Details of VAR-201903-0547

ID

VAR-201903-0547

CVE

CVE-2019-1614

TITLE

Cisco NX-OS Software command injection vulnerability

Trust: 2.0

sources: CNVD: CNVD-2020-47611 // JVNDB: JVNDB-2019-002465 // CNNVD: CNNVD-201903-154

DESCRIPTION

A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The vulnerability is due to incorrect input validation of user-supplied data by the NX-API subsystem. An attacker could exploit this vulnerability by sending malicious HTTP or HTTPS packets to the management interface of an affected system that has the NX-API feature enabled. A successful exploit could allow the attacker to perform a command-injection attack and execute arbitrary commands with root privileges. Note: NX-API is disabled by default. MDS 9000 Series Multilayer Switches are affected running software versions prior to 8.1(1b) and 8.2(3). Nexus 3000 Series Switches are affected running software versions prior to 7.0(3)I4(9) and 7.0(3)I7(4). Nexus 3500 Platform Switches are affected running software versions prior to 7.0(3)I7(4). Nexus 2000, 5500, 5600, and 6000 Series Switches are affected running software versions prior to 7.3(4)N1(1). Nexus 9000 Series Switches in Standalone NX-OS Mode are affected running software versions prior to 7.0(3)I4(9) and 7.0(3)I7(4). Nexus 7000 and 7700 Series Switches are affected running software versions prior to 7.3(3)D1(1) and 8.2(3). Cisco NX-OS The software contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. are all products of the US Cisco (Cisco). Cisco NX-OS Software is a set of data center-level operating system software used by switches. This issue is being tracked by Cisco bug ID CSCvj17615, CSCvk51420, CSCvk51423

Trust: 2.52

sources: NVD: CVE-2019-1614 // JVNDB: JVNDB-2019-002465 // CNVD: CNVD-2020-47611 // BID: 107339 // VULHUB: VHN-148256

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-47611

AFFECTED PRODUCTS

vendor:	cisco	model:	nx-os	scope:	gte	version:	8.0	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	7.0\(3\)i5	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	7.3\(4\)n1\(1\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	8.2\(3\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	7.3	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	7.2	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	7.0\(3\)i4\(9\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	7.3\(3\)i4\(9\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	8.3	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	7.0\(3\)i7\(4\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	8.1\(1b\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	7.0\(3\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	8.2	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	8.3\(2\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	7.3\(3\)d1\(1\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	nexus series switche	scope:	eq	version:	3000	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	7000	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	6000	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	7700	Trust: 0.6
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	5600	Trust: 0.6
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	5500	Trust: 0.6
vendor:	cisco	model:	nexus series fabric extenders	scope:	eq	version:	2000	Trust: 0.6
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	3500	Trust: 0.6
vendor:	cisco	model:	mds series multilayer switches	scope:	eq	version:	9000	Trust: 0.6
vendor:	cisco	model:	nexus series switches in standalone nx-os mode	scope:	eq	version:	9000	Trust: 0.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	8.3	Trust: 0.3
vendor:	cisco	model:	nx-os	scope:	eq	version:	8.2	Trust: 0.3
vendor:	cisco	model:	nx-os	scope:	eq	version:	8.1	Trust: 0.3
vendor:	cisco	model:	nx-os	scope:	eq	version:	8.0	Trust: 0.3
vendor:	cisco	model:	nx-os	scope:	eq	version:	7.3	Trust: 0.3
vendor:	cisco	model:	nx-os	scope:	eq	version:	7.2	Trust: 0.3
vendor:	cisco	model:	nx-os 7.0 i7	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	nx-os 7.0 i6	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	nx-os 7.0 i5	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	nx-os 7.0 i4	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	nx-os	scope:	eq	version:	7.0(3)	Trust: 0.3
vendor:	cisco	model:	nexus series switches in standalone nx-os mode	scope:	eq	version:	90000	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	77000	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	70000	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	60000	Trust: 0.3
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	56000	Trust: 0.3
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	55000	Trust: 0.3
vendor:	cisco	model:	nexus platform switches	scope:	eq	version:	35000	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	30000	Trust: 0.3
vendor:	cisco	model:	nexus series fabric extenders	scope:	eq	version:	20000	Trust: 0.3
vendor:	cisco	model:	mds series multilayer switches	scope:	eq	version:	90000	Trust: 0.3
vendor:	cisco	model:	nx-os	scope:	ne	version:	8.3(2)	Trust: 0.3
vendor:	cisco	model:	nx-os	scope:	ne	version:	8.2(3)	Trust: 0.3
vendor:	cisco	model:	nx-os 7.3 n1	scope:	ne	version:	-	Trust: 0.3
vendor:	cisco	model:	nx-os 7.0 i7	scope:	ne	version:	-	Trust: 0.3

sources: CNVD: CNVD-2020-47611 // BID: 107339 // JVNDB: JVNDB-2019-002465 // NVD: CVE-2019-1614

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-1614
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1614
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-1614
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2020-47611
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201903-154
value:	HIGH
Trust: 0.6
VULHUB:	VHN-148256
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-1614
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2020-47611
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-148256
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

ykramarz@cisco.com:	CVE-2019-1614
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2019-1614
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2020-47611 // VULHUB: VHN-148256 // JVNDB: JVNDB-2019-002465 // CNNVD: CNNVD-201903-154 // NVD: CVE-2019-1614 // NVD: CVE-2019-1614

PROBLEMTYPE DATA

problemtype:	CWE-77	Trust: 1.9
problemtype:	CWE-78	Trust: 1.1

sources: VULHUB: VHN-148256 // JVNDB: JVNDB-2019-002465 // NVD: CVE-2019-1614

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-154

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-201903-154

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002465

PATCH

title:	cisco-sa-20190306-nxos-NXAPI-cmdinj	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-NXAPI-cmdinj	Trust: 0.8
title:	Patch for Cisco NX-OS Software command injection vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/231484	Trust: 0.6
title:	Cisco NX-OS Software Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89831	Trust: 0.6

sources: CNVD: CNVD-2020-47611 // JVNDB: JVNDB-2019-002465 // CNNVD: CNNVD-201903-154

EXTERNAL IDS

db:	NVD	id:	CVE-2019-1614	Trust: 3.4
db:	BID	id:	107339	Trust: 1.4
db:	JVNDB	id:	JVNDB-2019-002465	Trust: 0.8
db:	CNNVD	id:	CNNVD-201903-154	Trust: 0.7
db:	CNVD	id:	CNVD-2020-47611	Trust: 0.6
db:	NSFOCUS	id:	42886	Trust: 0.6
db:	VULHUB	id:	VHN-148256	Trust: 0.1

sources: CNVD: CNVD-2020-47611 // VULHUB: VHN-148256 // BID: 107339 // JVNDB: JVNDB-2019-002465 // CNNVD: CNNVD-201903-154 // NVD: CVE-2019-1614

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190306-nxos-nxapi-cmdinj	Trust: 2.0
url:	https://nvd.nist.gov/vuln/detail/cve-2019-1614	Trust: 1.4
url:	http://www.securityfocus.com/bid/107339	Trust: 1.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1614	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/42886	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-nx-os-nexus-multiple-vulnerabilities-28681	Trust: 0.6
url:	http://www.cisco.com/	Trust: 0.3

sources: CNVD: CNVD-2020-47611 // VULHUB: VHN-148256 // BID: 107339 // JVNDB: JVNDB-2019-002465 // CNNVD: CNNVD-201903-154 // NVD: CVE-2019-1614

CREDITS

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.,vendor ?? ??

Trust: 0.6

sources: CNNVD: CNNVD-201903-154

SOURCES

db:	CNVD	id:	CNVD-2020-47611
db:	VULHUB	id:	VHN-148256
db:	BID	id:	107339
db:	JVNDB	id:	JVNDB-2019-002465
db:	CNNVD	id:	CNNVD-201903-154
db:	NVD	id:	CVE-2019-1614

LAST UPDATE DATE

2024-08-14T15:34:03.902000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-47611	date:	2020-08-24T00:00:00
db:	VULHUB	id:	VHN-148256	date:	2020-10-05T00:00:00
db:	BID	id:	107339	date:	2019-03-06T00:00:00
db:	JVNDB	id:	JVNDB-2019-002465	date:	2019-04-09T00:00:00
db:	CNNVD	id:	CNNVD-201903-154	date:	2019-03-12T00:00:00
db:	NVD	id:	CVE-2019-1614	date:	2020-10-05T20:01:50.977

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-47611	date:	2019-08-26T00:00:00
db:	VULHUB	id:	VHN-148256	date:	2019-03-11T00:00:00
db:	BID	id:	107339	date:	2019-03-06T00:00:00
db:	JVNDB	id:	JVNDB-2019-002465	date:	2019-04-09T00:00:00
db:	CNNVD	id:	CNNVD-201903-154	date:	2019-03-06T00:00:00
db:	NVD	id:	CVE-2019-1614	date:	2019-03-11T21:29:00.873