Details of VAR-201905-0531

ID

VAR-201905-0531

CVE

CVE-2019-1808

TITLE

Cisco NX-OS Vulnerabilities related to digital signature verification in software

Trust: 0.8

sources: JVNDB: JVNDB-2019-004648

DESCRIPTION

A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software patch on an affected device. The vulnerability is due to improper verification of digital signatures for patch images. An attacker could exploit this vulnerability by loading an unsigned software patch on an affected device. A successful exploit could allow the attacker to boot a malicious software patch image. Cisco NX-OS The software contains a vulnerability related to digital signature verification.Information may be tampered with. Multiple Cisco Products prone to an local security-bypass vulnerability. An attacker may exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. This issue is being tracked by Cisco Bug ID CSCvi42248. Cisco NX-OS Software is a data center-level operating system software used by a set of switches of Cisco. The vulnerability stems from a network system or product not adequately verifying the origin or authenticity of data. Attackers can use forged data to attack. The following products and versions are affected: Cisco MDS 9700 Series Multilayer Directors; Nexus 7000 Series Switches; Nexus 7700 Series Switches

Trust: 1.98

sources: NVD: CVE-2019-1808 // JVNDB: JVNDB-2019-004648 // BID: 108367 // VULHUB: VHN-150390

AFFECTED PRODUCTS

vendor:	cisco	model:	nx-os	scope:	gte	version:	8.0	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	8.1\(1a\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	7.3	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	8.3\(1\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	8.2\(3\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	8.2	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	gte	version:	7.2	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	lt	version:	7.3\(3\)d1\(1\)	Trust: 1.0
vendor:	cisco	model:	nx-os	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	77000	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	eq	version:	70008.2(1)	Trust: 0.3
vendor:	cisco	model:	mds series multilayer directors	scope:	eq	version:	97000	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	ne	version:	70008.3(1)	Trust: 0.3
vendor:	cisco	model:	nexus series switches	scope:	ne	version:	70008.2(3)	Trust: 0.3
vendor:	cisco	model:	nexus series switches 7.3 d1	scope:	ne	version:	7000	Trust: 0.3

sources: BID: 108367 // JVNDB: JVNDB-2019-004648 // NVD: CVE-2019-1808

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-1808
value:	MEDIUM
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1808
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-1808
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201905-682
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-150390
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2019-1808
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-150390
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-1808
baseSeverity:	MEDIUM
baseScore:	4.4
vectorString:	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	0.8
impactScore:	3.6
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1808
baseSeverity:	MEDIUM
baseScore:	6.7
vectorString:	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.8
impactScore:	5.9
version:	3.0
Trust: 1.0
NVD:	CVE-2019-1808
baseSeverity:	MEDIUM
baseScore:	4.4
vectorString:	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-150390 // JVNDB: JVNDB-2019-004648 // CNNVD: CNNVD-201905-682 // NVD: CVE-2019-1808 // NVD: CVE-2019-1808

PROBLEMTYPE DATA

problemtype:

CWE-347

Trust: 1.9

sources: VULHUB: VHN-150390 // JVNDB: JVNDB-2019-004648 // NVD: CVE-2019-1808

THREAT TYPE

local

Trust: 0.9

sources: BID: 108367 // CNNVD: CNNVD-201905-682

TYPE

data forgery

Trust: 0.6

sources: CNNVD: CNNVD-201905-682

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-004648

PATCH

title:	cisco-sa-20190515-nxos-spsv	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-spsv	Trust: 0.8
title:	Cisco NX-OS Software Repair measures for data forgery problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92806	Trust: 0.6

sources: JVNDB: JVNDB-2019-004648 // CNNVD: CNNVD-201905-682

EXTERNAL IDS

db:	NVD	id:	CVE-2019-1808	Trust: 2.8
db:	BID	id:	108367	Trust: 2.0
db:	JVNDB	id:	JVNDB-2019-004648	Trust: 0.8
db:	CNNVD	id:	CNNVD-201905-682	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.1757	Trust: 0.6
db:	VULHUB	id:	VHN-150390	Trust: 0.1

sources: VULHUB: VHN-150390 // BID: 108367 // JVNDB: JVNDB-2019-004648 // CNNVD: CNNVD-201905-682 // NVD: CVE-2019-1808

REFERENCES

url:	http://www.securityfocus.com/bid/108367	Trust: 2.3
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190515-nxos-spsv	Trust: 2.0
url:	https://nvd.nist.gov/vuln/detail/cve-2019-1808	Trust: 1.4
url:	http://www.cisco.com/	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1808	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/81110	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-nexus-multiple-vulnerabilities-via-signature-29341	Trust: 0.6

sources: VULHUB: VHN-150390 // BID: 108367 // JVNDB: JVNDB-2019-004648 // CNNVD: CNNVD-201905-682 // NVD: CVE-2019-1808

CREDITS

Cisco

Trust: 0.9

sources: BID: 108367 // CNNVD: CNNVD-201905-682

SOURCES

db:	VULHUB	id:	VHN-150390
db:	BID	id:	108367
db:	JVNDB	id:	JVNDB-2019-004648
db:	CNNVD	id:	CNNVD-201905-682
db:	NVD	id:	CVE-2019-1808

LAST UPDATE DATE

2024-08-14T15:43:44.631000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-150390	date:	2019-10-09T00:00:00
db:	BID	id:	108367	date:	2019-05-15T00:00:00
db:	JVNDB	id:	JVNDB-2019-004648	date:	2019-06-05T00:00:00
db:	CNNVD	id:	CNNVD-201905-682	date:	2019-05-21T00:00:00
db:	NVD	id:	CVE-2019-1808	date:	2023-03-24T17:46:15.013

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-150390	date:	2019-05-15T00:00:00
db:	BID	id:	108367	date:	2019-05-15T00:00:00
db:	JVNDB	id:	JVNDB-2019-004648	date:	2019-06-05T00:00:00
db:	CNNVD	id:	CNNVD-201905-682	date:	2019-05-15T00:00:00
db:	NVD	id:	CVE-2019-1808	date:	2019-05-15T23:29:01.010