
====================================================================

                                 CERT-Renater

                     Information Note No. 2016/VULN047
_____________________________________________________________________

DATE                : 04/02/2016

HARDWARE PLATFORM(S): Cisco ASA-CX, Cisco Prime Security Manager.

OPERATING SYSTEM(S):  Cisco ASA-CX software, Cisco Prime Security
                                 Manager software.

======================================================================
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160203-prsm
_____________________________________________________________________

Cisco Security Advisory: Cisco ASA-CX and Cisco Prime Security Manager
Privilege Escalation Vulnerability

Advisory ID: cisco-sa-20160203-prsm

Revision: 1.0

For Public Release 2016 February 03 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability in the role-based access control of Cisco ASA-CX and
Cisco Prime Security Manager (PRSM) could allow an authenticated,
remote attacker to change the password of any user on the system.

The vulnerability exists because the password change request is not
fully qualified. An authenticated attacker with a user role other than
Administrator could exploit this vulnerability by sending a specially
crafted HTTP request to the Cisco PRSM. An exploit could allow the
attacker to change the password of any user on the system, including
users with the Administrator role.
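
Added example, not part of the Cisco advisory and not Cisco PRSM code: a
server-side check for the class of flaw described above, where a password
change is authorized from the authenticated session rather than from the
account named in the request. The advisory does not publish the request
format, so all function names, role names and accounts here are hypothetical.

```python
# Added illustration; hypothetical names, not Cisco PRSM code or its API.
from dataclasses import dataclass

ADMIN = "Administrator"


@dataclass
class User:
    name: str
    role: str
    password: str  # plaintext only to keep the example short; store a hash in practice


class Forbidden(Exception):
    pass


def make_store():
    # Constructed sample accounts; "ReadOnly" is a made-up non-admin role.
    return {
        "admin": User("admin", ADMIN, "admin-old"),
        "viewer": User("viewer", "ReadOnly", "viewer-old"),
    }


def change_password_unchecked(store, session_user, target, new_password):
    """Weak pattern: the target comes from the request; the caller's role is never consulted."""
    store[target].password = new_password


def change_password_checked(store, session_user, target, new_password,
                            current_password=None):
    """Hardened pattern: the decision is derived from the authenticated session."""
    actor = store[session_user]
    account = store.get(target)
    if account is None:
        raise Forbidden("unknown account")
    if actor.name == account.name:
        # Self-service change: require proof of the current password.
        if current_password != actor.password:
            raise Forbidden("current password required")
    elif actor.role != ADMIN:
        # A non-administrator may never change another account's password.
        raise Forbidden(f"{actor.name} may not change {account.name}")
    account.password = new_password
    return True
```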

Cisco has released software updates that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160203-prsm


==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================




