Vulnerabilities > CVE-2009-0742 - Cryptographic Issues vulnerability in Cisco ACE 4710 and Application Control Engine Module

CVSS 7.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

NONE

Availability impact

NONE

network

low complexity

cisco

CWE-310

NVD

Published: 2009-02-26

Updated: 2009-02-27

Summary

The username command in Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers and Cisco ACE 4710 Application Control Engine Appliance stores a cleartext password by default, which allows context-dependent attackers to obtain sensitive information. Note that CVE-2009-0742 is not referenced on the vendor advisory page at: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a7bc82.shtml

Vulnerable Configurations

Part	Description	Count
Hardware	Cisco Cisco Application Control Engine Module * Cisco Catalyst 6500 * Cisco Catalyst 7600 * Cisco ACE 4710 *	4

Common Weakness Enumeration (CWE)

CWE-310 - Cryptographic Issues

Common Attack Pattern Enumeration and Classification (CAPEC)

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

References

http://www.cisco.com/en/US/products/products_security_advisory09186a0080a7bc82.shtml