CVE-2011-2054

19.02.2020, 03:15

A vulnerability in the Cisco ASA that could allow a remote attacker to successfully authenticate using the Cisco AnyConnect VPN client if the Secondary Authentication type is LDAP and the password is left blank, providing the primary credentials are correct. The vulnerabilities is due to improper input validation of certain parameters passed to the affected software. An attacker must have the correct primary credentials in order to successfully exploit this vulnerability.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
cisco	CNA	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 38%

Vendor	Product	Version
cisco	asa_5500_firmware	8.4\(1\)
cisco	asa_5510_firmware	8.4\(1\)
cisco	asa_5512-x_firmware	8.4\(1\)
cisco	asa_5515-x_firmware	8.4\(1\)
cisco	asa_5520_firmware	8.4\(1\)
cisco	asa_5525-x_firmware	8.4\(1\)
cisco	asa_5540_firmware	8.4\(1\)
cisco	asa_5545-x_firmware	8.4\(1\)
cisco	asa_5550_firmware	8.4\(1\)
cisco	asa_5555-x_firmware	8.4\(1\)
cisco	asa_5580_firmware	8.4\(1\)
cisco	asa_5585-x_firmware	8.4\(1\)

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-287 - Improper Authentication
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

References

https://quickview.cloudapps.cisco.com/quickview/bug/CSCtq58884