Cisco Nexus Dashboard LDAP Username Enumeration Vulnerability

Vulnerability

A vulnerability exists in Cisco Nexus Dashboard that allows an unauthenticated, remote attacker to enumerate LDAP user accounts. The issue arises from improper handling of LDAP authentication requests. By sending authentication requests to an affected system, an attacker could determine which usernames correspond to valid LDAP user accounts. The vulnerability affects Cisco Nexus Dashboard versions 3.1 and earlier, as well as 3.2, although not all 3.2 versions are vulnerable. At the time of publication, this vulnerability affected Cisco Nexus Dashboard if LDAP was configured as a remote authentication provider.
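
A defender-side illustration of how this kind of enumeration shows up in authentication logs, added here as an example (not Cisco's code and not part of the advisory): it flags sources that fail LDAP logins for many distinct usernames within a short window. The log line format, field names, thresholds and sample data are constructed assumptions, not a real Nexus Dashboard log format, and the input is assumed to be in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical line format (assumption): "<ts> src=<ip> user=<name> auth=ldap result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) auth=ldap result=(?P<result>\w+)$"
)

def build_sample():
    """Constructed sample log: one noisy source and one ordinary user."""
    lines = []
    names = ["admin", "alice", "bob", "carol", "dave", "erin", "frank", "grace"]
    for i, name in enumerate(names):  # 8 distinct usernames in 14 seconds
        lines.append(f"2025-06-09T10:00:{i * 2:02d}Z src=198.51.100.7 "
                     f"user={name} auth=ldap result=fail")
    for i in range(3):  # one person mistyping their own password
        lines.append(f"2025-06-09T10:05:{i * 10:02d}Z src=192.0.2.20 "
                     f"user=heidi auth=ldap result=fail")
    lines.append("2025-06-09T10:05:40Z src=192.0.2.20 user=heidi auth=ldap result=ok")
    return "\n".join(lines)

def find_enumeration_sources(log_text, max_users=5, window=timedelta(minutes=1)):
    """Return {source: peak distinct usernames} for every source that failed
    LDAP logins for more than max_users distinct usernames inside the window."""
    recent = defaultdict(deque)  # source -> (timestamp, username) inside window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "fail":
            continue  # skip unparsable lines and successful logins
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[m["src"]]
        q.append((ts, m["user"].lower()))
        while ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        distinct = len({user for _, user in q})
        if distinct > max_users:
            flagged[m["src"]] = max(flagged.get(m["src"], 0), distinct)
    return flagged

if __name__ == "__main__":
    for src, count in find_enumeration_sources(build_sample()).items():
        print(f"{src}: {count} distinct usernames failed within the window")
```

Counting distinct usernames rather than raw failures keeps a single user retrying a password from being flagged.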

Impact

Exploitation of this vulnerability could lead to unauthorized enumeration of LDAP user accounts, allowing an attacker to identify valid usernames.

Remediation

Users can upgrade to Cisco Nexus Dashboard 3.2(2f) or migrate to a fixed release. For versions 3.1 and earlier, customers should consult the Cisco Security Advisories page for upgrade instructions.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 0.6
exploitability: 7.4
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.