ID

VAR-201904-0245


CVE

CVE-2019-1710


TITLE

Cisco IOS XR Software input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-003480

DESCRIPTION

A vulnerability in the sysadmin virtual machine (VM) on Cisco ASR 9000 Series Aggregation Services Routers running Cisco IOS XR 64-bit Software could allow an unauthenticated, remote attacker to access internal applications running on the sysadmin VM. The vulnerability is due to incorrect isolation of the secondary management interface from internal sysadmin applications. An attacker could exploit this vulnerability by connecting to one of the listening internal applications. A successful exploit could result in unstable conditions, including both a denial of service and remote unauthenticated access to the device. This vulnerability has been fixed in Cisco IOS XR 64-bit Software Release 6.5.3 and 7.0.1, which will edit the calvados_boostrap.cfg file and reload the device. Cisco IOS XR The software contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. An attacker can exploit this issue to gain unauthorized access, perform unintended actions and cause denial-of-service conditions. This may lead to further attacks. This issue is being tracked by Cisco Bug ID CSCvn56004

Trust: 1.98

sources: NVD: CVE-2019-1710 // JVNDB: JVNDB-2019-003480 // BID: 108007 // VULMON: CVE-2019-1710

AFFECTED PRODUCTS

vendor:ciscomodel:ios xrscope:gteversion:7.0

Trust: 1.0

vendor:ciscomodel:ios xrscope:ltversion:6.5.3

Trust: 1.0

vendor:ciscomodel:ios xrscope:ltversion:7.0.1

Trust: 1.0

vendor:ciscomodel:ios xrscope:ltversion:64-bit 6.5.3

Trust: 0.8

vendor:ciscomodel:ios xrscope:ltversion:64-bit 7.0.1

Trust: 0.8

vendor:ciscomodel:ios xr softwarescope:eqversion:6.3.2

Trust: 0.3

vendor:ciscomodel:ios xr softwarescope:eqversion:6.3.1

Trust: 0.3

vendor:ciscomodel:ios xr softwarescope:eqversion:6.2.3

Trust: 0.3

vendor:ciscomodel:ios xr softwarescope:eqversion:6.1.4

Trust: 0.3

vendor:ciscomodel:ios xr softwarescope:eqversion:6.1.2

Trust: 0.3

vendor:ciscomodel:ios xr softwarescope:eqversion:6.1.1

Trust: 0.3

vendor:ciscomodel:ios xr softwarescope:eqversion:6.0.1

Trust: 0.3

vendor:ciscomodel:ios xrscope:eqversion:6.5.2

Trust: 0.3

vendor:ciscomodel:ios xrscope:eqversion:6.4.2

Trust: 0.3

vendor:ciscomodel:asrscope:eqversion:90000

Trust: 0.3

vendor:ciscomodel:ios xrscope:neversion:7.0.1

Trust: 0.3

vendor:ciscomodel:ios xrscope:neversion:6.5.3

Trust: 0.3

sources: BID: 108007 // JVNDB: JVNDB-2019-003480 // NVD: CVE-2019-1710

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1710
value: CRITICAL

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1710
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-1710
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201904-849
value: CRITICAL

Trust: 0.6

VULMON: CVE-2019-1710
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-1710
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2019-1710
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 2.8

sources: VULMON: CVE-2019-1710 // JVNDB: JVNDB-2019-003480 // CNNVD: CNNVD-201904-849 // NVD: CVE-2019-1710 // NVD: CVE-2019-1710

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.8

sources: JVNDB: JVNDB-2019-003480 // NVD: CVE-2019-1710

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-849

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201904-849

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003480

PATCH

title:cisco-sa-20190417-asr9k-exrurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-asr9k-exr

Trust: 0.8

title:Cisco ASR 9000 Enter the fix for the verification error vulnerabilityurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91683

Trust: 0.6

title:Cisco: Cisco IOS XR 64-Bit Software for Cisco ASR 9000 Series Aggregation Services Routers Network Isolation Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20190417-asr9k-exr

Trust: 0.1

title:Threatposturl:https://threatpost.com/cisco-patch-asr-9000-routers/143895/

Trust: 0.1

sources: VULMON: CVE-2019-1710 // JVNDB: JVNDB-2019-003480 // CNNVD: CNNVD-201904-849

EXTERNAL IDS

db:NVDid:CVE-2019-1710

Trust: 2.8

db:BIDid:108007

Trust: 2.0

db:JVNDBid:JVNDB-2019-003480

Trust: 0.8

db:AUSCERTid:ESB-2019.1331.3

Trust: 0.6

db:CNNVDid:CNNVD-201904-849

Trust: 0.6

db:VULMONid:CVE-2019-1710

Trust: 0.1

sources: VULMON: CVE-2019-1710 // BID: 108007 // JVNDB: JVNDB-2019-003480 // CNNVD: CNNVD-201904-849 // NVD: CVE-2019-1710

REFERENCES

url:http://www.securityfocus.com/bid/108007

Trust: 2.4

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190417-asr9k-exr

Trust: 2.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-1710

Trust: 1.4

url:http://www.cisco.com/

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1710

Trust: 0.8

url:https://vigilance.fr/vulnerability/cisco-ios-xr-asr-9000-privilege-escalation-via-management-interface-isolation-29081

Trust: 0.6

url:https://www.auscert.org.au/bulletins/79286

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/20.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://threatpost.com/cisco-patch-asr-9000-routers/143895/

Trust: 0.1

sources: VULMON: CVE-2019-1710 // BID: 108007 // JVNDB: JVNDB-2019-003480 // CNNVD: CNNVD-201904-849 // NVD: CVE-2019-1710

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 108007

SOURCES

db:VULMONid:CVE-2019-1710
db:BIDid:108007
db:JVNDBid:JVNDB-2019-003480
db:CNNVDid:CNNVD-201904-849
db:NVDid:CVE-2019-1710

LAST UPDATE DATE

2024-11-23T21:37:33.157000+00:00


SOURCES UPDATE DATE

db:VULMONid:CVE-2019-1710date:2019-10-09T00:00:00
db:BIDid:108007date:2019-04-17T00:00:00
db:JVNDBid:JVNDB-2019-003480date:2019-05-17T00:00:00
db:CNNVDid:CNNVD-201904-849date:2019-05-14T00:00:00
db:NVDid:CVE-2019-1710date:2024-11-21T04:37:09.177

SOURCES RELEASE DATE

db:VULMONid:CVE-2019-1710date:2019-04-17T00:00:00
db:BIDid:108007date:2019-04-17T00:00:00
db:JVNDBid:JVNDB-2019-003480date:2019-05-17T00:00:00
db:CNNVDid:CNNVD-201904-849date:2019-04-17T00:00:00
db:NVDid:CVE-2019-1710date:2019-04-17T22:29:00.390