First published: Fri Oct 05 2018
A vulnerability in the Cisco Network Plug and Play server component of Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to gain unauthorized access to configuration data that is stored on an affected NSO system. The vulnerability exists because the Network Plug and Play component performs incomplete validation when configured to use secure unique device identifiers (SUDI) for authentication. An attacker who controls a Cisco device that supports SUDI authentication and has connectivity to an affected NSO system could exploit this vulnerability. The attacker would need to leverage information about the devices that are being registered on the NSO server to send crafted Cisco Network Plug and Play authentication packets to an affected system. A successful exploit could allow the attacker to gain unauthorized access to configuration data for devices that will be managed by the NSO system.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco Network Services Orchestrator | =1.2.0 | |
CVE-2018-0463 is a vulnerability in the Cisco Network Plug and Play server component of Cisco Network Services Orchestrator (NSO) that could allow an unauthenticated, remote attacker to gain unauthorized access to configuration data stored on an affected NSO system.
CVE-2018-0463 has a severity rating of 7.5, which is considered high.
The affected software for CVE-2018-0463 is Cisco Network Services Orchestrator (NSO) version 1.2.0.
An attacker can exploit CVE-2018-0463 by sending malicious requests to the Cisco Network Plug and Play server component of the affected NSO system, allowing them to gain unauthorized access to configuration data.
Yes, Cisco has released a security advisory with recommended updates and mitigations to address the vulnerability. Please refer to the official Cisco Security Advisory for more information.