CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:L/AC:M/Au:S/C:P/I:P/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
5.1%
A vulnerability in Cisco Prime LAN Management Solution (LMS) could allow an authenticated, local attacker to decrypt and access data fields in LMS databases that are used to manage devices in Cisco networks.
The vulnerability is due to the presence of a default database decryption key that is shared across installations of Cisco Prime LMS. An authenticated, local attacker who has both local connectivity to the console and a valid account on the operating system of a device on which LMS is installed could exploit this vulnerability by obtaining the default, hard-coded key from the device file system. The attacker could use the key to connect to and decrypt all the data in the LMS database that is used to managed devices in the network, and access all the fields in the database. After obtaining the key, the attacker can use the key to access the database locally or via a remote connection to LMS.
Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160310-prime-lms[“https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160310-prime-lms”]
Vendor | Product | Version | CPE |
---|---|---|---|
cisco | prime_lan_management_solution | any | cpe:2.3:a:cisco:prime_lan_management_solution:any:*:*:*:*:*:*:* |
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:L/AC:M/Au:S/C:P/I:P/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
5.1%