发布时间 :2000-04-20 00:00:00
修订时间 :2008-09-10 15:03:47

[原文]Cisco Catalyst 5.4.x allows a user to gain access to the "enable" mode without a password.

[CNNVD]Cisco Catalyst使能密码旁路漏洞(CNNVD-200004-054)

        Cisco Catalyst 5.4.x存在漏洞,用户可以访问“使能”模式而无需密码。

- CVSS (基础分值)

CVSS分值: 4.6 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(VENDOR_ADVISORY)  CISCO  20000419 Cisco Catalyst Enable Password Bypass Vulnerability
(UNKNOWN)  BID  1122

- 漏洞信息

Cisco Catalyst使能密码旁路漏洞
中危 访问验证错误
2000-04-20 00:00:00 2005-10-12 00:00:00
        Cisco Catalyst 5.4.x存在漏洞,用户可以访问“使能”模式而无需密码。

- 公告与补丁

        The following information has been copied from the Cisco security advisory on this topic, the advisory itself is attached in the 'Credit' section of this vulnerability entry:
        Cisco is offering free software upgrades to remedy this vulnerability for all affected customers.
        Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained via the Software Center on Cisco's Worldwide Web site at:
         Customers without contracts should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows:
        * +1 800 553 2447 (toll-free from within North America)
         * +1 408 526 7209 (toll call from anywhere in the world)
         * e-mail:
         Give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Please do not contact either "" or "" for software upgrades.

- 漏洞信息

Cisco Catalyst Enable Password Bypass

- 漏洞描述

CatOS contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a local user is allowed to enter enable mode without a password. This flaw may lead to a loss of confidentiality, integrity and/or availability.

- 时间线

2000-04-19 2000-04-19
Unknow Unknow

- 解决方案

Upgrade to version 5.4(2) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete