CVE-2018-0226

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in the assignment and management of default user accounts for Secure Shell (SSH) access to Cisco Aironet 1800, 2800, and 3800 Series Access Points that are running Cisco Mobility Express Software could allow an authenticated, remote attacker to gain elevated privileges on an affected access point. The vulnerability exists because the Cisco Mobility Express controller of the affected software configures the default SSH user account for an access point to be the first SSH user account that was created for the Mobility Express controller, if an administrator added user accounts directly to the controller instead of using the default configuration or the SSH username creation wizard. Although the user account has read-only privileges for the Mobility Express controller, the account could have administrative privileges for an associated access point. An attacker who has valid user credentials for an affected controller could exploit this vulnerability by using the default SSH user account to authenticate to an affected access point via SSH. A successful exploit could allow the attacker to log in to the affected access point with administrative privileges and perform arbitrary administrative actions. This vulnerability affects the following Cisco products: Aironet 1800 Series Access Points that are running Cisco Mobility Express Software Releases 8.2.121.0 through 8.5.105.0, Aironet 2800 Series Access Points that are running Cisco Mobility Express Software Releases 8.3.102.0 through 8.5.105.0, Aironet 3800 Series Access Points that are running Cisco Mobility Express Software Releases 8.3.102.0 through 8.5.105.0. Cisco Bug IDs: CSCva68116.

Una vulnerabilidad en la asignación y gestión de cuentas de usuario por defecto para el acceso SSH (Secure Shell) a puntos de acceso de Cisco Aironet de las series 1800, 2800 y 3800 que ejecutan Cisco Mobility Express Software podría permitir que un atacante remoto autenticado obtenga privilegios en un punto de acceso afectado. Esta vulnerabilidad existe porque el controlador de Cisco Mobility Express del software afectado configura la cuenta de usuario SSH para un punto de acceso para que sea la primera cuenta de usuario SSH en crearse para el controlador Mobility Express, si un administrador añade cuentas de usuario directamente al controlador en vez de utilizar la configuración por defecto o el asistente de creación de nombres de usuario SSH. Aunque la cuenta de usuario tiene privilegios de solo lectura para el controlador Mobility Express, la cuenta podría tener privilegios de administración para un punto de acceso. Un atacante que tenga credenciales de usuario válidas para un controlador afectado podría explotar esta vulnerabilidad utilizando la cuenta de usuario SSH por defecto para autenticarse en un punto de acceso afectado mediante SSH. Un exploit con éxito podría permitir que el atacante consiga iniciar sesión en el punto de acceso afectado con privilegios administrativos y realizar acciones administrativas arbitrarias. Esta vulnerabilidad afecta a los siguientes productos Cisco: Aironet 1800 Series Access Points que ejecuten Cisco Mobility Express Software Releases desde la versión 8.2.121.0 hasta la 8.5.105.0, Aironet 2800 Series Access Points que ejecuten Cisco Mobility Express Software Releases desde la versión 8.3.102.0 hasta la8.5.105.0, Aironet 3800 Series Access Points que ejecuten Cisco Mobility Express Software Releases desde la versión 8.3.102.0 hasta la8.5.105.0. Cisco Bug IDs: CSCva68116.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-11-27 CVE Reserved
2018-05-02 CVE Published
2024-06-27 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-255: Credentials Management Errors

CAPEC

References (3)

URL	Tag	Source
http://www.securityfocus.com/bid/104124	Third Party Advisory
http://www.securitytracker.com/id/1040817	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-aironet-ssh	2019-10-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"		Mobility Express Software Search vendor "Cisco" for product "Mobility Express Software"				8.3\(90.65\) Search vendor "Cisco" for product "Mobility Express Software" and version "8.3\(90.65\)"		-		Affected
Cisco Search vendor "Cisco"		Mobility Express Software Search vendor "Cisco" for product "Mobility Express Software"				8.4\(1.65\) Search vendor "Cisco" for product "Mobility Express Software" and version "8.4\(1.65\)"		-		Affected