Lucene search

CiscoCVE-2016-1404

HistoryMay 29, 2016 - 10:59 p.m.

CVE-2016-1404

2016-05-2922:59:00

CWE-200

cisco

web.nvd.nist.gov

cisco

ucs

invicta

4.3

4.5

5.0.1

gnupg

encryption key

vulnerability

remote attackers

cryptographic protection mechanisms

network traffic

autosupport server

bug id

cscur85504

cve-2016-1404

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

55.1%

JSON

Cisco UCS Invicta 4.3, 4.5, and 5.0.1 on Invicta appliances and Invicta Scaling System uses the same hardcoded GnuPG encryption key across different customers’ installations, which allows remote attackers to defeat cryptographic protection mechanisms by sniffing network traffic to an Autosupport server and leveraging knowledge of this key from another installation, aka Bug ID CSCur85504.

Affected configurations

Nvd

Node

ciscoucs_invicta_c3124sa_applianceMatch4.3.1

ciscoucs_invicta_c3124sa_applianceMatch4.3_base

ciscoucs_invicta_c3124sa_applianceMatch4.5.0

ciscoucs_invicta_c3124sa_applianceMatch4.5_base

ciscoucs_invicta_c3124sa_applianceMatch5.0.1

ciscoucs_invicta_c3124sa_applianceMatch5.0_base

VendorProductVersionCPE
ciscoucs_invicta_c3124sa_appliance4.3.1cpe:2.3:a:cisco:ucs_invicta_c3124sa_appliance:4.3.1:*:*:*:*:*:*:*
ciscoucs_invicta_c3124sa_appliance4.3_basecpe:2.3:a:cisco:ucs_invicta_c3124sa_appliance:4.3_base:*:*:*:*:*:*:*
ciscoucs_invicta_c3124sa_appliance4.5.0cpe:2.3:a:cisco:ucs_invicta_c3124sa_appliance:4.5.0:*:*:*:*:*:*:*
ciscoucs_invicta_c3124sa_appliance4.5_basecpe:2.3:a:cisco:ucs_invicta_c3124sa_appliance:4.5_base:*:*:*:*:*:*:*
ciscoucs_invicta_c3124sa_appliance5.0.1cpe:2.3:a:cisco:ucs_invicta_c3124sa_appliance:5.0.1:*:*:*:*:*:*:*
ciscoucs_invicta_c3124sa_appliance5.0_basecpe:2.3:a:cisco:ucs_invicta_c3124sa_appliance:5.0_base:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	ucs_invicta_c3124sa_appliance	4.3.1	cpe:2.3:a:cisco:ucs_invicta_c3124sa_appliance:4.3.1:::::::*
cisco	ucs_invicta_c3124sa_appliance	4.3_base	cpe:2.3:a:cisco:ucs_invicta_c3124sa_appliance:4.3_base:::::::*
cisco	ucs_invicta_c3124sa_appliance	4.5.0	cpe:2.3:a:cisco:ucs_invicta_c3124sa_appliance:4.5.0:::::::*
cisco	ucs_invicta_c3124sa_appliance	4.5_base	cpe:2.3:a:cisco:ucs_invicta_c3124sa_appliance:4.5_base:::::::*
cisco	ucs_invicta_c3124sa_appliance	5.0.1	cpe:2.3:a:cisco:ucs_invicta_c3124sa_appliance:5.0.1:::::::*
cisco	ucs_invicta_c3124sa_appliance	5.0_base	cpe:2.3:a:cisco:ucs_invicta_c3124sa_appliance:5.0_base:::::::*

References

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160524-ucs-inv

www.securitytracker.com/id/1035957

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

55.1%

JSON

Related for CVE-2016-1404