ID

VAR-201905-0502


CVE

CVE-2019-1649


TITLE

Cisco Trust Anchor module (TAm) improperly checks code and Cisco IOS XE web UI does not sanitize user input

Trust: 0.8

sources: CERT/CC: VU#400865

DESCRIPTION

A vulnerability in the logic that handles access control to one of the hardware components in Cisco's proprietary Secure Boot implementation could allow an authenticated, local attacker to write a modified firmware image to the component. This vulnerability affects multiple Cisco products that support hardware-based Secure Boot functionality. The vulnerability is due to an improper check on the area of code that manages on-premise updates to a Field Programmable Gate Array (FPGA) part of the Secure Boot hardware implementation. An attacker with elevated privileges and access to the underlying operating system that is running on the affected device could exploit this vulnerability by writing a modified firmware image to the FPGA. A successful exploit could either cause the device to become unusable (and require a hardware replacement) or allow tampering with the Secure Boot verification process, which under some circumstances may allow the attacker to install and boot a malicious software image.

An attacker will need to fulfill all the following conditions to attempt to exploit this vulnerability:
Have privileged administrative access to the device.
Be able to access the underlying operating system running on the device; this can be achieved either by using a supported, documented mechanism or by exploiting another vulnerability that would provide an attacker with such access.
Develop or have access to a platform-specific exploit.

An attacker attempting to exploit this vulnerability across multiple affected platforms would need to research each one of those platforms and then develop a platform-specific exploit. Although the research process could be reused across different platforms, an exploit developed for a given hardware platform is unlikely to work on a different hardware platform.

Cisco's Trust Anchor module (TAm) can be bypassed through manipulating the bitstream of the Field Programmable Gate Array (FPGA). Additionally, Cisco's IOS XE web UI improperly sanitizes user input, and could allow an authenticated, remote attacker to execute commands. An authenticated, remote attacker could execute commands as root on the vulnerable device. A local attacker can leverage this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks.

This issue is being tracked by Cisco Bug IDs CSCvn77141, CSCvn77142, CSCvn77143, CSCvn77147, CSCvn77150, CSCvn77151, CSCvn77152, CSCvn77153, CSCvn77154, CSCvn77155, CSCvn77156, CSCvn77158, CSCvn77159, CSCvn77160, CSCvn77162, CSCvn77166, CSCvn77167, CSCvn77168, CSCvn77169, CSCvn77170, CSCvn77171, CSCvn77172, CSCvn77175, CSCvn77180, CSCvn77181, CSCvn77182, CSCvn77183, CSCvn77184, CSCvn77185, CSCvn77191, CSCvn77201, CSCvn77202, CSCvn77205, CSCvn77207, CSCvn77209, CSCvn77212, CSCvn77219, CSCvn77220, CSCvn77245, CSCvn77246, CSCvn77248, CSCvn77249, CSCvn89137, CSCvn89138, CSCvn89140, CSCvn89143, CSCvn89144, CSCvn89145, CSCvn89146, CSCvn89150, and CSCvp42792. This vulnerability stems from network systems or products not properly restricting access to resources from unauthorized roles.

Trust: 2.79

sources: NVD: CVE-2019-1649 // CERT/CC: VU#400865 // JVNDB: JVNDB-2019-004636 // BID: 108350 // VULHUB: VHN-148641 // VULMON: CVE-2019-1649

AFFECTED PRODUCTS

vendor: cisco | model: ios xe | scope: gte | version: 16.7.0

Trust: 1.0

vendor: cisco | model: asr 1001 | scope: eq | version: 16.0.0

Trust: 1.0

vendor: cisco | model: supervisor b+ | scope: eq | version: *

Trust: 1.0

vendor: cisco | model: 15454-m-wse-k9 | scope: lt | version: 11.1

Trust: 1.0

vendor: cisco | model: ios | scope: gte | version: 15.9

Trust: 1.0

vendor: cisco | model: integrated services router t1/e1 voice and wan network interface modules | scope: eq | version: *

Trust: 1.0

vendor: cisco | model: ios | scope: gte | version: 15.7

Trust: 1.0

vendor: cisco | model: encs 5400 | scope: eq | version: -

Trust: 1.0

vendor: cisco | model: ios xe | scope: lt | version: 16.2.1

Trust: 1.0

vendor: cisco | model: ios xe | scope: lt | version: 16.12.1

Trust: 1.0

vendor: cisco | model: catalyst 9800-80 wireless controller | scope: eq | version: -

Trust: 1.0

vendor: cisco | model: ios xe | scope: gte | version: 16.4.0

Trust: 1.0

vendor: cisco | model: ios | scope: lte | version: 15.7(3)m4b

Trust: 1.0

vendor: cisco | model: ios | scope: lt | version: 15.6(3)m6b

Trust: 1.0

vendor: cisco | model: supervisor a+ | scope: eq | version: *

Trust: 1.0

vendor: cisco | model: ios xe | scope: lt | version: 15.5(1)sy4

Trust: 1.0

vendor: cisco | model: analog voice network interface modules | scope: eq | version: *

Trust: 1.0

vendor: cisco | model: integrated services router 4300 | scope: lt | version: 1.1

Trust: 1.0

vendor: cisco | model: ios | scope: lt | version: 15.8(3)m2a

Trust: 1.0

vendor: cisco | model: ios xr | scope: eq | version: 7.1.1

Trust: 1.0

vendor: cisco | model: asr 1000 series | scope: eq | version: *

Trust: 1.0

vendor: cisco | model: integrated services router 4400 | scope: lt | version: 1.1

Trust: 1.0

vendor: cisco | model: nx-os | scope: lt | version: 9.3(2)

Trust: 1.0

vendor: cisco | model: ios xr | scope: eq | version: 7.0.1

Trust: 1.0

vendor: cisco | model: ios xe | scope: lt | version: 16.3.9

Trust: 1.0

vendor: cisco | model: ios xe | scope: lt | version: 16.9.4

Trust: 1.0

vendor: cisco | model: ios | scope: lte | version: 15.7(3)m5

Trust: 1.0

vendor: cisco | model: firepower 9000 | scope: lt | version: 1.0.18

Trust: 1.0

vendor: cisco | model: sm-x-1t3/e3 | scope: eq | version: -

Trust: 1.0

vendor: cisco | model: ios xe | scope: lt | version: 16.6.7

Trust: 1.0

vendor: cisco | model: ios xe | scope: gte | version: 16.10

Trust: 1.0

vendor: cisco | model: encs 5100 | scope: eq | version: -

Trust: 1.0

vendor: cisco | model: firepower 2100 | scope: lt | version: 2.6.1.134

Trust: 1.0

vendor: cisco | model: ncs2k-mr-mxp-k9 | scope: lt | version: 11.1

Trust: 1.0

vendor: cisco | model: ios | scope: lt | version: 15.8(3)m3

Trust: 1.0

vendor: cisco | model: industrial security appliances 3000 | scope: lt | version: 1.0.05

Trust: 1.0

vendor: cisco | model: ons 15454 mstp | scope: lt | version: 11.1

Trust: 1.0

vendor: cisco | model: ic3000-k9 | scope: lt | version: 1.0.2

Trust: 1.0

vendor: cisco | model: ios | scope: lt | version: 15.6(3)m7

Trust: 1.0

vendor: cisco | model: catalyst 9800-40 wireless controller | scope: eq | version: -

Trust: 1.0

vendor: cisco | model: ios | scope: lt | version: 15.9(3)m

Trust: 1.0

vendor: cisco | model: asa 5500 | scope: lt | version: 1.1.15

Trust: 1.0

vendor: cisco | model: firepower 4000 | scope: lt | version: 1.0.18

Trust: 1.0

vendor: cisco | model: integrated services router 4200 | scope: lt | version: 1.1

Trust: 1.0

vendor: cisco | model: ios xe | scope: gte | version: 16.10.0

Trust: 1.0

vendor: cisco | model: nx-os | scope: lt | version: 8.4.1

Trust: 1.0

vendor: cisco | model: ios | scope: gte | version: 15.8

Trust: 1.0

vendor: cisco | model: - | scope: - | version: -

Trust: 0.8

vendor: cisco | model: 15454 m wse k9 | scope: - | version: -

Trust: 0.8

vendor: cisco | model: analog voice network interface modules | scope: - | version: -

Trust: 0.8

vendor: cisco | model: asa 5500 | scope: - | version: -

Trust: 0.8

vendor: cisco | model: firepower 2100 | scope: - | version: -

Trust: 0.8

vendor: cisco | model: firepower 4000 | scope: - | version: -

Trust: 0.8

vendor: cisco | model: firepower 9000 | scope: - | version: -

Trust: 0.8

vendor: cisco | model: integrated services router t1/e1 voice and wan network interface modules | scope: - | version: -

Trust: 0.8

vendor: cisco | model: ons 15454 mstp | scope: - | version: -

Trust: 0.8

vendor: cisco | model: supervisor a+ | scope: - | version: -

Trust: 0.8

vendor: cisco | model: supervisor b+ | scope: - | version: -

Trust: 0.8

vendor: cisco | model: trust anchor module | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: packet-over-t3/e3 service module | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: nexus | scope: eq | version: 95000

Trust: 0.3

vendor: cisco | model: nexus | scope: eq | version: 93000

Trust: 0.3

vendor: cisco | model: nexus | scope: eq | version: 92000

Trust: 0.3

vendor: cisco | model: nexus | scope: eq | version: 90000

Trust: 0.3

vendor: cisco | model: nexus | scope: eq | version: 70000

Trust: 0.3

vendor: cisco | model: nexus 3264c-e switches | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: nexus 3132c-z switches | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: nexus 31108tc-v | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: nexus 31108pc-v | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: network convergence system series routers | scope: eq | version: 55000

Trust: 0.3

vendor: cisco | model: network convergence system | scope: eq | version: 50020

Trust: 0.3

vendor: cisco | model: network convergence system | scope: eq | version: 50010

Trust: 0.3

vendor: cisco | model: network convergence system | scope: eq | version: 10020

Trust: 0.3

vendor: cisco | model: ncs series | scope: eq | version: 2000

Trust: 0.3

vendor: cisco | model: mds | scope: eq | version: 9000

Trust: 0.3

vendor: cisco | model: ic3000 industrial compute gateway | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: firepower series | scope: eq | version: 90000

Trust: 0.3

vendor: cisco | model: firepower series | scope: eq | version: 40000

Trust: 0.3

vendor: cisco | model: firepower series | scope: eq | version: 21000

Trust: 0.3

vendor: cisco | model: connected grid routers | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: cbr-8 converged broadband router | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: catalyst wireless controller | scope: eq | version: 9800-800

Trust: 0.3

vendor: cisco | model: catalyst wireless controller | scope: eq | version: 9800-400

Trust: 0.3

vendor: cisco | model: catalyst | scope: eq | version: 96000

Trust: 0.3

vendor: cisco | model: catalyst series switch | scope: eq | version: 95000

Trust: 0.3

vendor: cisco | model: catalyst series switches | scope: eq | version: 93000

Trust: 0.3

vendor: cisco | model: catalyst | scope: eq | version: 68000

Trust: 0.3

vendor: cisco | model: asr series aggregation services router | scope: eq | version: 9200

Trust: 0.3

vendor: cisco | model: asr series aggregation services routers | scope: eq | version: 90000

Trust: 0.3

vendor: cisco | model: asr route switch processor | scope: eq | version: 90030

Trust: 0.3

vendor: cisco | model: asr route switch processor | scope: eq | version: 90020

Trust: 0.3

vendor: cisco | model: asr series routers | scope: eq | version: 10000

Trust: 0.3

vendor: cisco | model: asa series with firepower services | scope: eq | version: 5500-x0

Trust: 0.3

vendor: cisco | model: asa series with firepower service | scope: eq | version: 5500-x5.3

Trust: 0.3

vendor: cisco | model: analog voice network interface module | scope: eq | version: 0

Trust: 0.3

vendor: cisco | model: industrial integrated services routers | scope: eq | version: 8290

Trust: 0.3

vendor: cisco | model: industrial integrated services routers | scope: eq | version: 8090

Trust: 0.3

vendor: cisco | model: series enterprise network compute system | scope: eq | version: 50000

Trust: 0.3

vendor: cisco | model: integrated services router | scope: eq | version: 44610

Trust: 0.3

vendor: cisco | model: integrated services router | scope: eq | version: 4451-x0

Trust: 0.3

vendor: cisco | model: integrated services router | scope: eq | version: 44310

Trust: 0.3

vendor: cisco | model: integrated services router | scope: eq | version: 43510

Trust: 0.3

vendor: cisco | model: integrated services router | scope: eq | version: 43310

Trust: 0.3

vendor: cisco | model: integrated services router | scope: eq | version: 43210

Trust: 0.3

vendor: cisco | model: integrated services router | scope: eq | version: 42210

Trust: 0.3

vendor: cisco | model: series integrated services routers | scope: eq | version: 40000

Trust: 0.3

vendor: cisco | model: - | scope: eq | version: 4000

Trust: 0.3

vendor: cisco | model: series industrial security appliances | scope: eq | version: 30000

Trust: 0.3

sources: CERT/CC: VU#400865 // BID: 108350 // JVNDB: JVNDB-2019-004636 // NVD: CVE-2019-1649

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-1649
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1649
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1649
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201905-340
value: MEDIUM

Trust: 0.6

VULHUB: VHN-148641
value: HIGH

Trust: 0.1

VULMON: CVE-2019-1649
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2019-1649
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-148641
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

ykramarz@cisco.com: CVE-2019-1649
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1649
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-148641 // VULMON: CVE-2019-1649 // JVNDB: JVNDB-2019-004636 // CNNVD: CNNVD-201905-340 // NVD: CVE-2019-1649 // NVD: CVE-2019-1649

PROBLEMTYPE DATA

problemtype:CWE-284

Trust: 1.9

problemtype:CWE-667

Trust: 1.1

sources: VULHUB: VHN-148641 // JVNDB: JVNDB-2019-004636 // NVD: CVE-2019-1649

THREAT TYPE

local

Trust: 0.9

sources: BID: 108350 // CNNVD: CNNVD-201905-340

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201905-340

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-004636

PATCH

title: cisco-sa-20190513-secureboot | url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot

Trust: 0.8

title: The Register | url: https://www.theregister.co.uk/2019/08/22/cisco_patch_bundle/

Trust: 0.2

title: The Register | url: https://www.theregister.co.uk/2019/05/13/cisco_thrangrycat_vulnerability/

Trust: 0.2

title: Cisco: Cisco Secure Boot Hardware Tampering Vulnerability | url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20190513-secureboot

Trust: 0.1

title: - | url: https://github.com/Live-Hack-CVE/CVE-2019-1649

Trust: 0.1

title: sec-daily-2019 | url: https://github.com/alphaSeclab/sec-daily-2019

Trust: 0.1

title: Threatpost | url: https://threatpost.com/cisco-patch-firmware/144936/

Trust: 0.1

title: Threatpost | url: https://threatpost.com/cisco-webex-remote-code-execution/144805/

Trust: 0.1

title: Threatpost | url: https://threatpost.com/cisco-bugs-unpatched-millions-devices/144692/

Trust: 0.1

sources: VULMON: CVE-2019-1649 // JVNDB: JVNDB-2019-004636

EXTERNAL IDS

db: CERT/CC | id: VU#400865

Trust: 3.7

db: NVD | id: CVE-2019-1649

Trust: 2.9

db: BID | id: 108350

Trust: 2.1

db: ICS CERT | id: ICSA-20-072-03

Trust: 1.8

db: JVN | id: JVNVU97735735

Trust: 0.8

db: JVNDB | id: JVNDB-2019-004636

Trust: 0.8

db: CNNVD | id: CNNVD-201905-340

Trust: 0.7

db: AUSCERT | id: ESB-2019.1680.6

Trust: 0.6

db: AUSCERT | id: ESB-2019.1680.16

Trust: 0.6

db: AUSCERT | id: ESB-2019.1680.5

Trust: 0.6

db: VULHUB | id: VHN-148641

Trust: 0.1

db: VULMON | id: CVE-2019-1649

Trust: 0.1

sources: CERT/CC: VU#400865 // VULHUB: VHN-148641 // VULMON: CVE-2019-1649 // BID: 108350 // JVNDB: JVNDB-2019-004636 // CNNVD: CNNVD-201905-340 // NVD: CVE-2019-1649

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190513-secureboot

Trust: 3.5

url:http://www.securityfocus.com/bid/108350

Trust: 2.4

url:https://www.us-cert.gov/ics/advisories/icsa-20-072-03

Trust: 1.8

url:https://www.kb.cert.org/vuls/id/400865/

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-1649

Trust: 1.4

url:https://www.kb.cert.org/vuls/id/400865

Trust: 1.3

url:http://www.cisco.com/

Trust: 0.9

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190513-webui

Trust: 0.8

url:https://thrangrycat.com/

Trust: 0.8

url:https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

Trust: 0.8

url:https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/trustworthy-technologies-datasheet.pdf

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1649

Trust: 0.8

url:https://jvn.jp/vu/jvnvu97735735/

Trust: 0.8

url:https://vigilance.fr/vulnerability/cisco-overwrite-of-the-firmware-image-29281

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.1680.5/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/80766

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.1680.6/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/667.html

Trust: 0.1

url:https://github.com/live-hack-cve/cve-2019-1649

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.theregister.co.uk/2019/05/13/cisco_thrangrycat_vulnerability/

Trust: 0.1

sources: CERT/CC: VU#400865 // VULHUB: VHN-148641 // VULMON: CVE-2019-1649 // BID: 108350 // JVNDB: JVNDB-2019-004636 // CNNVD: CNNVD-201905-340 // NVD: CVE-2019-1649

CREDITS

Jatin Kataria (Principal Research Scientist), Richard Housley (Research Scientist), and Dr. Ang Cui (Chief Scientist) of Red Balloon Security. This vulnerability was publicly disclosed by Red Balloon Security on May 13, 2019. The Cisco Product Security Incident Response Team (PSIRT) is aware of the existence of proof-of-concept code that demonstrates this vulnerability on the Cisco ASR 1001-X. There are no indications at this time that this proof-of-concept code is publicly available. Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.

Trust: 0.6

sources: CNNVD: CNNVD-201905-340

SOURCES

db: CERT/CC | id: VU#400865
db: VULHUB | id: VHN-148641
db: VULMON | id: CVE-2019-1649
db: BID | id: 108350
db: JVNDB | id: JVNDB-2019-004636
db: CNNVD | id: CNNVD-201905-340
db: NVD | id: CVE-2019-1649

LAST UPDATE DATE

2024-11-23T22:41:30.267000+00:00


SOURCES UPDATE DATE

db: CERT/CC | id: VU#400865 | date: 2019-05-16T00:00:00
db: VULHUB | id: VHN-148641 | date: 2022-12-13T00:00:00
db: VULMON | id: CVE-2019-1649 | date: 2022-12-13T00:00:00
db: BID | id: 108350 | date: 2019-05-13T00:00:00
db: JVNDB | id: JVNDB-2019-004636 | date: 2019-06-05T00:00:00
db: CNNVD | id: CNNVD-201905-340 | date: 2020-10-19T00:00:00
db: NVD | id: CVE-2019-1649 | date: 2024-11-21T04:37:00.627

SOURCES RELEASE DATE

db: CERT/CC | id: VU#400865 | date: 2019-05-14T00:00:00
db: VULHUB | id: VHN-148641 | date: 2019-05-13T00:00:00
db: VULMON | id: CVE-2019-1649 | date: 2019-05-13T00:00:00
db: BID | id: 108350 | date: 2019-05-13T00:00:00
db: JVNDB | id: JVNDB-2019-004636 | date: 2019-06-05T00:00:00
db: CNNVD | id: CNNVD-201905-340 | date: 2019-05-13T00:00:00
db: NVD | id: CVE-2019-1649 | date: 2019-05-13T19:29:01.520