Vigil@nce - Cisco ACE 4710: code execution via Device Manager GUI
April 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An authenticated attacker can use the Device Manager GUI of Cisco
ACE 4710, in order to run privileged code.
Impacted products: Cisco ACE.
Severity: 2/4.
Creation date: 24/02/2016.
DESCRIPTION OF THE VULNERABILITY
The Cisco ACE 4710 product offers a Device Manager GUI service.
However, an attacker can inject CLI commands in a POST query,
which are executed with privileges of the "admin" user.
An authenticated attacker can therefore use the Device Manager GUI
of Cisco ACE 4710, in order to run privileged code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Cisco-ACE-4710-code-execution-via-Device-Manager-GUI-19024