Details of VAR-201904-0376

ID

VAR-201904-0376

CVE

CVE-2019-7477

TITLE

SonicWall SonicOS and SonicOSv TLS CBC Cipher Vulnerabilities in the use of cryptographic algorithms

Trust: 0.8

sources: JVNDB: JVNDB-2019-003236

DESCRIPTION

A vulnerability in SonicWall SonicOS and SonicOSv TLS CBC Cipher allow remote attackers to obtain sensitive plaintext data when CBC cipher suites are enabled. This vulnerability affected SonicOS Gen 5 version 5.9.1.10 and earlier, Gen 6 version 6.2.7.3, 6.5.1.3, 6.5.2.2, 6.5.3.1, 6.2.7.8, 6.4.0.0, 6.5.1.8, 6.0.5.3-86o and SonicOSv 6.5.0.2-8v_RC363 (VMWARE), 6.5.0.2.8v_RC367 (AZURE), SonicOSv 6.5.0.2.8v_RC368 (AWS), SonicOSv 6.5.0.2.8v_RC366 (HYPER_V). SonicWall SonicOS is a set of operating system specially designed for SonicWall firewall equipment of SonicWall Company in the United States. This vulnerability stems from the incorrect use of relevant cryptographic algorithms in network systems or products, resulting in incorrect encryption of content, weak encryption, and sensitive information stored in plain text

Trust: 1.8

sources: NVD: CVE-2019-7477 // JVNDB: JVNDB-2019-003236 // VULHUB: VHN-158912 // VULMON: CVE-2019-7477

AFFECTED PRODUCTS

vendor:	sonicwall	model:	sonicos	scope:	eq	version:	6.5.3.1	Trust: 1.0
vendor:	sonicwall	model:	sonicos	scope:	eq	version:	6.4.0.0	Trust: 1.0
vendor:	sonicwall	model:	sonicos	scope:	eq	version:	6.0.5.3-86o	Trust: 1.0
vendor:	sonicwall	model:	sonicosv	scope:	eq	version:	6.5.0.2-8v_rc363	Trust: 1.0
vendor:	sonicwall	model:	sonicos	scope:	eq	version:	6.2.7.3	Trust: 1.0
vendor:	sonicwall	model:	sonicosv	scope:	eq	version:	6.5.0.2.8v_rc368	Trust: 1.0
vendor:	sonicwall	model:	sonicos	scope:	eq	version:	6.5.1.8	Trust: 1.0
vendor:	sonicwall	model:	sonicos	scope:	eq	version:	6.5.1.3	Trust: 1.0
vendor:	sonicwall	model:	sonicos	scope:	eq	version:	6.2.7.8	Trust: 1.0
vendor:	sonicwall	model:	sonicos	scope:	lte	version:	5.9.1.10	Trust: 1.0
vendor:	sonicwall	model:	sonicos	scope:	eq	version:	6.5.2.2	Trust: 1.0
vendor:	sonicwall	model:	sonicosv	scope:	eq	version:	6.5.0.2.8v_rc367	Trust: 1.0
vendor:	sonicwall	model:	sonicosv	scope:	eq	version:	6.5.0.2.8v_rc366	Trust: 1.0
vendor:	sonicwall	model:	sonicos	scope:	lte	version:	gen 5 5.9.1.10	Trust: 0.8
vendor:	sonicwall	model:	sonicos	scope:	eq	version:	gen 6 6.0.5.3-86o	Trust: 0.8
vendor:	sonicwall	model:	sonicos	scope:	eq	version:	gen 6 6.2.7.3	Trust: 0.8
vendor:	sonicwall	model:	sonicos	scope:	eq	version:	gen 6 6.2.7.8	Trust: 0.8
vendor:	sonicwall	model:	sonicos	scope:	eq	version:	gen 6 6.4.0.0	Trust: 0.8
vendor:	sonicwall	model:	sonicos	scope:	eq	version:	gen 6 6.5.1.3	Trust: 0.8
vendor:	sonicwall	model:	sonicos	scope:	eq	version:	gen 6 6.5.1.8	Trust: 0.8
vendor:	sonicwall	model:	sonicos	scope:	eq	version:	gen 6 6.5.2.2	Trust: 0.8
vendor:	sonicwall	model:	sonicos	scope:	eq	version:	gen 6 6.5.3.1	Trust: 0.8
vendor:	sonicwall	model:	sonicosv	scope:	eq	version:	6.5.0.2-8v_rc363 (vmware)	Trust: 0.8

sources: JVNDB: JVNDB-2019-003236 // NVD: CVE-2019-7477

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-7477
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-7477
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201904-104
value:	HIGH
Trust: 0.6
VULHUB:	VHN-158912
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2019-7477
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-7477
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-158912
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-7477
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-158912 // VULMON: CVE-2019-7477 // JVNDB: JVNDB-2019-003236 // CNNVD: CNNVD-201904-104 // NVD: CVE-2019-7477

PROBLEMTYPE DATA

problemtype:

CWE-327

Trust: 1.9

sources: VULHUB: VHN-158912 // JVNDB: JVNDB-2019-003236 // NVD: CVE-2019-7477

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-104

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201904-104

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003236

PATCH

title:	SNWLID-2019-0003	url:	https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0003	Trust: 0.8
title:	SonicWall SonicOS Fixes for encryption problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91027	Trust: 0.6
title:	-	url:	https://github.com/tls-attacker/TLS-Padding-Oracles	Trust: 0.1
title:	TLS-Padding-Oracles	url:	https://github.com/RUB-NDS/TLS-Padding-Oracles	Trust: 0.1

sources: VULMON: CVE-2019-7477 // JVNDB: JVNDB-2019-003236 // CNNVD: CNNVD-201904-104

EXTERNAL IDS

db:	NVD	id:	CVE-2019-7477	Trust: 2.6
db:	JVNDB	id:	JVNDB-2019-003236	Trust: 0.8
db:	CNNVD	id:	CNNVD-201904-104	Trust: 0.7
db:	VULHUB	id:	VHN-158912	Trust: 0.1
db:	VULMON	id:	CVE-2019-7477	Trust: 0.1

sources: VULHUB: VHN-158912 // VULMON: CVE-2019-7477 // JVNDB: JVNDB-2019-003236 // CNNVD: CNNVD-201904-104 // NVD: CVE-2019-7477

REFERENCES

url:	https://psirt.global.sonicwall.com/vuln-detail/snwlid-2019-0003	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2019-7477	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-7477	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/327.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/tls-attacker/tls-padding-oracles	Trust: 0.1
url:	https://github.com/rub-nds/tls-padding-oracles	Trust: 0.1

sources: VULHUB: VHN-158912 // VULMON: CVE-2019-7477 // JVNDB: JVNDB-2019-003236 // CNNVD: CNNVD-201904-104 // NVD: CVE-2019-7477

SOURCES

db:	VULHUB	id:	VHN-158912
db:	VULMON	id:	CVE-2019-7477
db:	JVNDB	id:	JVNDB-2019-003236
db:	CNNVD	id:	CNNVD-201904-104
db:	NVD	id:	CVE-2019-7477

LAST UPDATE DATE

2024-08-14T15:18:05.139000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-158912	date:	2019-10-09T00:00:00
db:	VULMON	id:	CVE-2019-7477	date:	2019-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2019-003236	date:	2019-05-13T00:00:00
db:	CNNVD	id:	CNNVD-201904-104	date:	2019-10-10T00:00:00
db:	NVD	id:	CVE-2019-7477	date:	2019-10-09T23:52:04.513

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-158912	date:	2019-04-02T00:00:00
db:	VULMON	id:	CVE-2019-7477	date:	2019-04-02T00:00:00
db:	JVNDB	id:	JVNDB-2019-003236	date:	2019-05-13T00:00:00
db:	CNNVD	id:	CNNVD-201904-104	date:	2019-04-02T00:00:00
db:	NVD	id:	CVE-2019-7477	date:	2019-04-02T18:30:25.257