis of the vulnerability

An attacker can craft network traffic to the REST API of Cisco Secure Access Control Server, in order to trigger a denial of service.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 22/05/2015.
Identifiers: 38946, CSCut62022, CVE-2015-0746, VIGILANCE-VUL-16974.

Description of the vulnerability

The Cisco Secure Access Control Server product offers a web service.

This web service exposes a REST API. However, a network traffic overload on the API can trigger a denial of service.

An attacker can therefore craft network traffic to the REST API of Cisco Secure Access Control Server, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2015-0729

Cisco Secure ACS: code execution

Synthesis of the vulnerability

An attacker can use Cisco Secure ACS, in order to execute code.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: document.
Creation date: 18/05/2015.
Identifiers: 38864, CSCuu11005, CVE-2015-0729, VIGILANCE-VUL-16930.

Description of the vulnerability

The Cisco Secure ACS product offers a web service.

However, an attacker can invite the victim to click on a link, in order to inject code on the server.

An attacker can therefore use Cisco Secure ACS, in order to execute code.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2015-0728

Cisco Secure ACS: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Cisco Secure ACS, in order to execute JavaScript code in the context of the web site.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 18/05/2015.
Identifiers: 38808, CSCuu11002, CVE-2015-0728, VIGILANCE-VUL-16929.

Description of the vulnerability

The Cisco Secure ACS product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Cisco Secure ACS, in order to execute JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2015-0700

Cisco Secure Access Control Serve: Cross Site Scripting of Dashboard

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in the Dashboard page of Cisco Secure Access Control Serve, in order to execute JavaScript code in the context of the web site.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 17/04/2015.
Identifiers: CSCuj62924, CVE-2015-0700, VIGILANCE-VUL-16648.

Description of the vulnerability

The Cisco Secure Access Control Serve product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in Dashboard of Cisco Secure Access Control Serve, in order to execute JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2015-1798 CVE-2015-1799

NTP.org: two vulnerabilities of Crypto

Synthesis of the vulnerability

An attacker can use two vulnerabilities related to cryptographic features of NTP.org.
Impacted products: Cisco ASR, Cisco ACE, ASA, Cisco Catalyst, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Debian, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP Switch, HP-UX, AIX, Meinberg NTP Server, NTP.org, openSUSE, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: data reading, data creation/edition, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 07/04/2015.
Identifiers: 2779, 2781, bulletinapr2015, c04679309, c05033748, cisco-sa-20150408-ntpd, CVE-2015-1798, CVE-2015-1799, DSA-3223-1, FEDORA-2015-5830, FEDORA-2015-5874, FreeBSD-SA-15:07.ntp, HPSBHF03557, HPSBUX03333, MDVSA-2015:202, ntp4_advisory, ntp_advisory3, openSUSE-SU-2015:0775-1, RHSA-2015:1459-01, RHSA-2015:2231-04, SOL16505, SOL16506, SSA:2015-111-08, SSRT102029, SUSE-SU-2015:1173-1, SUSE-SU-2016:1912-1, SUSE-SU-2016:2094-1, USN-2567-1, VIGILANCE-VUL-16548, VN-2015-006-NTP, VU#374268.

Description of the vulnerability

Several vulnerabilities were announced in NTP.org.

An attacker can use a message without MAC (Message Authentication Code), in order to bypass the authentication using a symmetric key. [severity:2/4; 2779, CVE-2015-1798]

An attacker can spoof a packet between two servers paired with a symmetric association, in order to trigger a denial of service. [severity:2/4; 2781, CVE-2015-1799]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2015-0286 CVE-2015-0287 CVE-2015-0289

OpenSSL 0.9/1.0.0/1.0.1: five vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL 0.9/1.0.0/1.0.1.
Impacted products: Arkoon FAST360, ArubaOS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Cisco ASR, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco CSS, Cisco ESA, IOS XE Cisco, Cisco IPS, IronPort Email, IronPort Web, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, WebNS, Cisco WSA, Debian, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FreeBSD, hMailServer, HP-UX, AIX, IRAD, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Space, Junos Space Network Management Platform, NSM Central Manager, NSMXpress, Juniper SBR, McAfee Email Gateway, ePO, McAfee NTBA, McAfee NGFW, VirusScan, McAfee Web Gateway, Data ONTAP, NetBSD, NetScreen Firewall, ScreenOS, Nodejs Core, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, pfSense, Puppet, RHEL, JBoss EAP by Red Hat, Base SAS Software, SAS SAS/CONNECT, Slackware, Splunk Enterprise, Stonesoft NGFW/VPN, SUSE Linux Enterprise Desktop, SLES, Nessus, Ubuntu, Unix (platform) ~ not comprehensive, WinSCP.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 5.
Creation date: 19/03/2015.
Identifiers: 1701334, 1902519, 1960491, 1964410, 1975397, 55767, 7043086, 9010031, ARUBA-PSA-2015-007, bulletinapr2015, c04679334, CERTFR-2015-AVI-117, CERTFR-2015-AVI-146, CERTFR-2015-AVI-169, CERTFR-2015-AVI-177, CERTFR-2015-AVI-259, CERTFR-2016-AVI-303, cisco-sa-20150320-openssl, cisco-sa-20150408-ntpd, cpuapr2017, cpuoct2016, cpuoct2017, CTX216642, CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293, DSA-3197-1, DSA-3197-2, FEDORA-2015-4300, FEDORA-2015-4303, FG-IR-15-008, FreeBSD-SA-15:06.openssl, HPSBUX03334, JSA10680, MDVSA-2015:062, MDVSA-2015:063, NetBSD-SA2015-007, NTAP-20150323-0002, openSUSE-SU-2015:0554-1, openSUSE-SU-2015:1277-1, openSUSE-SU-2015:2243-1, openSUSE-SU-2016:0638-1, openSUSE-SU-2016:0640-1, RHSA-2015:0715-01, RHSA-2015:0716-01, RHSA-2015:0752-01, RHSA-2015:0800-01, RHSA-2016:0372-01, RHSA-2016:0445-01, RHSA-2016:0446-01, RHSA-2016:0490-01, SA40001, SA92, SB10110, SOL16301, SOL16302, SOL16317, SOL16319, SOL16320, SOL16321, SOL16323, SPL-98351, SPL-98531, SSA:2015-111-09, SSRT102000, SUSE-SU-2015:0541-1, SUSE-SU-2015:0553-1, SUSE-SU-2015:0553-2, SUSE-SU-2015:0578-1, SUSE-SU-2016:0678-1, TNS-2015-04, USN-2537-1, VIGILANCE-VUL-16429.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL 0.9/1.0.0/1.0.1.

An attacker can force a read at an invalid address in ASN1_TYPE_cmp, in order to trigger a denial of service. [severity:2/4; CVE-2015-0286]

An attacker can generate a memory corruption in ASN.1, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-0287]

An attacker can force a NULL pointer to be dereferenced in PKCS#7, in order to trigger a denial of service. [severity:2/4; CVE-2015-0289]

An attacker can generate a memory corruption with base64 data, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-0292]

An attacker can generate an OPENSSL_assert, in order to trigger a denial of service. [severity:2/4; CVE-2015-0293]
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2015-0288

OpenSSL: NULL pointer dereference via X509_to_X509_REQ

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced in X509_to_X509_REQ() of OpenSSL, in order to trigger a denial of service.
Impacted products: Arkoon FAST360, ProxySG par Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Cisco ASR, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco CSS, Cisco ESA, IOS XE Cisco, Cisco IPS, IronPort Email, IronPort Web, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, WebNS, Cisco WSA, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, hMailServer, HP-UX, AIX, IRAD, Tivoli Workload Scheduler, Juniper J-Series, Junos OS, Junos Space, Junos Space Network Management Platform, NSM Central Manager, NSMXpress, Juniper SBR, McAfee Email Gateway, ePO, McAfee NTBA, McAfee NGFW, VirusScan, McAfee Web Gateway, Data ONTAP, NetBSD, NetScreen Firewall, ScreenOS, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, pfSense, RHEL, Base SAS Software, SAS SAS/CONNECT, Slackware, Splunk Enterprise, Stonesoft NGFW/VPN, SUSE Linux Enterprise Desktop, SLES, Nessus, Ubuntu, Unix (platform) ~ not comprehensive, WinSCP.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Creation date: 09/03/2015.
Identifiers: 1701334, 1964410, 55767, 9010031, c04679334, CERTFR-2015-AVI-089, CERTFR-2015-AVI-117, CERTFR-2015-AVI-146, CERTFR-2015-AVI-177, CERTFR-2015-AVI-259, CERTFR-2016-AVI-303, cisco-sa-20150320-openssl, cisco-sa-20150408-ntpd, cpuoct2017, CTX216642, CVE-2015-0288, DSA-3197-1, DSA-3197-2, FEDORA-2015-4300, FEDORA-2015-4303, FEDORA-2015-6855, FreeBSD-SA-15:06.openssl, HPSBUX03334, JSA10680, MDVSA-2015:062, MDVSA-2015:063, NetBSD-SA2015-007, NTAP-20150323-0002, openSUSE-SU-2015:0554-1, openSUSE-SU-2015:1277-1, openSUSE-SU-2015:2243-1, openSUSE-SU-2016:0640-1, RHSA-2015:0715-01, RHSA-2015:0716-01, RHSA-2015:0752-01, RHSA-2015:0800-01, SA40001, SB10110, SOL16301, SOL16302, SOL16317, SOL16319, SOL16320, SOL16321, SOL16323, SPL-98351, SPL-98531, SSA:2015-111-09, SSRT102000, SUSE-SU-2015:0541-1, SUSE-SU-2015:0553-1, SUSE-SU-2015:0553-2, SUSE-SU-2015:0578-1, TNS-2015-04, USN-2537-1, VIGILANCE-VUL-16342.

Description of the vulnerability

The OpenSSL product processes X.509 certificates.

However, the X509_to_X509_REQ() function does not check if a pointer is NULL, before using it.

An attacker can therefore force a NULL pointer to be dereferenced in X509_to_X509_REQ() of OpenSSL, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2015-0209

OpenSSL: use after free via d2i_ECPrivateKey

Synthesis of the vulnerability

An attacker can force the usage of a freed memory area in d2i_ECPrivateKey of OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Impacted products: ArubaOS, ProxySG par Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Cisco ASR, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco CSS, Cisco ESA, IOS XE Cisco, Cisco IPS, IronPort Email, IronPort Web, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, WebNS, Cisco WSA, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, hMailServer, HP-UX, AIX, IRAD, Security Directory Server, Tivoli Directory Server, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Junos Space, Junos Space Network Management Platform, Juniper Network Connect, NSM Central Manager, NSMXpress, Juniper SBR, Data ONTAP, NetBSD, NetScreen Firewall, ScreenOS, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, pfSense, RHEL, Base SAS Software, SAS SAS/CONNECT, Slackware, Splunk Enterprise, SUSE Linux Enterprise Desktop, SLES, Nessus, Ubuntu, Unix (platform) ~ not comprehensive, WinSCP.
Severity: 3/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 09/03/2015.
Identifiers: 1698703, 1701334, 1902519, 1960491, 1964410, 55767, 7043086, 9010031, ARUBA-PSA-2015-007, c04679334, CERTFR-2015-AVI-089, CERTFR-2015-AVI-117, CERTFR-2015-AVI-146, CERTFR-2015-AVI-177, CERTFR-2015-AVI-259, CERTFR-2016-AVI-303, cisco-sa-20150320-openssl, cisco-sa-20150408-ntpd, cpuoct2017, CTX216642, CVE-2015-0209, DSA-3197-1, DSA-3197-2, FEDORA-2015-10047, FEDORA-2015-10108, FEDORA-2015-4300, FEDORA-2015-4303, FEDORA-2015-6855, FreeBSD-SA-15:06.openssl, HPSBUX03334, JSA10680, MDVSA-2015:062, MDVSA-2015:063, NetBSD-SA2015-007, NTAP-20150323-0002, openSUSE-SU-2015:0554-1, openSUSE-SU-2015:1277-1, openSUSE-SU-2016:0640-1, RHSA-2015:0715-01, RHSA-2015:0716-01, RHSA-2015:0752-01, RHSA-2016:1087-01, RHSA-2016:1088-01, RHSA-2016:1089-01, SA40001, SOL16301, SOL16302, SOL16317, SOL16319, SOL16320, SOL16321, SOL16323, SPL-98351, SPL-98531, SSA:2015-111-09, SSRT102000, SUSE-SU-2015:0541-1, SUSE-SU-2015:0553-1, SUSE-SU-2015:0553-2, SUSE-SU-2015:0578-1, TNS-2015-04, TSB16661, USN-2537-1, VIGILANCE-VUL-16341.

Description of the vulnerability

The OpenSSL product implements the Elliptic Curves algorithm.

However, the d2i_ECPrivateKey() function frees a memory area before reusing it.

An attacker can therefore force the usage of a freed memory area in d2i_ECPrivateKey() of OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2014-2130

Cisco Secure ACS: privilege escalation via Tomcat

Synthesis of the vulnerability

An authenticated attacker can use the Tomcat administration interface of Cisco Secure ACS, in order to escalate his privileges.
Impacted products: Secure ACS.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user account.
Creation date: 05/03/2015.
Identifiers: CSCuj83189, CVE-2014-2130, VIGILANCE-VUL-16324.

Description of the vulnerability

The Cisco Secure ACS product offers a web service.

However, an authenticated user can access to the Tomcat administration interface.

An authenticated attacker can therefore use the Tomcat administration interface of Cisco Secure ACS, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Cisco Secure Access Control Server: