Cisco Application Control Engine (ACE) before A4(2.3) and A5 before A5(1.1), when multicontext mode is enabled, does not properly share a management IP address among multiple contexts, which allows remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances, and read or modify configuration settings, via a login attempt to a context, aka Bug ID CSCts30631, a different vulnerability than CVE-2012-3058.
This is a vulnerability exploitable with network access which means the vulnerable software is bound to
the network stack and the attacker does not require local network access or local access to exploit it.
Such a vulnerability is often termed “remotely exploitable”.
Specialized access conditions exist. For example,
in most configurations, the attacking party must already have elevated privileges or spoof additional systems
in addition to the attacking system (e.g., DNS hijacking).
The attack depends on social engineering methods that would be easily detected by knowledgeable people.
For example, the victim must perform several suspicious or atypical actions.
The vulnerable configuration is seen very rarely in practice.
If a race condition exists, the window is very narrow.
One instance of authentication is required to access and exploit the vulnerability.
There is total information disclosure, resulting in all system files being revealed. The
attacker is able to read all of the system's data (memory, files, etc.).
There is a total compromise of system integrity. There is a complete loss of system
protection, resulting in the entire system being compromised. The attacker is able to
modify any files on the target system.
There is a total shutdown of the affected resource. The attacker can render the
resource completely unavailable.