ID

VAR-201903-0547


CVE

CVE-2019-1614


TITLE

Cisco NX-OS Software command injection vulnerability

Trust: 2.0

sources: CNVD: CNVD-2020-47611 // JVNDB: JVNDB-2019-002465 // CNNVD: CNNVD-201903-154

DESCRIPTION

A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The vulnerability is due to incorrect input validation of user-supplied data by the NX-API subsystem. An attacker could exploit this vulnerability by sending malicious HTTP or HTTPS packets to the management interface of an affected system that has the NX-API feature enabled. A successful exploit could allow the attacker to perform a command-injection attack and execute arbitrary commands with root privileges. Note: NX-API is disabled by default. MDS 9000 Series Multilayer Switches are affected when running software versions prior to 8.1(1b) and 8.2(3). Nexus 3000 Series Switches are affected when running software versions prior to 7.0(3)I4(9) and 7.0(3)I7(4). Nexus 3500 Platform Switches are affected when running software versions prior to 7.0(3)I7(4). Nexus 2000, 5500, 5600, and 6000 Series Switches are affected when running software versions prior to 7.3(4)N1(1). Nexus 9000 Series Switches in Standalone NX-OS Mode are affected when running software versions prior to 7.0(3)I4(9) and 7.0(3)I7(4). Nexus 7000 and 7700 Series Switches are affected when running software versions prior to 7.3(3)D1(1) and 8.2(3). Cisco NX-OS Software contains a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). are all products of the US Cisco (Cisco). Cisco NX-OS Software is a set of data center-level operating system software used by switches. This issue is being tracked by Cisco bug IDs CSCvj17615, CSCvk51420, and CSCvk51423.

Trust: 2.52

sources: NVD: CVE-2019-1614 // JVNDB: JVNDB-2019-002465 // CNVD: CNVD-2020-47611 // BID: 107339 // VULHUB: VHN-148256

IOT TAXONOMY

category: ['Network device'] | sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-47611

AFFECTED PRODUCTS

vendor: cisco | model: nx-os | scope: gte | version: 8.0

Trust: 1.0

vendor: cisco | model: nx-os | scope: gte | version: 7.0(3)i5

Trust: 1.0

vendor: cisco | model: nx-os | scope: lt | version: 7.3(4)n1(1)

Trust: 1.0

vendor: cisco | model: nx-os | scope: lt | version: 8.2(3)

Trust: 1.0

vendor: cisco | model: nx-os | scope: gte | version: 7.3

Trust: 1.0

vendor: cisco | model: nx-os | scope: gte | version: 7.2

Trust: 1.0

vendor: cisco | model: nx-os | scope: lt | version: 7.0(3)i4(9)

Trust: 1.0

vendor: cisco | model: nx-os | scope: lt | version: 7.3(3)i4(9)

Trust: 1.0

vendor: cisco | model: nx-os | scope: gte | version: 8.3

Trust: 1.0

vendor: cisco | model: nx-os | scope: lt | version: 7.0(3)i7(4)

Trust: 1.0

vendor: cisco | model: nx-os | scope: lt | version: 8.1(1b)

Trust: 1.0

vendor: cisco | model: nx-os | scope: gte | version: 7.0(3)

Trust: 1.0

vendor: cisco | model: nx-os | scope: gte | version: 8.2

Trust: 1.0

vendor: cisco | model: nx-os | scope: lt | version: 8.3(2)

Trust: 1.0

vendor: cisco | model: nx-os | scope: lt | version: 7.3(3)d1(1)

Trust: 1.0

vendor: cisco | model: nx-os | scope: - | version: -

Trust: 0.8

vendor: cisco | model: nexus series switches | scope: eq | version: 3000

Trust: 0.6

vendor: cisco | model: nexus series switches | scope: eq | version: 7000

Trust: 0.6

vendor: cisco | model: nexus series switches | scope: eq | version: 6000

Trust: 0.6

vendor: cisco | model: nexus series switches | scope: eq | version: 7700

Trust: 0.6

vendor: cisco | model: nexus platform switches | scope: eq | version: 5600

Trust: 0.6

vendor: cisco | model: nexus platform switches | scope: eq | version: 5500

Trust: 0.6

vendor: cisco | model: nexus series fabric extenders | scope: eq | version: 2000

Trust: 0.6

vendor: cisco | model: nexus platform switches | scope: eq | version: 3500

Trust: 0.6

vendor: cisco | model: mds series multilayer switches | scope: eq | version: 9000

Trust: 0.6

vendor: cisco | model: nexus series switches in standalone nx-os mode | scope: eq | version: 9000

Trust: 0.6

vendor: cisco | model: nx-os | scope: eq | version: 8.3

Trust: 0.3

vendor: cisco | model: nx-os | scope: eq | version: 8.2

Trust: 0.3

vendor: cisco | model: nx-os | scope: eq | version: 8.1

Trust: 0.3

vendor: cisco | model: nx-os | scope: eq | version: 8.0

Trust: 0.3

vendor: cisco | model: nx-os | scope: eq | version: 7.3

Trust: 0.3

vendor: cisco | model: nx-os | scope: eq | version: 7.2

Trust: 0.3

vendor: cisco | model: nx-os 7.0 i7 | scope: - | version: -

Trust: 0.3

vendor: cisco | model: nx-os 7.0 i6 | scope: - | version: -

Trust: 0.3

vendor: cisco | model: nx-os 7.0 i5 | scope: - | version: -

Trust: 0.3

vendor: cisco | model: nx-os 7.0 i4 | scope: - | version: -

Trust: 0.3

vendor: cisco | model: nx-os | scope: eq | version: 7.0(3)

Trust: 0.3

vendor: cisco | model: nexus series switches in standalone nx-os mode | scope: eq | version: 90000

Trust: 0.3

vendor: cisco | model: nexus series switches | scope: eq | version: 77000

Trust: 0.3

vendor: cisco | model: nexus series switches | scope: eq | version: 70000

Trust: 0.3

vendor: cisco | model: nexus series switches | scope: eq | version: 60000

Trust: 0.3

vendor: cisco | model: nexus platform switches | scope: eq | version: 56000

Trust: 0.3

vendor: cisco | model: nexus platform switches | scope: eq | version: 55000

Trust: 0.3

vendor: cisco | model: nexus platform switches | scope: eq | version: 35000

Trust: 0.3

vendor: cisco | model: nexus series switches | scope: eq | version: 30000

Trust: 0.3

vendor: cisco | model: nexus series fabric extenders | scope: eq | version: 20000

Trust: 0.3

vendor: cisco | model: mds series multilayer switches | scope: eq | version: 90000

Trust: 0.3

vendor: cisco | model: nx-os | scope: ne | version: 8.3(2)

Trust: 0.3

vendor: cisco | model: nx-os | scope: ne | version: 8.2(3)

Trust: 0.3

vendor: cisco | model: nx-os 7.3 n1 | scope: ne | version: -

Trust: 0.3

vendor: cisco | model: nx-os 7.0 i7 | scope: ne | version: -

Trust: 0.3

sources: CNVD: CNVD-2020-47611 // BID: 107339 // JVNDB: JVNDB-2019-002465 // NVD: CVE-2019-1614

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1614
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1614
value: HIGH

Trust: 1.0

NVD: CVE-2019-1614
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-47611
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201903-154
value: HIGH

Trust: 0.6

VULHUB: VHN-148256
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-1614
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-47611
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-148256
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-1614
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1614
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2020-47611 // VULHUB: VHN-148256 // JVNDB: JVNDB-2019-002465 // CNNVD: CNNVD-201903-154 // NVD: CVE-2019-1614 // NVD: CVE-2019-1614

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.9

problemtype:CWE-78

Trust: 1.1

sources: VULHUB: VHN-148256 // JVNDB: JVNDB-2019-002465 // NVD: CVE-2019-1614

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-154

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-201903-154

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002465

PATCH

title: cisco-sa-20190306-nxos-NXAPI-cmdinj | url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-NXAPI-cmdinj

Trust: 0.8

title: Patch for Cisco NX-OS Software command injection vulnerability | url: https://www.cnvd.org.cn/patchInfo/show/231484

Trust: 0.6

title: Cisco NX-OS Software Fixes for command injection vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89831

Trust: 0.6

sources: CNVD: CNVD-2020-47611 // JVNDB: JVNDB-2019-002465 // CNNVD: CNNVD-201903-154

EXTERNAL IDS

db: NVD | id: CVE-2019-1614

Trust: 3.4

db: BID | id: 107339

Trust: 1.4

db: JVNDB | id: JVNDB-2019-002465

Trust: 0.8

db: CNNVD | id: CNNVD-201903-154

Trust: 0.7

db: CNVD | id: CNVD-2020-47611

Trust: 0.6

db: NSFOCUS | id: 42886

Trust: 0.6

db: VULHUB | id: VHN-148256

Trust: 0.1

sources: CNVD: CNVD-2020-47611 // VULHUB: VHN-148256 // BID: 107339 // JVNDB: JVNDB-2019-002465 // CNNVD: CNNVD-201903-154 // NVD: CVE-2019-1614

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190306-nxos-nxapi-cmdinj

Trust: 2.0

url:https://nvd.nist.gov/vuln/detail/cve-2019-1614

Trust: 1.4

url:http://www.securityfocus.com/bid/107339

Trust: 1.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1614

Trust: 0.8

url:http://www.nsfocus.net/vulndb/42886

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-nx-os-nexus-multiple-vulnerabilities-28681

Trust: 0.6

url:http://www.cisco.com/

Trust: 0.3

sources: CNVD: CNVD-2020-47611 // VULHUB: VHN-148256 // BID: 107339 // JVNDB: JVNDB-2019-002465 // CNNVD: CNNVD-201903-154 // NVD: CVE-2019-1614

CREDITS

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Trust: 0.6

sources: CNNVD: CNNVD-201903-154

SOURCES

db: CNVD | id: CNVD-2020-47611
db: VULHUB | id: VHN-148256
db: BID | id: 107339
db: JVNDB | id: JVNDB-2019-002465
db: CNNVD | id: CNNVD-201903-154
db: NVD | id: CVE-2019-1614

LAST UPDATE DATE

2024-08-14T15:34:03.902000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2020-47611 | date: 2020-08-24T00:00:00
db: VULHUB | id: VHN-148256 | date: 2020-10-05T00:00:00
db: BID | id: 107339 | date: 2019-03-06T00:00:00
db: JVNDB | id: JVNDB-2019-002465 | date: 2019-04-09T00:00:00
db: CNNVD | id: CNNVD-201903-154 | date: 2019-03-12T00:00:00
db: NVD | id: CVE-2019-1614 | date: 2020-10-05T20:01:50.977

SOURCES RELEASE DATE

db: CNVD | id: CNVD-2020-47611 | date: 2019-08-26T00:00:00
db: VULHUB | id: VHN-148256 | date: 2019-03-11T00:00:00
db: BID | id: 107339 | date: 2019-03-06T00:00:00
db: JVNDB | id: JVNDB-2019-002465 | date: 2019-04-09T00:00:00
db: CNNVD | id: CNNVD-201903-154 | date: 2019-03-06T00:00:00
db: NVD | id: CVE-2019-1614 | date: 2019-03-11T21:29:00.873