Sign-up

ID

VAR-201903-0556


CVE

CVE-2019-1615


TITLE

Cisco NX-OS Vulnerabilities related to digital signature verification in software

Trust: 0.8

sources: JVNDB: JVNDB-2019-002429

DESCRIPTION

A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device. The vulnerability is due to improper verification of digital signatures for software images. An attacker could exploit this vulnerability by loading an unsigned software image on an affected device. A successful exploit could allow the attacker to boot a malicious software image. Note: The fix for this vulnerability requires a BIOS upgrade as part of the software upgrade. For additional information, see the Details section of this advisory. Nexus 3000 Series Switches are affected running software versions prior to 7.0(3)I7(5). Nexus 9000 Series Fabric Switches in ACI Mode are affected running software versions prior to 13.2(1l). Nexus 9000 Series Switches in Standalone NX-OS Mode are affected running software versions prior to 7.0(3)I7(5). Nexus 9500 R-Series Line Cards and Fabric Modules are affected running software versions prior to 7.0(3)F3(5). Cisco NX-OS The software contains a vulnerability related to digital signature verification.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco NX-OS Software is prone to a local security-bypass vulnerability. An attacker may exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. This issue is being tracked by Cisco Bug ID CSCvj14135, CSCvk70903 and CSCvk70905

Trust: 1.98

sources: NVD: CVE-2019-1615 // JVNDB: JVNDB-2019-002429 // BID: 107397 // VULHUB: VHN-148267

AFFECTED PRODUCTS

vendor:ciscomodel:nx-osscope:eqversion:7.0\(3\)i7\(3\)

Trust: 1.0

vendor:ciscomodel:nx-osscope:eqversion:12.3\(0.97\)

Trust: 1.0

vendor:ciscomodel:nx-osscope:eqversion:7.0\(3\)i7\(5\)

Trust: 1.0

vendor:ciscomodel:nx-osscope:eqversion:9.2\(1\)

Trust: 1.0

vendor:ciscomodel:nx-osscope: - version: -

Trust: 0.8

vendor:ciscomodel:nx-osscope:eqversion:9.2(1)

Trust: 0.3

vendor:ciscomodel:nx-osscope:eqversion:9.2

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 i7scope: - version: -

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 i6scope: - version: -

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 i5scope: - version: -

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 i4scope: - version: -

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 f3scope: - version: -

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 f2scope: - version: -

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 f1scope: - version: -

Trust: 0.3

vendor:ciscomodel:nx-osscope:eqversion:14.0

Trust: 0.3

vendor:ciscomodel:nx-osscope:eqversion:13.2

Trust: 0.3

vendor:ciscomodel:nx-osscope:eqversion:13.1

Trust: 0.3

vendor:ciscomodel:nexus r-series line cards and fabric modulesscope:eqversion:95000

Trust: 0.3

vendor:ciscomodel:nexus series switches in standalone nx-os modescope:eqversion:90000

Trust: 0.3

vendor:ciscomodel:nexus series fabric switches aci modescope:eqversion:9000-0

Trust: 0.3

vendor:ciscomodel:nexus series switchesscope:eqversion:30000

Trust: 0.3

vendor:ciscomodel:nx-osscope:neversion:9.2(2)

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 i7scope:neversion: -

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 i4scope:neversion: -

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 f3scope:neversion: -

Trust: 0.3

vendor:ciscomodel:nx-os 14.0scope:neversion: -

Trust: 0.3

sources: BID: 107397 // JVNDB: JVNDB-2019-002429 // NVD: CVE-2019-1615

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1615
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1615
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1615
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201903-160
value: MEDIUM

Trust: 0.6

VULHUB: VHN-148267
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-1615
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-148267
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-1615
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 5.9
version: 3.0

Trust: 2.8

sources: VULHUB: VHN-148267 // JVNDB: JVNDB-2019-002429 // CNNVD: CNNVD-201903-160 // NVD: CVE-2019-1615 // NVD: CVE-2019-1615

PROBLEMTYPE DATA

problemtype:CWE-347

Trust: 1.9

sources: VULHUB: VHN-148267 // JVNDB: JVNDB-2019-002429 // NVD: CVE-2019-1615

THREAT TYPE

local

Trust: 0.3

sources: BID: 107397

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201903-160

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-002429

PATCH
title:cisco-sa-20190306-nxos-sig-verifurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-sig-verif
Trust: 0.8
title:Cisco NX-OS Software Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89835
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-002429 // 
            
            
            
            CNNVD: CNNVD-201903-160

EXTERNAL IDS
db:NVDid:CVE-2019-1615
Trust: 2.8
db:BIDid:107397
Trust: 1.4
db:JVNDBid:JVNDB-2019-002429
Trust: 0.8
db:CNNVDid:CNNVD-201903-160
Trust: 0.7
db:AUSCERTid:ESB-2019.0708.3
Trust: 0.6
db:NSFOCUSid:42883
Trust: 0.6
db:VULHUBid:VHN-148267
Trust: 0.1
sources:
            
            
            VULHUB: VHN-148267 // 
            
            
            
            BID: 107397 // 
            
            
            
            JVNDB: JVNDB-2019-002429 // 
            
            
            
            CNNVD: CNNVD-201903-160 // 
            
            
            
            NVD: CVE-2019-1615

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190306-nxos-sig-verif
Trust: 2.0
url:http://www.securityfocus.com/bid/107397
Trust: 1.1
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1615
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2019-1615
Trust: 0.8
url:https://www.auscert.org.au/bulletins/76610
Trust: 0.6
url:http://www.nsfocus.net/vulndb/42883
Trust: 0.6
url:https://vigilance.fr/vulnerability/cisco-nx-os-nexus-multiple-vulnerabilities-28681
Trust: 0.6
url:http://www.cisco.com/
Trust: 0.3
sources:
            
            
            VULHUB: VHN-148267 // 
            
            
            
            BID: 107397 // 
            
            
            
            JVNDB: JVNDB-2019-002429 // 
            
            
            
            CNNVD: CNNVD-201903-160 // 
            
            
            
            NVD: CVE-2019-1615

CREDITS
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.,vendor ?? ??
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201903-160

SOURCES
db:VULHUBid:VHN-148267
db:BIDid:107397
db:JVNDBid:JVNDB-2019-002429
db:CNNVDid:CNNVD-201903-160
db:NVDid:CVE-2019-1615

LAST UPDATE DATE
2024-11-23T22:33:57.861000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-148267date:2019-10-09T00:00:00
db:BIDid:107397date:2019-03-06T00:00:00
db:JVNDBid:JVNDB-2019-002429date:2019-04-09T00:00:00
db:CNNVDid:CNNVD-201903-160date:2019-03-12T00:00:00
db:NVDid:CVE-2019-1615date:2024-11-21T04:36:56.073

SOURCES RELEASE DATE
db:VULHUBid:VHN-148267date:2019-03-11T00:00:00
db:BIDid:107397date:2019-03-06T00:00:00
db:JVNDBid:JVNDB-2019-002429date:2019-04-09T00:00:00
db:CNNVDid:CNNVD-201903-160date:2019-03-06T00:00:00
db:NVDid:CVE-2019-1615date:2019-03-11T21:29:00.920