Cisco IOS Software Command Security Bypass (cisco-sa-20120328-pai)

This script is Copyright (C) 2012-2016 Tenable Network Security, Inc.


Synopsis :

The remote device is missing a vendor-supplied security patch.

Description :

According to its self-reported version and configuration, the Cisco
IOS software running on the remote device is affected by a security
bypass vulnerability in the Authentication, Authorization, and
Accounting (AAA) feature. An authenticated, remote attacker can
exploit this, via an HTTP or HTTPS session, to bypass access
restrictions and execute any IOS command that is configured for their
authorization level. The vulnerability is exposed only when the HTTP
or HTTPS server is enabled on the Cisco IOS device.

See also :

http://www.nessus.org/u?f55ac305

Solution :

Apply the relevant patch referenced in Cisco Security Advisory
cisco-sa-20120328-pai. Alternatively, the HTTP server may be disabled
as a workaround.

Risk factor :

High / CVSS Base Score : 8.5
(CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 6.3
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: CISCO

Nessus Plugin ID: 58570

Bugtraq ID: 52755

CVE ID: CVE-2012-0384
