ID

VAR-201902-0428


CVE

CVE-2019-1664


TITLE

Cisco HyperFlex Software access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-001948

DESCRIPTION

A vulnerability in the hxterm service of Cisco HyperFlex Software could allow an unauthenticated, local attacker to gain root access to all nodes in the cluster. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by connecting to the hxterm service as a non-privileged, local user. A successful exploit could allow the attacker to gain root access to all member nodes of the HyperFlex cluster. This vulnerability affects Cisco HyperFlex Software Releases prior to 3.5(2a). Successfully exploiting this issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions. This issue is being tracked by Cisco Bug ID CSCvk31047. The system provides unified computing, storage and network through cloud management, and provides enterprise-level data management and optimization services.

Trust: 1.98

sources: NVD: CVE-2019-1664 // JVNDB: JVNDB-2019-001948 // BID: 107103 // VULHUB: VHN-148806

AFFECTED PRODUCTS

vendor: cisco, model: hyperflex hx data platform, scope: eq, version: 2.6(1e)

Trust: 1.0

vendor: cisco, model: hyperflex hx data platform, scope: eq, version: 3.5(1a)

Trust: 1.0

vendor: cisco, model: hyperflex hx data platform, scope: eq, version: 3.0(1b)

Trust: 1.0

vendor: cisco, model: hyperflex hx data platform, scope: eq, version: 3.0(1d)

Trust: 1.0

vendor: cisco, model: hyperflex hx data platform, scope: eq, version: 2.6(1a)

Trust: 1.0

vendor: cisco, model: hyperflex hx data platform, scope: eq, version: 3.0(1e)

Trust: 1.0

vendor: cisco, model: hyperflex hx data platform, scope: eq, version: 3.0(1h)

Trust: 1.0

vendor: cisco, model: hyperflex hx data platform, scope: eq, version: 3.0(1i)

Trust: 1.0

vendor: cisco, model: hyperflex hx data platform, scope: eq, version: 3.0(1c)

Trust: 1.0

vendor: cisco, model: hyperflex hx data platform, scope: eq, version: 3.0(1a)

Trust: 1.0

vendor: cisco, model: hyperflex hx data platform, scope: eq, version: 2.6(1d)

Trust: 1.0

vendor: cisco, model: hyperflex hx data platform, scope: eq, version: 2.6(1b)

Trust: 1.0

vendor: cisco, model: hyperflex, scope: lt, version: 3.5(2a)

Trust: 0.8

vendor: cisco, model: hyperflex software 3.5, scope: -, version: -

Trust: 0.3

vendor: cisco, model: hyperflex software 3.0, scope: -, version: -

Trust: 0.3

vendor: cisco, model: hyperflex software 3.5, scope: ne, version: -

Trust: 0.3

sources: BID: 107103 // JVNDB: JVNDB-2019-001948 // NVD: CVE-2019-1664

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1664
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1664
value: HIGH

Trust: 1.0

NVD: CVE-2019-1664
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201902-793
value: HIGH

Trust: 0.6

VULHUB: VHN-148806
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-1664
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-148806
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-1664
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1664
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.4
impactScore: 6.0
version: 3.0

Trust: 1.0

NVD: CVE-2019-1664
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-148806 // JVNDB: JVNDB-2019-001948 // CNNVD: CNNVD-201902-793 // NVD: CVE-2019-1664 // NVD: CVE-2019-1664

PROBLEMTYPE DATA

problemtype:CWE-284

Trust: 1.9

problemtype:CWE-287

Trust: 1.1

sources: VULHUB: VHN-148806 // JVNDB: JVNDB-2019-001948 // NVD: CVE-2019-1664

THREAT TYPE

local

Trust: 0.9

sources: BID: 107103 // CNNVD: CNNVD-201902-793

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201902-793

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-001948

PATCH

title: cisco-sa-20190220-chn-root-access, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-chn-root-access

Trust: 0.8

title: Cisco HyperFlex Software Fixes for access control error vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89587

Trust: 0.6

sources: JVNDB: JVNDB-2019-001948 // CNNVD: CNNVD-201902-793

EXTERNAL IDS

db: NVD, id: CVE-2019-1664

Trust: 2.8

db: BID, id: 107103

Trust: 2.0

db: JVNDB, id: JVNDB-2019-001948

Trust: 0.8

db: CNNVD, id: CNNVD-201902-793

Trust: 0.7

db: NSFOCUS, id: 42796

Trust: 0.6

db: AUSCERT, id: ESB-2019.0532.3

Trust: 0.6

db: CNVD, id: CNVD-2020-12738

Trust: 0.1

db: VULHUB, id: VHN-148806

Trust: 0.1

sources: VULHUB: VHN-148806 // BID: 107103 // JVNDB: JVNDB-2019-001948 // CNNVD: CNNVD-201902-793 // NVD: CVE-2019-1664

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190220-chn-root-access

Trust: 2.6

url:http://www.securityfocus.com/bid/107103

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-1664

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1664

Trust: 0.8

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190220-hyper-xss

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190220-hyper-retrieve

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190220-hyperflex-injection

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190220-hyper-write

Trust: 0.6

url:https://www.auscert.org.au/bulletins/75874

Trust: 0.6

url:http://www.nsfocus.net/vulndb/42796

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.0532.3/

Trust: 0.6

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-148806 // BID: 107103 // JVNDB: JVNDB-2019-001948 // CNNVD: CNNVD-201902-793 // NVD: CVE-2019-1664

CREDITS

This vulnerability was found during internal security testing. Cisco, vendor

Trust: 0.6

sources: CNNVD: CNNVD-201902-793

SOURCES

db: VULHUB, id: VHN-148806
db: BID, id: 107103
db: JVNDB, id: JVNDB-2019-001948
db: CNNVD, id: CNNVD-201902-793
db: NVD, id: CVE-2019-1664

LAST UPDATE DATE

2024-11-23T21:52:30.380000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-148806, date: 2020-10-05T00:00:00
db: BID, id: 107103, date: 2019-02-20T00:00:00
db: JVNDB, id: JVNDB-2019-001948, date: 2019-03-29T00:00:00
db: CNNVD, id: CNNVD-201902-793, date: 2020-10-09T00:00:00
db: NVD, id: CVE-2019-1664, date: 2024-11-21T04:37:02.840

SOURCES RELEASE DATE

db: VULHUB, id: VHN-148806, date: 2019-02-21T00:00:00
db: BID, id: 107103, date: 2019-02-20T00:00:00
db: JVNDB, id: JVNDB-2019-001948, date: 2019-03-29T00:00:00
db: CNNVD, id: CNNVD-201902-793, date: 2019-02-21T00:00:00
db: NVD, id: CVE-2019-1664, date: 2019-02-21T19:29:00.367