Details of VAR-201903-0539

ID

VAR-201903-0539

CVE

CVE-2019-1601

TITLE

Cisco NX-OS Software access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-002530

DESCRIPTION

A vulnerability in the filesystem permissions of Cisco NX-OS Software could allow an authenticated, local attacker to gain read and write access to a critical configuration file. The vulnerability is due to a failure to impose strict filesystem permissions on the targeted device. An attacker could exploit this vulnerability by accessing and modifying restricted files. A successful exploit could allow an attacker to use the content of this configuration file to bypass authentication and log in as any user of the device. MDS 9000 Series Multilayer Switches are affected in versions prior to 6.2(25), 8.1(1b), and 8.3(1). Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I4(9) and 7.0(3)I7(4). Nexus 3500 Platform Switches are affected in versions prior to 6.0(2)A8(10) and 7.0(3)I7(4). Nexus 3600 Platform Switches are affected in versions prior to 7.0(3)F3(5). Nexus 2000, 5500, 5600, and 6000 Series Switches are affected in versions prior to 7.1(5)N1(1b) and 7.3(3)N1(1). Nexus 7000 and 7700 Series Switches are affected in versions prior to 6.2(22), 7.3(3)D1(1), and 8.2(3). Nexus 9000 Series Switches-Standalone are affected in versions prior to 7.0(3)I4(9) and 7.0(3)I7(4). Nexus 9500 R-Series Line Cards and Fabric Modules are affected in versions prior to 7.0(3)F3(5). Cisco NX-OS There is an access control vulnerability in the software.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco NX-OS Software is a data center-level operating system software used by a set of switches of Cisco

Trust: 1.71

sources: NVD: CVE-2019-1601 // JVNDB: JVNDB-2019-002530 // VULHUB: VHN-148113

AFFECTED PRODUCTS

vendor:	cisco	model:	nx-os	scope:	lt	version:	8.1\(1b\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	8.3\(1\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	7.0\(3\)f3	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	7.0\(3\)i5	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	7.0\(3\)i7\(4\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	7.3\(3\)n1\(1\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	7.0\(3\)f3\(5\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	6.0\(2\)a8\(10\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	7.2	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	7.3\(3\)d1\(1\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	7.0\(3\)f1	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	7.1\(5\)n1\(1b\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	7.0\(3\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	7.3	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	7.0\(3\)i4\(9\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	8.2	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	6.2\(22\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	8.0	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	6.2\(25\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	8.1\(2\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2019-002530 // NVD: CVE-2019-1601

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-1601
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1601
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-1601
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201903-183
value:	HIGH
Trust: 0.6
VULHUB:	VHN-148113
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-1601
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-148113
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

ykramarz@cisco.com:	CVE-2019-1601
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2019-1601
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-148113 // JVNDB: JVNDB-2019-002530 // CNNVD: CNNVD-201903-183 // NVD: CVE-2019-1601 // NVD: CVE-2019-1601

PROBLEMTYPE DATA

problemtype:	CWE-284	Trust: 1.9
problemtype:	CWE-732	Trust: 1.1

sources: VULHUB: VHN-148113 // JVNDB: JVNDB-2019-002530 // NVD: CVE-2019-1601

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201903-183

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201903-183

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002530

PATCH

title:	cisco-sa-20190306-nxos-file-access	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-file-access	Trust: 0.8
title:	Cisco NX-OS Software Fixes for access control error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89855	Trust: 0.6

sources: JVNDB: JVNDB-2019-002530 // CNNVD: CNNVD-201903-183

EXTERNAL IDS

db:	NVD	id:	CVE-2019-1601	Trust: 2.5
db:	BID	id:	107404	Trust: 1.7
db:	JVNDB	id:	JVNDB-2019-002530	Trust: 0.8
db:	CNNVD	id:	CNNVD-201903-183	Trust: 0.7
db:	NSFOCUS	id:	42899	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.0704.5	Trust: 0.6
db:	VULHUB	id:	VHN-148113	Trust: 0.1

sources: VULHUB: VHN-148113 // JVNDB: JVNDB-2019-002530 // CNNVD: CNNVD-201903-183 // NVD: CVE-2019-1601

REFERENCES

url:	http://www.securityfocus.com/bid/107404	Trust: 2.3
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190306-nxos-file-access	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-1601	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1601	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/42899	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/76594	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-nx-os-nexus-multiple-vulnerabilities-28681	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-nx-os-privilege-escalation-via-filesystem-access-28782	Trust: 0.6

sources: VULHUB: VHN-148113 // JVNDB: JVNDB-2019-002530 // CNNVD: CNNVD-201903-183 // NVD: CVE-2019-1601

CREDITS

vendor ?? ??

Trust: 0.6

sources: CNNVD: CNNVD-201903-183

SOURCES

db:	VULHUB	id:	VHN-148113
db:	JVNDB	id:	JVNDB-2019-002530
db:	CNNVD	id:	CNNVD-201903-183
db:	NVD	id:	CVE-2019-1601

LAST UPDATE DATE

2024-11-23T22:06:18.623000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-148113	date:	2020-10-08T00:00:00
db:	JVNDB	id:	JVNDB-2019-002530	date:	2019-04-10T00:00:00
db:	CNNVD	id:	CNNVD-201903-183	date:	2020-10-09T00:00:00
db:	NVD	id:	CVE-2019-1601	date:	2024-11-21T04:36:54.010

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-148113	date:	2019-03-08T00:00:00
db:	JVNDB	id:	JVNDB-2019-002530	date:	2019-04-10T00:00:00
db:	CNNVD	id:	CNNVD-201903-183	date:	2019-03-06T00:00:00
db:	NVD	id:	CVE-2019-1601	date:	2019-03-08T18:29:00.367