ID

VAR-201903-0540


CVE

CVE-2019-1602


TITLE

Cisco NX-OS Vulnerability related to authorization, authority, and access control in software

Trust: 0.8

sources: JVNDB: JVNDB-2019-002466

DESCRIPTION

A vulnerability in the filesystem permissions of Cisco NX-OS Software could allow an authenticated, local attacker to access sensitive data that could be used to elevate their privileges to administrator. The vulnerability is due to improper implementation of filesystem permissions. An attacker could exploit this vulnerability by logging in to the CLI of an affected device, accessing a specific file, and leveraging this information to authenticate to the NX-API server. A successful exploit could allow an attacker to make configuration changes as administrator. Note: NX-API is disabled by default. Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3500 Platform Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3600 Platform Switches are affected in versions prior to 7.0(3)F3(5). Nexus 9000 Series Switches-Standalone are affected in versions prior to 7.0(3)I7(4). Nexus 9500 R-Series Line Cards and Fabric Modules are affected in versions prior to 7.0(3)F3(5). Cisco NX-OS The software contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco NX-OS Software is prone to local insecure file-permissions vulnerability. A local attacker can exploit this issue to gain elevated privileges on an affected system. This issue is being tracked by Cisco bug ID CSCvj59009 and CSCvk70659

Trust: 1.98

sources: NVD: CVE-2019-1602 // JVNDB: JVNDB-2019-002466 // BID: 107332 // VULHUB: VHN-148124

AFFECTED PRODUCTS

vendor:ciscomodel:nx-osscope:gteversion:7.0\(3\)f1

Trust: 1.0

vendor:ciscomodel:nx-osscope:gteversion:7.0\(3\)i5

Trust: 1.0

vendor:ciscomodel:nx-osscope:ltversion:7.0\(3\)i7\(4\)

Trust: 1.0

vendor:ciscomodel:nx-osscope:gteversion:7.0\(3\)

Trust: 1.0

vendor:ciscomodel:nx-osscope:gteversion:7.0\(3\)f3

Trust: 1.0

vendor:ciscomodel:nx-osscope:ltversion:7.0\(3\)f3\(5\)

Trust: 1.0

vendor:ciscomodel:nx-osscope: - version: -

Trust: 0.8

vendor:ciscomodel:nx-osscope:eqversion:9.2(1)

Trust: 0.3

vendor:ciscomodel:nx-osscope:eqversion:9.2

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 i7scope: - version: -

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 i6scope: - version: -

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 i5scope: - version: -

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 i4scope: - version: -

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 f3scope: - version: -

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 f2scope: - version: -

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 f1scope: - version: -

Trust: 0.3

vendor:ciscomodel:nx-osscope:eqversion:6.0

Trust: 0.3

vendor:ciscomodel:nexus r-series line cards and fabric modulesscope:eqversion:95000

Trust: 0.3

vendor:ciscomodel:nexus series switches in standalone nx-os modescope:eqversion:90000

Trust: 0.3

vendor:ciscomodel:nexus platform switchesscope:eqversion:36000

Trust: 0.3

vendor:ciscomodel:nexus platform switchesscope:eqversion:35000

Trust: 0.3

vendor:ciscomodel:nexus series switchesscope:eqversion:30000

Trust: 0.3

vendor:ciscomodel:nx-osscope:neversion:9.2(2)

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 i7scope:neversion: -

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 f3scope:neversion: -

Trust: 0.3

vendor:ciscomodel:nx-os 6.0 a8scope:neversion: -

Trust: 0.3

sources: BID: 107332 // JVNDB: JVNDB-2019-002466 // NVD: CVE-2019-1602

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1602
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1602
value: HIGH

Trust: 1.0

NVD: CVE-2019-1602
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201903-181
value: HIGH

Trust: 0.6

VULHUB: VHN-148124
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-1602
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-148124
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-1602
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1602
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-148124 // JVNDB: JVNDB-2019-002466 // CNNVD: CNNVD-201903-181 // NVD: CVE-2019-1602 // NVD: CVE-2019-1602

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

problemtype:NVD-CWE-Other

Trust: 1.0

sources: VULHUB: VHN-148124 // JVNDB: JVNDB-2019-002466 // NVD: CVE-2019-1602

THREAT TYPE

local

Trust: 0.9

sources: BID: 107332 // CNNVD: CNNVD-201903-181

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201903-181

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002466

PATCH

title:cisco-sa-20190306-nxos-escalationurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-escalation

Trust: 0.8

title:Cisco NX-OS Software Fixes for permission permissions and access control vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89853

Trust: 0.6

sources: JVNDB: JVNDB-2019-002466 // CNNVD: CNNVD-201903-181

EXTERNAL IDS

db:NVDid:CVE-2019-1602

Trust: 2.8

db:BIDid:107332

Trust: 2.0

db:JVNDBid:JVNDB-2019-002466

Trust: 0.8

db:CNNVDid:CNNVD-201903-181

Trust: 0.7

db:VULHUBid:VHN-148124

Trust: 0.1

sources: VULHUB: VHN-148124 // BID: 107332 // JVNDB: JVNDB-2019-002466 // CNNVD: CNNVD-201903-181 // NVD: CVE-2019-1602

REFERENCES

url:http://www.securityfocus.com/bid/107332

Trust: 2.3

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190306-nxos-escalation

Trust: 2.0

url:https://nvd.nist.gov/vuln/detail/cve-2019-1602

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1602

Trust: 0.8

url:https://vigilance.fr/vulnerability/cisco-nx-os-nexus-multiple-vulnerabilities-28681

Trust: 0.6

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-148124 // BID: 107332 // JVNDB: JVNDB-2019-002466 // CNNVD: CNNVD-201903-181 // NVD: CVE-2019-1602

CREDITS

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Trust: 0.6

sources: CNNVD: CNNVD-201903-181

SOURCES

db:VULHUBid:VHN-148124
db:BIDid:107332
db:JVNDBid:JVNDB-2019-002466
db:CNNVDid:CNNVD-201903-181
db:NVDid:CVE-2019-1602

LAST UPDATE DATE

2024-08-14T15:18:06.381000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-148124date:2020-10-08T00:00:00
db:BIDid:107332date:2019-03-06T00:00:00
db:JVNDBid:JVNDB-2019-002466date:2019-04-09T00:00:00
db:CNNVDid:CNNVD-201903-181date:2020-10-09T00:00:00
db:NVDid:CVE-2019-1602date:2020-10-08T19:44:28.257

SOURCES RELEASE DATE

db:VULHUBid:VHN-148124date:2019-03-08T00:00:00
db:BIDid:107332date:2019-03-06T00:00:00
db:JVNDBid:JVNDB-2019-002466date:2019-04-09T00:00:00
db:CNNVDid:CNNVD-201903-181date:2019-03-06T00:00:00
db:NVDid:CVE-2019-1602date:2019-03-08T19:29:00.327