lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-id: <201610051206.6.nxaaa@psirt.cisco.com>
Date: Wed,  5 Oct 2016 12:06:31 -0400
From: Cisco Systems Product Security Incident Response Team <psirt@...co.com>
To: bugtraq@...urityfocus.com
Cc: psirt@...co.com
Subject: Cisco Security Advisory: Cisco NX-OS Software-Based Products Authentication, Authorization, and Accounting Bypass Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco NX-OS Software-Based Products Authentication, Authorization, and Accounting Bypass Vulnerability

Advisory ID:  cisco-sa-20161005-nxaaa

Revision: 1.0

For Public Release: 2016 October 5 16:00  GMT

+------------------------------------------------------------------------------

Summary
=======
A vulnerability in the SSH subsystem of the Cisco Nexus family of products could allow an authenticated, remote attacker to bypass authentication, authorization, and accounting (AAA) restrictions.

The vulnerability is due to the improper processing of certain parameters that are passed to an affected device during the negotiation of an SSH connection. An attacker could exploit this vulnerability by authenticating to an affected device and passing a malicious value as part of the login procedure. A successful exploit could allow an attacker to bypass AAA restrictions and execute commands on the device command-line interface (CLI) that should be restricted to a different privileged user role.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-nxaaa

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJX9RRvAAoJEK89gD3EAJB50dgQAIrB5QpyIh8qhoZ2M5E5tHaU
8kp4One/3FfMzgACfWpMGR51Cwuz6janS3CvjsXdVv5G6NNlUmQr2DTq1/WOy18+
ZLPdrDUo9CCwOxCm8Xg4dWIud6KbioaVMTNdC5Ut7OvgkjxWkjkBZ2ZqELai5G9G
eZQ13hvNmUvNt0FH2Cd+fN+jyVv2Q4YYtPrwQ5028vSn/eESfxXi1/NZq5v/Qw9c
YYEonqDugjCEj0i3YfQU7gfSsOzSdZ3BG8l3LAFr4Ciw7yETDdm18oSUWM/D/1gf
O7bqpoEZ6lxBNEumfSJG/HHVMqVvYrORjmy4pSbtHq7gVCigqNCv7Bh9LaWnoy5g
E2bunRgPR1dtp+9a9mSFdrhyNYI04Eg7HcIcLSaDtdAHJVTNPJzFIZLF11qGpuQv
Fmy+F14rftAt6jOmuuBbYKh01bK+nfVSMATy4oLh8eCoxjwzHigbYG9gz3Ma9xEg
JZn4EytMq7PHeU8rlUS6BaeG4/SZJ5y9giXRmwFkkKtdXRWIIK54KZalYvgjz8GG
/5NqnoVJvL2ehr/c1E8c4x0XKKwkCd+6MwzXXfR3rgyXa35wLl7vbM0jI+RfJybS
Qiw8wDZ44v05TP91vxz6q/bh0KBUo+A0PmU9GDqQoJ5xAEUeYl5K+ugWGKAauDKR
WgrVbP4KcUSdQAj1zgZ0
=NOCy
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ