
====================================================================

                             CERT-Renater

                 Information Note No. 2018/VULN187
_____________________________________________________________________

DATE                : 17/05/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Connected Grid Network Management
                     System software, and IoT Field Network Director
                     software versions prior to 4.1.1-6 and 4.2.0-123.

=====================================================================
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-fnd
_____________________________________________________________________

Cisco Security Advisory: Cisco IoT Field Network Director Cross-Site
Request Forgery Vulnerability

Advisory ID: cisco-sa-20180516-fnd

Revision: 1.0

For Public Release: 2018 May 16 16:00 GMT

Last Updated: 2018 May 16 16:00 GMT

CVE ID(s): CVE-2018-0270

CVSS v3 Score: 8.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)

+---------------------------------------------------------------------

Summary
=======

A vulnerability in the web-based management interface of Cisco IoT Field
Network Director (IoT-FND) could allow an unauthenticated, remote
attacker to conduct a cross-site request forgery (CSRF) attack and alter
the data of existing users and groups on an affected device.

The vulnerability is due to insufficient CSRF protections for the
web-based management interface on an affected device. An attacker could
exploit this vulnerability by persuading a user of the interface to
follow a malicious link. A successful exploit could allow the attacker
to perform arbitrary actions with the privilege level of the affected
user. If the user has administrative privileges, the attacker could
create a new, privileged account to obtain full control over the device
interface.
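Added example, not code from the advisory or from Cisco: a minimal model of a state-changing "update user" handler, first with the cookie-only check that makes a management interface CSRF-prone in the way described above, then hardened with a per-session synchronizer token and an Origin check. The session store, user table, origin and form fields are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
@dataclass
class Request:
    method: str
    cookies: dict   # attached automatically by the browser, even cross-site
    headers: dict
    form: dict
# Constructed server state: one logged-in admin session and a user table.
SESSIONS = {"sess-abc": {"user": "admin", "csrf_token": secrets.token_hex(16)}}
USERS = {"alice": {"role": "operator"}}
SITE_ORIGIN = "https://fnd.example.invalid"   # assumed management-UI origin
def session_for(req):
    return SESSIONS.get(req.cookies.get("SESSIONID"))

def update_user_vulnerable(req):
    """Cookie-only check: a cross-site POST that the victim's browser sends
    with the session cookie attached is accepted as if the admin made it."""
    sess = session_for(req)
    if req.method != "POST" or sess is None:
        return 401
    USERS[req.form["user"]] = {"role": req.form["role"]}
    return 200

def update_user_hardened(req):
    """Same handler with a per-session synchronizer token and an Origin check."""
    sess = session_for(req)
    if req.method != "POST" or sess is None:
        return 401
    origin = req.headers.get("Origin", "")
    if origin != SITE_ORIGIN:          # browsers set Origin; a page cannot forge it
        return 403
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf_token"]):
        return 403                     # a third-party page cannot read the token
    USERS[req.form["user"]] = {"role": req.form["role"]}
    return 200

def forged_request():
    """Constructed cross-site request: cookie present, no token, foreign Origin."""
    return Request("POST", {"SESSIONID": "sess-abc"},
                   {"Origin": "https://third-party.example"},
                   {"user": "mallory", "role": "admin"})

def legitimate_request():
    """Constructed same-origin request carrying the session's token."""
    return Request("POST", {"SESSIONID": "sess-abc"}, {"Origin": SITE_ORIGIN},
                   {"user": "alice", "role": "admin",
                    "csrf_token": SESSIONS["sess-abc"]["csrf_token"]})
```

The vulnerable handler accepts the forged request (200) while the hardened one rejects it (403) and still accepts the legitimate one.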

Cisco has released software updates that address this vulnerability.
There are no workarounds that address this vulnerability.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-fnd

==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================


