Cisco IOS Software Command Authorization Bypass (cisco-sa-20120328-pai)

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote device is missing a vendor-supplied security patch.

Description :

A vulnerability exists in Cisco IOS Software that may allow a
remote application or device to exceed its authorization level when
authentication, authorization, and accounting (AAA) authorization is
used. This vulnerability requires that the HTTP or HTTPS server is
enabled on the Cisco IOS device. Products that are not running Cisco
IOS Software are not vulnerable. Cisco has released free software
updates that address this vulnerability. The HTTP server may be
disabled as a workaround for the vulnerability described in this
advisory.

See also :

http://www.nessus.org/u?f55ac305

Solution :

Apply the relevant patch referenced in Cisco Security Advisory
cisco-sa-20120328-pai.

Risk factor :

High / CVSS Base Score : 8.5
(CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 6.3
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: CISCO

Nessus Plugin ID: 58570

Bugtraq ID: 52755

CVE ID: CVE-2012-0384