Lucene search

CiscoCVE-2018-0150

HistoryMar 28, 2018 - 10:29 p.m.

CVE-2018-0150

2018-03-2822:29:00

CWE-798

cisco

web.nvd.nist.gov

cisco

ios xe

software

vulnerability

remote login

default credentials

security

cisco bug

cscve89880

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.004

Percentile

72.5%

JSON

A vulnerability in Cisco IOS XE Software could allow an unauthenticated, remote attacker to log in to a device running an affected release of Cisco IOS XE Software with the default username and password that are used at initial boot, aka a Static Credential Vulnerability. The vulnerability is due to an undocumented user account with privilege level 15 that has a default username and password. An attacker could exploit this vulnerability by using this account to remotely connect to an affected device. A successful exploit could allow the attacker to log in to the device with privilege level 15 access. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software Release 16.x. This vulnerability does not affect Cisco IOS XE Software releases prior to Release 16.x. Cisco Bug IDs: CSCve89880.

Affected configurations

Nvd

Node

cisco4431_integrated_services_routerMatch-

cisco4451_integrated_services_routerMatch-

AND

ciscoios_xeMatch16.5.1

VendorProductVersionCPE
cisco4431_integrated_services_router-cpe:2.3:h:cisco:4431_integrated_services_router:-:*:*:*:*:*:*:*
cisco4451_integrated_services_router-cpe:2.3:h:cisco:4451_integrated_services_router:-:*:*:*:*:*:*:*
ciscoios_xe16.5.1cpe:2.3:o:cisco:ios_xe:16.5.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	4431_integrated_services_router	-	cpe:2.3:h:cisco:4431_integrated_services_router:-:::::::*
cisco	4451_integrated_services_router	-	cpe:2.3:h:cisco:4451_integrated_services_router:-:::::::*
cisco	ios_xe	16.5.1	cpe:2.3:o:cisco:ios_xe:16.5.1:::::::*

CNA Affected

[
  {
    "product": "Cisco IOS XE",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Cisco IOS XE"
      }
    ]
  }
]

References

www.securityfocus.com/bid/103539

www.securitytracker.com/id/1040579

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-xesc

Social References

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.004

Percentile

72.5%

JSON

Related for CVE-2018-0150