ID

VAR-201905-0579


CVE

CVE-2019-1682


TITLE

Cisco Application Policy Infrastructure Controller Vulnerability related to authorization, authority, and access control in software

Trust: 0.8

sources: JVNDB: JVNDB-2019-003893

DESCRIPTION

A vulnerability in the FUSE filesystem functionality for Cisco Application Policy Infrastructure Controller (APIC) software could allow an authenticated, local attacker to escalate privileges to root on an affected device. The vulnerability is due to insufficient input validation for certain command strings issued on the CLI of the affected device. An attacker with write permissions for files within a readable folder on the device could alter certain definitions in the affected file. A successful exploit could allow an attacker to cause the underlying FUSE driver to execute said crafted commands, elevating the attacker's privileges to root on an affected device. This issue is being tracked by Cisco Bug ID CSCvn09779. The FUSE file system functionality in Cisco APIC versions prior to 4.1(1i) is vulnerable to permission and access control issues. The vulnerability stems from the lack of effective permissions and access control measures in network systems or products

Trust: 1.98

sources: NVD: CVE-2019-1682 // JVNDB: JVNDB-2019-003893 // BID: 108129 // VULHUB: VHN-149004

AFFECTED PRODUCTS

vendor:ciscomodel:application policy infrastructure controllerscope:ltversion:4.1\(1i\)

Trust: 1.0

vendor:ciscomodel:application policy infrastructure controllerscope: - version: -

Trust: 0.8

vendor:ciscomodel:application policy infrastructure controller 3.2scope: - version: -

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controller 2.3scope: - version: -

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:2.2(1)

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controller 2.1scope: - version: -

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controller 2.0scope: - version: -

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controller 1.3scope: - version: -

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controller 4.1scope:neversion: -

Trust: 0.3

sources: BID: 108129 // JVNDB: JVNDB-2019-003893 // NVD: CVE-2019-1682

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1682
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1682
value: HIGH

Trust: 1.0

NVD: CVE-2019-1682
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201905-015
value: HIGH

Trust: 0.6

VULHUB: VHN-149004
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-1682
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-149004
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-1682
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1682
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-149004 // JVNDB: JVNDB-2019-003893 // CNNVD: CNNVD-201905-015 // NVD: CVE-2019-1682 // NVD: CVE-2019-1682

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

problemtype:CWE-20

Trust: 1.1

sources: VULHUB: VHN-149004 // JVNDB: JVNDB-2019-003893 // NVD: CVE-2019-1682

THREAT TYPE

local

Trust: 0.9

sources: BID: 108129 // CNNVD: CNNVD-201905-015

TYPE

Input Validation Error

Trust: 0.9

sources: BID: 108129 // CNNVD: CNNVD-201905-015

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003893

PATCH

title:cisco-sa-20190501-apic-priv-escalationurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-apic-priv-escalation

Trust: 0.8

title:Cisco Application Policy Infrastructure Controller Fixes for permissions and access control issues vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92166

Trust: 0.6

sources: JVNDB: JVNDB-2019-003893 // CNNVD: CNNVD-201905-015

EXTERNAL IDS

db:NVDid:CVE-2019-1682

Trust: 2.8

db:BIDid:108129

Trust: 1.0

db:JVNDBid:JVNDB-2019-003893

Trust: 0.8

db:CNNVDid:CNNVD-201905-015

Trust: 0.7

db:NSFOCUSid:43204

Trust: 0.6

db:AUSCERTid:ESB-2019.1518.2

Trust: 0.6

db:VULHUBid:VHN-149004

Trust: 0.1

sources: VULHUB: VHN-149004 // BID: 108129 // JVNDB: JVNDB-2019-003893 // CNNVD: CNNVD-201905-015 // NVD: CVE-2019-1682

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190501-apic-priv-escalation

Trust: 2.0

url:https://nvd.nist.gov/vuln/detail/cve-2019-1682

Trust: 1.4

url:http://www.cisco.com/

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1682

Trust: 0.8

url:https://www.securityfocus.com/bid/108129

Trust: 0.6

url:https://www.auscert.org.au/bulletins/80110

Trust: 0.6

url:http://www.nsfocus.net/vulndb/43204

Trust: 0.6

sources: VULHUB: VHN-149004 // BID: 108129 // JVNDB: JVNDB-2019-003893 // CNNVD: CNNVD-201905-015 // NVD: CVE-2019-1682

CREDITS

Octav Opaschi with Detack GmbH ?? ??,Octav Opaschi with Detack GmbH .,Octav Opaschi with Detack GmbH

Trust: 0.6

sources: CNNVD: CNNVD-201905-015

SOURCES

db:VULHUBid:VHN-149004
db:BIDid:108129
db:JVNDBid:JVNDB-2019-003893
db:CNNVDid:CNNVD-201905-015
db:NVDid:CVE-2019-1682

LAST UPDATE DATE

2024-08-14T14:19:34.142000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-149004date:2020-10-07T00:00:00
db:BIDid:108129date:2019-05-01T00:00:00
db:JVNDBid:JVNDB-2019-003893date:2019-05-23T00:00:00
db:CNNVDid:CNNVD-201905-015date:2020-10-28T00:00:00
db:NVDid:CVE-2019-1682date:2020-10-07T18:11:31.143

SOURCES RELEASE DATE

db:VULHUBid:VHN-149004date:2019-05-03T00:00:00
db:BIDid:108129date:2019-05-01T00:00:00
db:JVNDBid:JVNDB-2019-003893date:2019-05-23T00:00:00
db:CNNVDid:CNNVD-201905-015date:2019-05-01T00:00:00
db:NVDid:CVE-2019-1682date:2019-05-03T15:29:00.777