Vigil@nce - Cisco Secure ACS: privilege escalation via Report Generation
December 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An authenticated attacker can create a report on Cisco Secure ACS
in order to escalate their privileges.
Impacted products: Secure ACS.
Severity: 2/4.
Creation date: 26/10/2015.
DESCRIPTION OF THE VULNERABILITY
The Cisco Secure ACS product uses RBAC (role-based access control).
However, the RBAC rules allow access to the Report Generation
interface.
An authenticated attacker can therefore create a report on Cisco
Secure ACS in order to escalate their privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Cisco-Secure-ACS-privilege-escalation-via-Report-Generation-18184