ID

VAR-201903-0580


CVE

CVE-2019-1596


TITLE

Cisco NX-OS Vulnerability related to authorization, authority, and access control in software

Trust: 0.8

sources: JVNDB: JVNDB-2019-002263

DESCRIPTION

A vulnerability in the Bash shell implementation for Cisco NX-OS Software could allow an authenticated, local attacker to escalate their privilege level to root. The attacker must authenticate with valid user credentials. The vulnerability is due to incorrect permissions of a system executable. An attacker could exploit this vulnerability by authenticating to the device and entering a crafted command at the Bash prompt. A successful exploit could allow the attacker to escalate their privilege level to root. Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3500 Platform Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3600 Platform Switches are affected in versions prior to 7.0(3)F3(5). Nexus 9000 Series Switches in Standalone NX-OS Mode are affected in versions prior to 7.0(3)I7(4). Nexus 9500 R-Series Line Cards and Fabric Modules are affected in versions prior to 7.0(3)F3(5). Cisco NX-OS The software contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco NX-OS Software is prone to a local privilege-escalation vulnerability. This issue is being tracked by Cisco Bug IDs CSCvj58962 and CSCvk71078

Trust: 1.98

sources: NVD: CVE-2019-1596 // JVNDB: JVNDB-2019-002263 // BID: 107340 // VULHUB: VHN-148058

AFFECTED PRODUCTS

vendor:ciscomodel:nx-osscope:gteversion:7.0\(3\)f3\(1\)

Trust: 1.0

vendor:ciscomodel:nx-osscope:gteversion:7.0\(3\)i7

Trust: 1.0

vendor:ciscomodel:nx-osscope:gteversion:7.0\(3\)i5

Trust: 1.0

vendor:ciscomodel:nx-osscope:ltversion:7.0\(3\)i7\(4\)

Trust: 1.0

vendor:ciscomodel:nx-osscope:ltversion:7.0\(3\)f3\(5\)

Trust: 1.0

vendor:ciscomodel:nx-osscope:ltversion:7.0\(3\)i4\(9\)

Trust: 1.0

vendor:ciscomodel:nx-osscope: - version: -

Trust: 0.8

vendor:ciscomodel:nx-os 7.0 i7scope: - version: -

Trust: 0.6

vendor:ciscomodel:nx-os 7.0 i7scope:neversion: -

Trust: 0.6

vendor:ciscomodel:nx-os 7.0 f3scope:neversion: -

Trust: 0.6

vendor:ciscomodel:nx-osscope:eqversion:9.2

Trust: 0.3

vendor:ciscomodel:nx-os 8.3 s1scope: - version: -

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 i6scope: - version: -

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 i5scope: - version: -

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 i4scope: - version: -

Trust: 0.3

vendor:ciscomodel:nx-osscope:eqversion:7.0(3)

Trust: 0.3

vendor:ciscomodel:nx-os 6.0 a8scope: - version: -

Trust: 0.3

vendor:ciscomodel:nexus r-series line cards and fabric modulesscope:eqversion:95000

Trust: 0.3

vendor:ciscomodel:nexus series switches in standalone nx-os modescope:eqversion:90000

Trust: 0.3

vendor:ciscomodel:nexus platform switchesscope:eqversion:36000

Trust: 0.3

vendor:ciscomodel:nexus platform switchesscope:eqversion:35000

Trust: 0.3

vendor:ciscomodel:nexus series switchesscope:eqversion:30000

Trust: 0.3

vendor:ciscomodel:nx-osscope:neversion:9.2(2)

Trust: 0.3

vendor:ciscomodel:nx-os 7.0 i4scope:neversion: -

Trust: 0.3

vendor:ciscomodel:nx-os 6.0 a8scope:neversion: -

Trust: 0.3

sources: BID: 107340 // JVNDB: JVNDB-2019-002263 // NVD: CVE-2019-1596

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1596
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1596
value: HIGH

Trust: 1.0

NVD: CVE-2019-1596
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201903-193
value: HIGH

Trust: 0.6

VULHUB: VHN-148058
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-1596
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-148058
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-1596
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1596
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-148058 // JVNDB: JVNDB-2019-002263 // CNNVD: CNNVD-201903-193 // NVD: CVE-2019-1596 // NVD: CVE-2019-1596

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

problemtype:CWE-732

Trust: 1.1

sources: VULHUB: VHN-148058 // JVNDB: JVNDB-2019-002263 // NVD: CVE-2019-1596

THREAT TYPE

local

Trust: 0.9

sources: BID: 107340 // CNNVD: CNNVD-201903-193

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201903-193

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002263

PATCH

title:cisco-sa-20190306-nxos-peurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-pe

Trust: 0.8

title:Cisco NX-OS Software Fixes for permission permissions and access control vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89863

Trust: 0.6

sources: JVNDB: JVNDB-2019-002263 // CNNVD: CNNVD-201903-193

EXTERNAL IDS

db:NVDid:CVE-2019-1596

Trust: 2.8

db:BIDid:107340

Trust: 2.0

db:JVNDBid:JVNDB-2019-002263

Trust: 0.8

db:CNNVDid:CNNVD-201903-193

Trust: 0.7

db:AUSCERTid:ESB-2019.0709

Trust: 0.6

db:VULHUBid:VHN-148058

Trust: 0.1

sources: VULHUB: VHN-148058 // BID: 107340 // JVNDB: JVNDB-2019-002263 // CNNVD: CNNVD-201903-193 // NVD: CVE-2019-1596

REFERENCES

url:http://www.securityfocus.com/bid/107340

Trust: 2.3

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190306-nxos-pe

Trust: 2.0

url:https://nvd.nist.gov/vuln/detail/cve-2019-1596

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1596

Trust: 0.8

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190306-nx-os-bash-escal

Trust: 0.6

url:https://www.auscert.org.au/bulletins/76614

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-nx-os-nexus-multiple-vulnerabilities-28681

Trust: 0.6

url:http://www.cisco.com/

Trust: 0.3

url:https://bst.cloudapps.cisco.com/bugsearch/bug/cscvj58962

Trust: 0.3

url:https://bst.cloudapps.cisco.com/bugsearch/bug/cscvk71078

Trust: 0.3

sources: VULHUB: VHN-148058 // BID: 107340 // JVNDB: JVNDB-2019-002263 // CNNVD: CNNVD-201903-193 // NVD: CVE-2019-1596

CREDITS

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Trust: 0.6

sources: CNNVD: CNNVD-201903-193

SOURCES

db:VULHUBid:VHN-148058
db:BIDid:107340
db:JVNDBid:JVNDB-2019-002263
db:CNNVDid:CNNVD-201903-193
db:NVDid:CVE-2019-1596

LAST UPDATE DATE

2024-08-14T14:04:35.960000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-148058date:2020-10-08T00:00:00
db:BIDid:107340date:2019-03-06T00:00:00
db:JVNDBid:JVNDB-2019-002263date:2019-04-05T00:00:00
db:CNNVDid:CNNVD-201903-193date:2020-10-09T00:00:00
db:NVDid:CVE-2019-1596date:2020-10-08T19:39:01.467

SOURCES RELEASE DATE

db:VULHUBid:VHN-148058date:2019-03-07T00:00:00
db:BIDid:107340date:2019-03-06T00:00:00
db:JVNDBid:JVNDB-2019-002263date:2019-04-05T00:00:00
db:CNNVDid:CNNVD-201903-193date:2019-03-06T00:00:00
db:NVDid:CVE-2019-1596date:2019-03-07T19:29:00.223