The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Cisco ASA-CX, Prime Security Manager: privilege escalation via the password changing function

Synthesis of the vulnerability

An attacker can set the password of any user of Cisco ASA-CX and Prime Security Manager, in order to escalate their privileges.
Severity of this computer vulnerability: 3/4.
Creation date: 04/02/2016.
References for this announcement: CERTFR-2016-AVI-047, cisco-sa-20160203-prsm, CVE-2016-1301, VIGILANCE-VUL-18868.

Description of the vulnerability

The products Cisco ASA-CX and Prime Security Manager manage user accounts whose passwords can be set through a web service.

However, the code that implements the password change function does not fully validate the HTTP request, and certain crafted requests allow any user, whatever their own privilege level, to set the password of any account, including administrative accounts.

An attacker with any account on Cisco ASA-CX or Prime Security Manager can therefore set the password of any user, including an administrator, in order to escalate their privileges.
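The following is an added illustration and is not Cisco's code nor taken from the bulletin: a minimal web handler for the class of flaw described above, where the password-change function honours the account named in the request body instead of the identity of the authenticated session, beside a hardened version that binds the target account to the session and requires an administrator role before anyone else's password may be reset. The account store, role names and the Request shape are constructed for the example.

```python
"""Added example: an authorization flaw in a password-change handler.

The vulnerable handler lets any logged-in user overwrite any account's
password because it trusts the 'username' field of the request body.
The fixed handler derives the target from the session and enforces a role
check. Nothing here is Cisco's implementation; it shows the flaw class.
"""
import copy
from dataclasses import dataclass, field

# Constructed sample account store (names, roles and passwords are made up).
ACCOUNTS = {
    "admin":   {"role": "admin", "password": "A-initial"},
    "analyst": {"role": "user",  "password": "U-initial"},
}


@dataclass
class Request:
    """Minimal stand-in for a parsed HTTP request (assumed shape)."""
    session_user: str                          # identity proven at login
    form: dict = field(default_factory=dict)   # parsed form/JSON body


def change_password_vulnerable(req, accounts):
    """Trusts the body: any authenticated user can set any user's password."""
    target = req.form.get("username", req.session_user)
    if target not in accounts:
        return 404
    accounts[target]["password"] = req.form["new_password"]
    return 200


def change_password_fixed(req, accounts):
    """Binds the target to the session identity.

    A user may change only their own password; only an 'admin' role may
    reset another account. Requests that name another account are refused
    with 403 rather than silently redirected to the caller's own account,
    so the attempt shows up in access logs.
    """
    if req.session_user not in accounts:
        return 401
    target = req.form.get("username", req.session_user)
    if target not in accounts:
        return 404
    caller_role = accounts[req.session_user]["role"]
    if target != req.session_user and caller_role != "admin":
        return 403
    if target == req.session_user:
        # Re-authentication for self-service changes: a hijacked session
        # alone must not be enough to lock the real owner out.
        if req.form.get("current_password") != accounts[target]["password"]:
            return 403
    accounts[target]["password"] = req.form["new_password"]
    return 200


def demo():
    """Replay one crafted request against both handlers and report the outcome."""
    attack = Request(session_user="analyst",
                     form={"username": "admin", "new_password": "pwned"})
    vuln_store = copy.deepcopy(ACCOUNTS)
    fixed_store = copy.deepcopy(ACCOUNTS)
    return {
        "vulnerable_status": change_password_vulnerable(attack, vuln_store),
        "vulnerable_admin_pw": vuln_store["admin"]["password"],
        "fixed_status": change_password_fixed(attack, fixed_store),
        "fixed_admin_pw": fixed_store["admin"]["password"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check worth copying is the one on the target account: the identity that may be changed comes from the session, never from a client-supplied field, and a mismatch is rejected rather than corrected. Requiring the current password for self-service changes is a separate, common hardening step and is not something the bulletin describes.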

This security bulletin affects products such as Cisco ASA-CX and Cisco PRSM.

Our Vigil@nce team rated the severity of this security announcement as important (3/4).

The trust level is confirmed by the vendor, and the attack origin is an internet client.

An attacker with expert skills can exploit this vulnerability.

Solutions for this threat

Cisco ASA-CX, Prime Security Manager: solution CSCuo94842.
The fix tracked under Cisco bug ID CSCuo94842 is available:
  https://tools.cisco.com/bugsearch/bug/CSCuo94842
  https://tools.cisco.com/quickview/bug/CSCuo94842
Fixed versions are available from the Cisco software download pages:
  ASA-CX Context-Aware : http://www.cisco.com/cisco/pub/software/portal/select.html?&mdfid=284325223&softwareid=284399944
  Prime Security Manager : http://www.cisco.com/cisco/pub/software/portal/select.html?&mdfid=284397197&flowid=33362&softwareid=284399945
