ID

VAR-201903-0577


CVE

CVE-2019-1690


TITLE

Cisco Application Policy Infrastructure Controller Software access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-002452

DESCRIPTION

A vulnerability in the management interface of Cisco Application Policy Infrastructure Controller (APIC) software could allow an unauthenticated, adjacent attacker to gain unauthorized access on an affected device. The vulnerability is due to a lack of proper access control mechanisms for IPv6 link-local connectivity imposed on the management interface of an affected device. An attacker on the same physical network could exploit this vulnerability by attempting to connect to the IPv6 link-local address on the affected device. A successful exploit could allow the attacker to bypass default access control restrictions on an affected device. Cisco Application Policy Infrastructure Controller (APIC) devices running versions prior to 4.2(0.21c) are affected. This may lead to further attacks. This issue is being tracked by Cisco Bug ID CSCvn09855

Trust: 1.98

sources: NVD: CVE-2019-1690 // JVNDB: JVNDB-2019-002452 // BID: 107317 // VULHUB: VHN-149092

AFFECTED PRODUCTS

vendor:ciscomodel:application policy infrastructure controllerscope:ltversion:4.2\(0.21c\)

Trust: 1.0

vendor:ciscomodel:application policy infrastructure controllerscope:ltversion:4.2(0.21c)

Trust: 0.8

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:0

Trust: 0.3

sources: BID: 107317 // JVNDB: JVNDB-2019-002452 // NVD: CVE-2019-1690

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1690
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1690
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1690
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201903-203
value: MEDIUM

Trust: 0.6

VULHUB: VHN-149092
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2019-1690
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:N/I:P/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-149092
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:N/I:P/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-1690
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1690
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.0

Trust: 1.0

NVD: CVE-2019-1690
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-149092 // JVNDB: JVNDB-2019-002452 // CNNVD: CNNVD-201903-203 // NVD: CVE-2019-1690 // NVD: CVE-2019-1690

PROBLEMTYPE DATA

problemtype:CWE-284

Trust: 1.9

problemtype:NVD-CWE-Other

Trust: 1.0

sources: VULHUB: VHN-149092 // JVNDB: JVNDB-2019-002452 // NVD: CVE-2019-1690

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201903-203

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201903-203

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002452

PATCH

title:cisco-sa-20190306-apic-ipv6url:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-apic-ipv6

Trust: 0.8

title:Cisco Application Policy Infrastructure Controller Fixes for access control error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89873

Trust: 0.6

sources: JVNDB: JVNDB-2019-002452 // CNNVD: CNNVD-201903-203

EXTERNAL IDS

db:NVDid:CVE-2019-1690

Trust: 2.8

db:BIDid:107317

Trust: 2.0

db:JVNDBid:JVNDB-2019-002452

Trust: 0.8

db:CNNVDid:CNNVD-201903-203

Trust: 0.7

db:AUSCERTid:ESB-2019.0713.2

Trust: 0.6

db:VULHUBid:VHN-149092

Trust: 0.1

sources: VULHUB: VHN-149092 // BID: 107317 // JVNDB: JVNDB-2019-002452 // CNNVD: CNNVD-201903-203 // NVD: CVE-2019-1690

REFERENCES

url:http://www.securityfocus.com/bid/107317

Trust: 2.3

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190306-apic-ipv6

Trust: 2.0

url:https://nvd.nist.gov/vuln/detail/cve-2019-1690

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1690

Trust: 0.8

url:https://www.auscert.org.au/bulletins/76630

Trust: 0.6

url:http://www.cisco.com/

Trust: 0.3

sources: VULHUB: VHN-149092 // BID: 107317 // JVNDB: JVNDB-2019-002452 // CNNVD: CNNVD-201903-203 // NVD: CVE-2019-1690

CREDITS

Costin Enache with DETACK GmbH .

Trust: 0.6

sources: CNNVD: CNNVD-201903-203

SOURCES

db:VULHUBid:VHN-149092
db:BIDid:107317
db:JVNDBid:JVNDB-2019-002452
db:CNNVDid:CNNVD-201903-203
db:NVDid:CVE-2019-1690

LAST UPDATE DATE

2024-08-14T14:32:45.723000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-149092date:2020-10-16T00:00:00
db:BIDid:107317date:2019-03-06T00:00:00
db:JVNDBid:JVNDB-2019-002452date:2019-04-09T00:00:00
db:CNNVDid:CNNVD-201903-203date:2020-10-21T00:00:00
db:NVDid:CVE-2019-1690date:2020-10-16T13:04:35.550

SOURCES RELEASE DATE

db:VULHUBid:VHN-149092date:2019-03-11T00:00:00
db:BIDid:107317date:2019-03-06T00:00:00
db:JVNDBid:JVNDB-2019-002452date:2019-04-09T00:00:00
db:CNNVDid:CNNVD-201903-203date:2019-03-06T00:00:00
db:NVDid:CVE-2019-1690date:2019-03-11T21:29:01.090