ID

VAR-201905-0531


CVE

CVE-2019-1808


TITLE

Cisco NX-OS Vulnerabilities related to digital signature verification in software

Trust: 0.8

sources: JVNDB: JVNDB-2019-004648

DESCRIPTION

A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software patch on an affected device. The vulnerability is due to improper verification of digital signatures for patch images. An attacker could exploit this vulnerability by loading an unsigned software patch on an affected device. A successful exploit could allow the attacker to boot a malicious software patch image. Cisco NX-OS The software contains a vulnerability related to digital signature verification.Information may be tampered with. Multiple Cisco Products prone to an local security-bypass vulnerability. An attacker may exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. This issue is being tracked by Cisco Bug ID CSCvi42248. Cisco NX-OS Software is a data center-level operating system software used by a set of switches of Cisco. The vulnerability stems from a network system or product not adequately verifying the origin or authenticity of data. Attackers can use forged data to attack. The following products and versions are affected: Cisco MDS 9700 Series Multilayer Directors; Nexus 7000 Series Switches; Nexus 7700 Series Switches

Trust: 1.98

sources: NVD: CVE-2019-1808 // JVNDB: JVNDB-2019-004648 // BID: 108367 // VULHUB: VHN-150390

AFFECTED PRODUCTS

vendor:ciscomodel:nx-osscope:gteversion:8.0

Trust: 1.0

vendor:ciscomodel:nx-osscope:ltversion:8.1\(1a\)

Trust: 1.0

vendor:ciscomodel:nx-osscope:gteversion:7.3

Trust: 1.0

vendor:ciscomodel:nx-osscope:ltversion:8.3\(1\)

Trust: 1.0

vendor:ciscomodel:nx-osscope:ltversion:8.2\(3\)

Trust: 1.0

vendor:ciscomodel:nx-osscope:gteversion:8.2

Trust: 1.0

vendor:ciscomodel:nx-osscope:gteversion:7.2

Trust: 1.0

vendor:ciscomodel:nx-osscope:ltversion:7.3\(3\)d1\(1\)

Trust: 1.0

vendor:ciscomodel:nx-osscope: - version: -

Trust: 0.8

vendor:ciscomodel:nexus series switchesscope:eqversion:77000

Trust: 0.3

vendor:ciscomodel:nexus series switchesscope:eqversion:70008.2(1)

Trust: 0.3

vendor:ciscomodel:mds series multilayer directorsscope:eqversion:97000

Trust: 0.3

vendor:ciscomodel:nexus series switchesscope:neversion:70008.3(1)

Trust: 0.3

vendor:ciscomodel:nexus series switchesscope:neversion:70008.2(3)

Trust: 0.3

vendor:ciscomodel:nexus series switches 7.3 d1scope:neversion:7000

Trust: 0.3

sources: BID: 108367 // JVNDB: JVNDB-2019-004648 // NVD: CVE-2019-1808

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1808
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1808
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1808
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201905-682
value: MEDIUM

Trust: 0.6

VULHUB: VHN-150390
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2019-1808
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-150390
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-1808
baseSeverity: MEDIUM
baseScore: 4.4
vectorString: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 0.8
impactScore: 3.6
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1808
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: CVE-2019-1808
baseSeverity: MEDIUM
baseScore: 4.4
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-150390 // JVNDB: JVNDB-2019-004648 // CNNVD: CNNVD-201905-682 // NVD: CVE-2019-1808 // NVD: CVE-2019-1808

PROBLEMTYPE DATA

problemtype:CWE-347

Trust: 1.9

sources: VULHUB: VHN-150390 // JVNDB: JVNDB-2019-004648 // NVD: CVE-2019-1808

THREAT TYPE

local

Trust: 0.9

sources: BID: 108367 // CNNVD: CNNVD-201905-682

TYPE

data forgery

Trust: 0.6

sources: CNNVD: CNNVD-201905-682

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-004648

PATCH

title:cisco-sa-20190515-nxos-spsvurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-spsv

Trust: 0.8

title:Cisco NX-OS Software Repair measures for data forgery problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92806

Trust: 0.6

sources: JVNDB: JVNDB-2019-004648 // CNNVD: CNNVD-201905-682

EXTERNAL IDS

db:NVDid:CVE-2019-1808

Trust: 2.8

db:BIDid:108367

Trust: 2.0

db:JVNDBid:JVNDB-2019-004648

Trust: 0.8

db:CNNVDid:CNNVD-201905-682

Trust: 0.7

db:AUSCERTid:ESB-2019.1757

Trust: 0.6

db:VULHUBid:VHN-150390

Trust: 0.1

sources: VULHUB: VHN-150390 // BID: 108367 // JVNDB: JVNDB-2019-004648 // CNNVD: CNNVD-201905-682 // NVD: CVE-2019-1808

REFERENCES

url:http://www.securityfocus.com/bid/108367

Trust: 2.3

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190515-nxos-spsv

Trust: 2.0

url:https://nvd.nist.gov/vuln/detail/cve-2019-1808

Trust: 1.4

url:http://www.cisco.com/

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1808

Trust: 0.8

url:https://www.auscert.org.au/bulletins/81110

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-nexus-multiple-vulnerabilities-via-signature-29341

Trust: 0.6

sources: VULHUB: VHN-150390 // BID: 108367 // JVNDB: JVNDB-2019-004648 // CNNVD: CNNVD-201905-682 // NVD: CVE-2019-1808

CREDITS

Cisco

Trust: 0.9

sources: BID: 108367 // CNNVD: CNNVD-201905-682

SOURCES

db:VULHUBid:VHN-150390
db:BIDid:108367
db:JVNDBid:JVNDB-2019-004648
db:CNNVDid:CNNVD-201905-682
db:NVDid:CVE-2019-1808

LAST UPDATE DATE

2024-08-14T15:43:44.631000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-150390date:2019-10-09T00:00:00
db:BIDid:108367date:2019-05-15T00:00:00
db:JVNDBid:JVNDB-2019-004648date:2019-06-05T00:00:00
db:CNNVDid:CNNVD-201905-682date:2019-05-21T00:00:00
db:NVDid:CVE-2019-1808date:2023-03-24T17:46:15.013

SOURCES RELEASE DATE

db:VULHUBid:VHN-150390date:2019-05-15T00:00:00
db:BIDid:108367date:2019-05-15T00:00:00
db:JVNDBid:JVNDB-2019-004648date:2019-06-05T00:00:00
db:CNNVDid:CNNVD-201905-682date:2019-05-15T00:00:00
db:NVDid:CVE-2019-1808date:2019-05-15T23:29:01.010