Details of VAR-201904-0244

ID

VAR-201904-0244

CVE

CVE-2019-1721

TITLE

Cisco Expressway Series and TelePresence Video Communication Server Resource management vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-003532

DESCRIPTION

A vulnerability in the phone book feature of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to cause the CPU to increase to 100% utilization, causing a denial of service (DoS) condition on an affected system. The vulnerability is due to improper handling of the XML input. An attacker could exploit this vulnerability by sending a Session Initiation Protocol (SIP) message with a crafted XML payload to an affected device. A successful exploit could allow the attacker to exhaust CPU resources, resulting in a DoS condition. Manual intervention may be required to recover the device. This vulnerability is fixed in Cisco Expressway Series and Cisco TelePresence Video Communication Server Releases X12.5.1 and later. This issue is being tracked by Cisco Bug ID CSCvn99037

Trust: 2.07

sources: NVD: CVE-2019-1721 // JVNDB: JVNDB-2019-003532 // BID: 108016 // VULHUB: VHN-149433 // VULMON: CVE-2019-1721

AFFECTED PRODUCTS

vendor:	cisco	model:	telepresence video communication server	scope:	lt	version:	x12.5.1	Trust: 1.0
vendor:	cisco	model:	telepresence video communication server software	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	x8.5.2	Trust: 0.6
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	x8.1.1	Trust: 0.6
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	x8.8.3	Trust: 0.3
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	x8.7.2	Trust: 0.3
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	x8.5.1	Trust: 0.3
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	x8.2	Trust: 0.3
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	x8.1	Trust: 0.3
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	x8	Trust: 0.3
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	x7.2.3	Trust: 0.3
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	x7.2.2	Trust: 0.3
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	x7.2.1	Trust: 0.3
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	x7.2	Trust: 0.3
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	x7.1	Trust: 0.3
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	x7.0.3	Trust: 0.3
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	x7.0.1	Trust: 0.3
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	x7.0	Trust: 0.3
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	8.8	Trust: 0.3
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	8.5.1	Trust: 0.3
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	x8.6	Trust: 0.3
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	x6.0.2	Trust: 0.3
vendor:	cisco	model:	telepresence video communication server	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	expressway series	scope:	eq	version:	x8.8.3	Trust: 0.3
vendor:	cisco	model:	expressway series	scope:	eq	version:	x8.1.1	Trust: 0.3
vendor:	cisco	model:	expressway series	scope:	eq	version:	x8.1	Trust: 0.3
vendor:	cisco	model:	expressway series	scope:	eq	version:	8.8	Trust: 0.3
vendor:	cisco	model:	expressway series	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	telepresence video communication server	scope:	ne	version:	x12.5.1	Trust: 0.3
vendor:	cisco	model:	expressway series	scope:	ne	version:	x12.5.1	Trust: 0.3

sources: BID: 108016 // JVNDB: JVNDB-2019-003532 // NVD: CVE-2019-1721

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-1721
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1721
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-1721
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201904-844
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-149433
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2019-1721
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-1721
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-149433
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:L/AU:S/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-1721
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1721
baseSeverity:	HIGH
baseScore:	7.7
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.1
impactScore:	4.0
version:	3.0
Trust: 1.0
NVD:	CVE-2019-1721
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-149433 // VULMON: CVE-2019-1721 // JVNDB: JVNDB-2019-003532 // CNNVD: CNNVD-201904-844 // NVD: CVE-2019-1721 // NVD: CVE-2019-1721

PROBLEMTYPE DATA

problemtype:	CWE-20	Trust: 1.1
problemtype:	CWE-399	Trust: 0.9

sources: VULHUB: VHN-149433 // JVNDB: JVNDB-2019-003532 // NVD: CVE-2019-1721

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-844

TYPE

Input Validation Error

Trust: 0.9

sources: BID: 108016 // CNNVD: CNNVD-201904-844

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003532

PATCH

title:	cisco-sa-20190417-es-tvcs-dos	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-es-tvcs-dos	Trust: 0.8
title:	Cisco Expressway Series and Cisco TelePresence Video Communication Server Enter the fix for the verification error vulnerability	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91678	Trust: 0.6
title:	Cisco: Cisco Expressway Series and Cisco TelePresence Video Communication Server Denial of Service Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20190417-es-tvcs-dos	Trust: 0.1
title:	Threatpost	url:	https://threatpost.com/cisco_high-severity_bug/144410/	Trust: 0.1

sources: VULMON: CVE-2019-1721 // JVNDB: JVNDB-2019-003532 // CNNVD: CNNVD-201904-844

EXTERNAL IDS

db:	NVD	id:	CVE-2019-1721	Trust: 2.9
db:	BID	id:	108016	Trust: 2.1
db:	JVNDB	id:	JVNDB-2019-003532	Trust: 0.8
db:	CNNVD	id:	CNNVD-201904-844	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.1330.2	Trust: 0.6
db:	VULHUB	id:	VHN-149433	Trust: 0.1
db:	VULMON	id:	CVE-2019-1721	Trust: 0.1

sources: VULHUB: VHN-149433 // VULMON: CVE-2019-1721 // BID: 108016 // JVNDB: JVNDB-2019-003532 // CNNVD: CNNVD-201904-844 // NVD: CVE-2019-1721

REFERENCES

url:	http://www.securityfocus.com/bid/108016	Trust: 2.5
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190417-es-tvcs-dos	Trust: 2.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-1721	Trust: 1.4
url:	http://www.cisco.com/	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1721	Trust: 0.8
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190417-ex-vcs-xsrf	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/79282	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/20.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://threatpost.com/cisco_high-severity_bug/144410/	Trust: 0.1

sources: VULHUB: VHN-149433 // VULMON: CVE-2019-1721 // BID: 108016 // JVNDB: JVNDB-2019-003532 // CNNVD: CNNVD-201904-844 // NVD: CVE-2019-1721

CREDITS

Cisco

Trust: 0.9

sources: BID: 108016 // CNNVD: CNNVD-201904-844

SOURCES

db:	VULHUB	id:	VHN-149433
db:	VULMON	id:	CVE-2019-1721
db:	BID	id:	108016
db:	JVNDB	id:	JVNDB-2019-003532
db:	CNNVD	id:	CNNVD-201904-844
db:	NVD	id:	CVE-2019-1721

LAST UPDATE DATE

2024-11-23T21:52:21.517000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-149433	date:	2020-10-07T00:00:00
db:	VULMON	id:	CVE-2019-1721	date:	2020-10-07T00:00:00
db:	BID	id:	108016	date:	2019-04-17T00:00:00
db:	JVNDB	id:	JVNDB-2019-003532	date:	2019-05-20T00:00:00
db:	CNNVD	id:	CNNVD-201904-844	date:	2020-10-28T00:00:00
db:	NVD	id:	CVE-2019-1721	date:	2024-11-21T04:37:10.620

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-149433	date:	2019-04-18T00:00:00
db:	VULMON	id:	CVE-2019-1721	date:	2019-04-18T00:00:00
db:	BID	id:	108016	date:	2019-04-17T00:00:00
db:	JVNDB	id:	JVNDB-2019-003532	date:	2019-05-20T00:00:00
db:	CNNVD	id:	CNNVD-201904-844	date:	2019-04-17T00:00:00
db:	NVD	id:	CVE-2019-1721	date:	2019-04-18T01:29:01.967