Details of VAR-201903-0551

ID

VAR-201903-0551

CVE

CVE-2019-1607

TITLE

Cisco NX-OS Software command injection vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2019-002417 // CNNVD: CNNVD-201903-161

DESCRIPTION

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device. The vulnerability is due to insufficient validation of arguments passed to certain CLI commands. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with elevated privileges. An attacker would need valid administrator credentials to exploit this vulnerability. Nexus 7000 and 7700 Series Switches are affected in versions prior to 6.2(22), 7.3(3)D1(1), and 8.2(3). Cisco NX-OS The software contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco NX-OS Software is a set of data center-level operating system software used by switches. This issue is being tracked by Cisco Bug ID and CSCvi01416

Trust: 2.52

sources: NVD: CVE-2019-1607 // JVNDB: JVNDB-2019-002417 // CNVD: CNVD-2020-47609 // BID: 107393 // VULHUB: VHN-148179

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-47609

AFFECTED PRODUCTS

vendor:	cisco	model:	nx-os	scope:	gte	version:	6.2	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	8.0	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	6.2\(22\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	8.2\(3\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	7.2	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	7.3\(3\)d1\(1\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	7700<6.2(22)	Trust: 0.6
vendor:	cisco	model:	nexus series switches <7.3 d1	scope:	eq	version:	7700	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	7700<8.2(3)	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	7000<6.2(22)	Trust: 0.6
vendor:	cisco	model:	nexus series switches <7.3 d1	scope:	eq	version:	7000	Trust: 0.6
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	7000<8.2(3)	Trust: 0.6
vendor:	cisco	model:	nx-os	scope:	eq	version:	8.3	Trust: 0.3
vendor:	cisco	model:	nx-os	scope:	eq	version:	8.2	Trust: 0.3
vendor:	cisco	model:	nx-os	scope:	eq	version:	8.1	Trust: 0.3
vendor:	cisco	model:	nx-os	scope:	eq	version:	8.0	Trust: 0.3
vendor:	cisco	model:	nx-os	scope:	eq	version:	7.3	Trust: 0.3
vendor:	cisco	model:	nx-os	scope:	eq	version:	7.2	Trust: 0.3
vendor:	cisco	model:	nx-os	scope:	eq	version:	6.2	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	77000	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	70000	Trust: 0.3
vendor:	cisco	model:	nx-os	scope:	ne	version:	8.3(2)	Trust: 0.3
vendor:	cisco	model:	nx-os	scope:	ne	version:	8.2(3)	Trust: 0.3
vendor:	cisco	model:	nx-os	scope:	ne	version:	6.2(22)	Trust: 0.3

sources: CNVD: CNVD-2020-47609 // BID: 107393 // JVNDB: JVNDB-2019-002417 // NVD: CVE-2019-1607

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-1607
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1607
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-1607
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2020-47609
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201903-161
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-148179
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-1607
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2020-47609
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-148179
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-1607
baseSeverity:	MEDIUM
baseScore:	6.7
vectorString:	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.8
impactScore:	5.9
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1607
baseSeverity:	MEDIUM
baseScore:	4.2
vectorString:	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	0.8
impactScore:	3.4
version:	3.0
Trust: 1.0
NVD:	CVE-2019-1607
baseSeverity:	MEDIUM
baseScore:	6.7
vectorString:	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-47609 // VULHUB: VHN-148179 // JVNDB: JVNDB-2019-002417 // CNNVD: CNNVD-201903-161 // NVD: CVE-2019-1607 // NVD: CVE-2019-1607

PROBLEMTYPE DATA

problemtype:	CWE-77	Trust: 1.9
problemtype:	CWE-88	Trust: 1.1

sources: VULHUB: VHN-148179 // JVNDB: JVNDB-2019-002417 // NVD: CVE-2019-1607

THREAT TYPE

local

Trust: 0.9

sources: BID: 107393 // CNNVD: CNNVD-201903-161

TYPE

parameter injection

Trust: 0.6

sources: CNNVD: CNNVD-201903-161

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002417

PATCH

title:	cisco-sa-20190306-nxos-cmdinj-1607	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-cmdinj-1607	Trust: 0.8
title:	Patch for Cisco NX-OS Software command injection vulnerability (CNVD-2020-47609)	url:	https://www.cnvd.org.cn/patchInfo/show/231493	Trust: 0.6
title:	Cisco NX-OS Software Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89836	Trust: 0.6

sources: CNVD: CNVD-2020-47609 // JVNDB: JVNDB-2019-002417 // CNNVD: CNNVD-201903-161

EXTERNAL IDS

db:	NVD	id:	CVE-2019-1607	Trust: 3.4
db:	BID	id:	107393	Trust: 2.0
db:	JVNDB	id:	JVNDB-2019-002417	Trust: 0.8
db:	CNNVD	id:	CNNVD-201903-161	Trust: 0.7
db:	CNVD	id:	CNVD-2020-47609	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.0699.2	Trust: 0.6
db:	NSFOCUS	id:	42880	Trust: 0.6
db:	VULHUB	id:	VHN-148179	Trust: 0.1

sources: CNVD: CNVD-2020-47609 // VULHUB: VHN-148179 // BID: 107393 // JVNDB: JVNDB-2019-002417 // CNNVD: CNNVD-201903-161 // NVD: CVE-2019-1607

REFERENCES

url:	http://www.securityfocus.com/bid/107393	Trust: 2.3
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190306-nxos-cmdinj-1607	Trust: 2.0
url:	https://nvd.nist.gov/vuln/detail/cve-2019-1607	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1607	Trust: 0.8
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190306-nxos-cmdinj-	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/76574	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-nx-os-nexus-multiple-vulnerabilities-28681	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/42880	Trust: 0.6
url:	http://www.cisco.com/	Trust: 0.3

sources: CNVD: CNVD-2020-47609 // VULHUB: VHN-148179 // BID: 107393 // JVNDB: JVNDB-2019-002417 // CNNVD: CNNVD-201903-161 // NVD: CVE-2019-1607

CREDITS

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.,vendor ?? ??

Trust: 0.6

sources: CNNVD: CNNVD-201903-161

SOURCES

db:	CNVD	id:	CNVD-2020-47609
db:	VULHUB	id:	VHN-148179
db:	BID	id:	107393
db:	JVNDB	id:	JVNDB-2019-002417
db:	CNNVD	id:	CNNVD-201903-161
db:	NVD	id:	CVE-2019-1607

LAST UPDATE DATE

2024-08-14T13:26:50.464000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-47609	date:	2020-08-24T00:00:00
db:	VULHUB	id:	VHN-148179	date:	2020-10-05T00:00:00
db:	BID	id:	107393	date:	2019-03-06T00:00:00
db:	JVNDB	id:	JVNDB-2019-002417	date:	2019-04-09T00:00:00
db:	CNNVD	id:	CNNVD-201903-161	date:	2020-10-09T00:00:00
db:	NVD	id:	CVE-2019-1607	date:	2020-10-05T19:50:36.973

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-47609	date:	2019-08-26T00:00:00
db:	VULHUB	id:	VHN-148179	date:	2019-03-08T00:00:00
db:	BID	id:	107393	date:	2019-03-06T00:00:00
db:	JVNDB	id:	JVNDB-2019-002417	date:	2019-04-09T00:00:00
db:	CNNVD	id:	CNNVD-201903-161	date:	2019-03-06T00:00:00
db:	NVD	id:	CVE-2019-1607	date:	2019-03-08T20:29:00.417