CVE-2018-15372Improper Access Control in Cisco IOS XE Software

CWE-284Improper Access Control4 documents4 sources
Severity
8.1HIGHNVD
EPSS
0.2%
top 54.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco IOS XE SoftwareCisco IOS XE
Timeline
PublishedOct 5
Latest updateMay 13

Description

A vulnerability in the MACsec Key Agreement (MKA) using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) functionality of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to bypass authentication and pass traffic through a Layer 3 interface of an affected device. The vulnerability is due to a logic error in the affected software. An attacker could exploit this vulnerability by connecting to and passing traffic through a Layer 3 interface of an affected

CVSS vector

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

NVDcisco/ios_xe16.8.1, 16.9.1+1

🔴Vulnerability Details

2
GHSA
GHSA-mv8q-r8fx-2m57: A vulnerability in the MACsec Key Agreement (MKA) using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) functionality of Cisco I2022-05-13
CVEList
Cisco IOS XE Software MACsec MKA Using EAP-TLS Authentication Bypass Vulnerability2018-10-05

📋Vendor Advisories

1
Cisco
Cisco IOS XE Software MACsec MKA Using EAP-TLS Authentication Bypass Vulnerability2018-09-26
CVE-2018-15372 — Improper Access Control in Cisco | cvebase