Cisco Vision Dynamic Signage Director Role-Based Access Control Vulnerability

A vulnerability in the role-based access control (RBAC) functionality of the web management software of Cisco Vision Dynamic Signage Director could allow an authenticated, remote attacker to access resources that they should not be able to access and perform actions that they should not be able to perform.

The vulnerability exists because the web management software does not properly handle RBAC. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to view and delete certain screen content on the system that the attacker would not normally have privileges to access.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cvdsd-rbac-y9LM5jw4

Security Impact Rating: Medium

CVE: CVE-2020-3485


Untitled

ERROR: -16049 Failed to retrieve data in login config with tag: ChallengeResponseQuestions

ERROR: -16060 Failed to decrypt password history value

ERROR: -16060 Failed check password for CN=ATS004.OU=Users.OU=Internal.O=UMB

-16049 0xFFFFC14F NMAS_E_ENTRY_ATTRIBUTE_NOT_FOUND The requested attribute does not exist on the specified object.

-16060 0xFFFFC144 NMAS_E_CRYPTO_FAILURE If you upgrade your eDirectory server to 9.2 from any previous version and the tree has any users with Universal Password encrypted with DES tree key, then for such users login or password change might fail with this error.





NOTE2: In some cases a customer may be on a pure 9.x environment and want to upgrade to a 3DES key. eDirectory 9.x’s sdidiag will only generate AES tree keys. However, there is a manual workaround:

Option 1: Install an eDirectory 8.8 SP8 server into the tree, give it a copy of root and use sdidiag from there to generate the key.

Option 2: Force a server holding root to think there are no tree keys.

a. On every server holding a copy of root, run: ndstrace -c "unload niciext"

b. On one of these servers, move /var/opt/novell/nici/0/nicisdi.key and /var/opt/novell/nici/0/backup to a safe place.

c. For that same server, remove all its rights to the W0 object.

d. Have two shells open: one to run ndstrace with the +nici flag and another to reload niciext on that same server: ndstrace -c "load niciext"

You should see in the shell running ndstrace that no tree key is found and a new 3DES key is created. Give the server RW and all attribute rights to the W0 object, then unload and reload niciext once again. Now load niciext on the other servers holding root. At this point the old 56-bit key and the new 3DES key will be synchronized across the servers.
