#VU7342 Information disclosure in Cisco Ultra Services Framework - CVE-2017-6709
Vulnerability identifier: #VU7342
Vulnerability risk: Low
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-200
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Cisco Ultra Services Framework
Server applications /
Frameworks for developing and running applications
Vendor: Cisco Systems, Inc
Description
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.
The vulnerability exists in the AutoVNF tool for the Cisco Ultra Services Framework due to logging of administrative credentials for Cisco ESC and Cisco OpenStack deployment purposes in clear text. A remote attacker can access the AutoVNF URL for the location where the log files are stored and subsequently access the administrative credential.
Successful exploitation of the vulnerability may result in information disclosure.
Mitigation
The vulnerability is addressed in the following versions:
5.0.3, 5.1.
Vulnerable software versions
Cisco Ultra Services Framework: All versions
External links
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170705-usf2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
