ID

VAR-201903-0571


CVE

CVE-2019-1756


TITLE

Cisco IOS XE Input validation vulnerability in software

Trust: 0.8

sources: JVNDB: JVNDB-2019-002960

DESCRIPTION

A vulnerability in Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying a username with a malicious payload in the web UI and subsequently making a request to a specific endpoint in the web UI. A successful exploit could allow the attacker to run arbitrary commands as the root user, allowing complete compromise of the system. Cisco IOS XE The software contains an input validation vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Cisco IOS XE Software is prone to a remote command-injection vulnerability

Trust: 2.07

sources: NVD: CVE-2019-1756 // JVNDB: JVNDB-2019-002960 // BID: 107598 // VULHUB: VHN-149818 // VULMON: CVE-2019-1756

AFFECTED PRODUCTS

vendor:ciscomodel:ios xescope:eqversion:16.8.1c

Trust: 1.0

vendor:ciscomodel:ios xescope:eqversion:16.7.1b

Trust: 1.0

vendor:ciscomodel:iosscope:eqversion:11.0\(20.3\)

Trust: 1.0

vendor:ciscomodel:ios xescope:eqversion:16.7.3

Trust: 1.0

vendor:ciscomodel:ios xescope:eqversion:16.7.2

Trust: 1.0

vendor:ciscomodel:iosscope:eqversion:16.9\(1\)

Trust: 1.0

vendor:ciscomodel:ios xescope:eqversion:16.8.1

Trust: 1.0

vendor:ciscomodel:ios xescope:eqversion:16.7.1a

Trust: 1.0

vendor:ciscomodel:ios xescope:eqversion:16.7.1

Trust: 1.0

vendor:ciscomodel:ios xescope:eqversion:16.8.1a

Trust: 1.0

vendor:ciscomodel:ios xescope:eqversion:16.8.1d

Trust: 1.0

vendor:ciscomodel:ios xescope:eqversion:16.8.1e

Trust: 1.0

vendor:ciscomodel:ios xescope:eqversion:16.8.1b

Trust: 1.0

vendor:ciscomodel:ios xescope:eqversion:16.8.2

Trust: 1.0

vendor:ciscomodel:ios xescope:eqversion:3.2.0ja

Trust: 1.0

vendor:ciscomodel:ios xescope:eqversion:16.8.1s

Trust: 1.0

vendor:ciscomodel:iosscope: - version: -

Trust: 0.8

vendor:ciscomodel:ios xescope: - version: -

Trust: 0.8

vendor:ciscomodel:ios xe softwarescope:eqversion:0

Trust: 0.3

vendor:ciscomodel:iosscope:eqversion:16.9(1)

Trust: 0.3

sources: BID: 107598 // JVNDB: JVNDB-2019-002960 // NVD: CVE-2019-1756

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1756
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1756
value: HIGH

Trust: 1.0

NVD: CVE-2019-1756
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201903-1093
value: HIGH

Trust: 0.6

VULHUB: VHN-149818
value: HIGH

Trust: 0.1

VULMON: CVE-2019-1756
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-1756
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-149818
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-1756
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.0

Trust: 2.8

sources: VULHUB: VHN-149818 // VULMON: CVE-2019-1756 // JVNDB: JVNDB-2019-002960 // CNNVD: CNNVD-201903-1093 // NVD: CVE-2019-1756 // NVD: CVE-2019-1756

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-149818 // JVNDB: JVNDB-2019-002960 // NVD: CVE-2019-1756

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-1093

TYPE

Input Validation Error

Trust: 0.9

sources: BID: 107598 // CNNVD: CNNVD-201903-1093

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002960

PATCH

title:cisco-sa-20190327-iosxe-cmdinjecturl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-cmdinject

Trust: 0.8

title:Cisco IOS XE Enter the fix for the verification vulnerabilityurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90508

Trust: 0.6

title:Cisco: Cisco IOS XE Software Command Injection Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20190327-iosxe-cmdinject

Trust: 0.1

title:Threatposturl:https://threatpost.com/cisco-releases-flood-of-patches-for-ios-xe-and-small-business-routers/143228/

Trust: 0.1

sources: VULMON: CVE-2019-1756 // JVNDB: JVNDB-2019-002960 // CNNVD: CNNVD-201903-1093

EXTERNAL IDS

db:NVDid:CVE-2019-1756

Trust: 2.9

db:BIDid:107598

Trust: 2.1

db:JVNDBid:JVNDB-2019-002960

Trust: 0.8

db:CNNVDid:CNNVD-201903-1093

Trust: 0.6

db:VULHUBid:VHN-149818

Trust: 0.1

db:VULMONid:CVE-2019-1756

Trust: 0.1

sources: VULHUB: VHN-149818 // VULMON: CVE-2019-1756 // BID: 107598 // JVNDB: JVNDB-2019-002960 // CNNVD: CNNVD-201903-1093 // NVD: CVE-2019-1756

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190327-iosxe-cmdinject

Trust: 2.8

url:http://www.securityfocus.com/bid/107598

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-1756

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1756

Trust: 0.8

url:https://vigilance.fr/vulnerability/cisco-ios-ios-xe-multiple-vulnerabilities-28888

Trust: 0.6

url:http://www.cisco.com/

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/20.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://threatpost.com/cisco-releases-flood-of-patches-for-ios-xe-and-small-business-routers/143228/

Trust: 0.1

sources: VULHUB: VHN-149818 // VULMON: CVE-2019-1756 // BID: 107598 // JVNDB: JVNDB-2019-002960 // CNNVD: CNNVD-201903-1093 // NVD: CVE-2019-1756

CREDITS

Cisco

Trust: 0.9

sources: BID: 107598 // CNNVD: CNNVD-201903-1093

SOURCES

db:VULHUBid:VHN-149818
db:VULMONid:CVE-2019-1756
db:BIDid:107598
db:JVNDBid:JVNDB-2019-002960
db:CNNVDid:CNNVD-201903-1093
db:NVDid:CVE-2019-1756

LAST UPDATE DATE

2024-08-14T14:26:23.758000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-149818date:2019-10-09T00:00:00
db:VULMONid:CVE-2019-1756date:2019-10-09T00:00:00
db:BIDid:107598date:2019-03-27T00:00:00
db:JVNDBid:JVNDB-2019-002960date:2019-04-26T00:00:00
db:CNNVDid:CNNVD-201903-1093date:2019-10-17T00:00:00
db:NVDid:CVE-2019-1756date:2019-10-09T23:47:59.220

SOURCES RELEASE DATE

db:VULHUBid:VHN-149818date:2019-03-28T00:00:00
db:VULMONid:CVE-2019-1756date:2019-03-28T00:00:00
db:BIDid:107598date:2019-03-27T00:00:00
db:JVNDBid:JVNDB-2019-002960date:2019-04-26T00:00:00
db:CNNVDid:CNNVD-201903-1093date:2019-03-27T00:00:00
db:NVDid:CVE-2019-1756date:2019-03-28T01:29:00.377