SB2019011004 - Multiple vulnerabilities in Cisco Policy Suite 
Published: January 10, 2019

Security Bulletin ID: SB2019011004
Severity: Low
Patch available: Yes
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2018-15466)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists in the Graphite web interface of the Policy and Charging Rules Function (PCRF) due to lack of authentication. A remote attacker with access to the internal VLAN where CPS is deployed can directly connect to the Graphite web interface and access various statistics and Key Performance Indicators (KPIs) regarding the Cisco Policy Suite environment.


2) Improper authentication (CVE-ID: CVE-2018-0181)

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists in the Redis implementation due to improper authentication when accessing the Redis server. A remote attacker can modify key-value pairs stored within the Redis server database and reduce the efficiency of the software.
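An added example, not part of this bulletin or of Cisco's code: a small Python audit check that sends one PING to a Redis instance you administer and classifies the reply, so you can confirm that the Redis server backing CPS refuses unauthenticated commands once the vendor update is applied. The sample replies are constructed; the host, port and timeout are assumptions.

```python
import socket

# Constructed RESP replies, as a Redis server returns them to an unauthenticated PING.
SAMPLE_REPLIES = {
    "open": b"+PONG\r\n",
    "auth_required": b"-NOAUTH Authentication required.\r\n",
    "protected": b"-DENIED Redis is running in protected mode.\r\n",
}


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array, the wire format Redis clients speak."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        data = arg.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)


def classify_reply(reply: bytes) -> str:
    """Map the reply to an unauthenticated PING onto an audit verdict."""
    line = reply.split(b"\r\n", 1)[0]
    if line == b"+PONG":
        # The server executed a command without any AUTH: the CVE-2018-0181 condition.
        return "OPEN: commands accepted without authentication"
    if line.startswith(b"-NOAUTH"):
        return "OK: authentication enforced"
    if line.startswith(b"-DENIED"):
        return "OK: protected mode refuses remote clients"
    return "UNKNOWN: " + line.decode(errors="replace")


def check_redis_auth(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Connect to a Redis server you operate and report how it answers a bare PING."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(resp_command("PING"))
        return classify_reply(sock.recv(512))


if __name__ == "__main__":
    # Offline demonstration over the constructed replies; swap in
    # check_redis_auth("cps-redis.example", 6379) for a live check (hypothetical host).
    for name, reply in SAMPLE_REPLIES.items():
        print(f"{name:14} -> {classify_reply(reply)}")
```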


Remediation

Install update from vendor's website.