Sign-up

ID

VAR-201905-0579


CVE

CVE-2019-1682


TITLE

Cisco Application Policy Infrastructure Controller Vulnerability related to authorization, authority, and access control in software

Trust: 0.8

sources: JVNDB: JVNDB-2019-003893

DESCRIPTION

A vulnerability in the FUSE filesystem functionality for Cisco Application Policy Infrastructure Controller (APIC) software could allow an authenticated, local attacker to escalate privileges to root on an affected device. The vulnerability is due to insufficient input validation for certain command strings issued on the CLI of the affected device. An attacker with write permissions for files within a readable folder on the device could alter certain definitions in the affected file. A successful exploit could allow an attacker to cause the underlying FUSE driver to execute said crafted commands, elevating the attacker's privileges to root on an affected device. This issue is being tracked by Cisco Bug ID CSCvn09779. The FUSE file system functionality in Cisco APIC versions prior to 4.1(1i) is vulnerable to permission and access control issues. The vulnerability stems from the lack of effective permissions and access control measures in network systems or products

Trust: 1.98

sources: NVD: CVE-2019-1682 // JVNDB: JVNDB-2019-003893 // BID: 108129 // VULHUB: VHN-149004

AFFECTED PRODUCTS

vendor:ciscomodel:application policy infrastructure controllerscope:ltversion:4.1\(1i\)

Trust: 1.0

vendor:ciscomodel:application policy infrastructure controllerscope: - version: -

Trust: 0.8

vendor:ciscomodel:application policy infrastructure controller 3.2scope: - version: -

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controller 2.3scope: - version: -

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:2.2(1)

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controller 2.1scope: - version: -

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controller 2.0scope: - version: -

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controller 1.3scope: - version: -

Trust: 0.3

vendor:ciscomodel:application policy infrastructure controller 4.1scope:neversion: -

Trust: 0.3

sources: BID: 108129 // JVNDB: JVNDB-2019-003893 // NVD: CVE-2019-1682

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1682
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1682
value: HIGH

Trust: 1.0

NVD: CVE-2019-1682
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201905-015
value: HIGH

Trust: 0.6

VULHUB: VHN-149004
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-1682
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-149004
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-1682
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1682
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-149004 // JVNDB: JVNDB-2019-003893 // CNNVD: CNNVD-201905-015 // NVD: CVE-2019-1682 // NVD: CVE-2019-1682

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

problemtype:CWE-20

Trust: 1.1

sources: VULHUB: VHN-149004 // JVNDB: JVNDB-2019-003893 // NVD: CVE-2019-1682

THREAT TYPE

local

Trust: 0.9

sources: BID: 108129 // CNNVD: CNNVD-201905-015

TYPE

Input Validation Error

Trust: 0.9

sources: BID: 108129 // CNNVD: CNNVD-201905-015

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-003893

PATCH
title:cisco-sa-20190501-apic-priv-escalationurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-apic-priv-escalation
Trust: 0.8
title:Cisco Application Policy Infrastructure Controller Fixes for permissions and access control issues vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92166
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-003893 // 
            
            
            
            CNNVD: CNNVD-201905-015

EXTERNAL IDS
db:NVDid:CVE-2019-1682
Trust: 2.8
db:BIDid:108129
Trust: 1.0
db:JVNDBid:JVNDB-2019-003893
Trust: 0.8
db:CNNVDid:CNNVD-201905-015
Trust: 0.7
db:NSFOCUSid:43204
Trust: 0.6
db:AUSCERTid:ESB-2019.1518.2
Trust: 0.6
db:VULHUBid:VHN-149004
Trust: 0.1
sources:
            
            
            VULHUB: VHN-149004 // 
            
            
            
            BID: 108129 // 
            
            
            
            JVNDB: JVNDB-2019-003893 // 
            
            
            
            CNNVD: CNNVD-201905-015 // 
            
            
            
            NVD: CVE-2019-1682

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190501-apic-priv-escalation
Trust: 2.0
url:https://nvd.nist.gov/vuln/detail/cve-2019-1682
Trust: 1.4
url:http://www.cisco.com/
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1682
Trust: 0.8
url:https://www.securityfocus.com/bid/108129
Trust: 0.6
url:https://www.auscert.org.au/bulletins/80110
Trust: 0.6
url:http://www.nsfocus.net/vulndb/43204
Trust: 0.6
sources:
            
            
            VULHUB: VHN-149004 // 
            
            
            
            BID: 108129 // 
            
            
            
            JVNDB: JVNDB-2019-003893 // 
            
            
            
            CNNVD: CNNVD-201905-015 // 
            
            
            
            NVD: CVE-2019-1682

CREDITS
Octav Opaschi with Detack GmbH ?? ??,Octav Opaschi with Detack GmbH .,Octav Opaschi with Detack GmbH
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201905-015

SOURCES
db:VULHUBid:VHN-149004
db:BIDid:108129
db:JVNDBid:JVNDB-2019-003893
db:CNNVDid:CNNVD-201905-015
db:NVDid:CVE-2019-1682

LAST UPDATE DATE
2024-08-14T14:19:34.142000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-149004date:2020-10-07T00:00:00
db:BIDid:108129date:2019-05-01T00:00:00
db:JVNDBid:JVNDB-2019-003893date:2019-05-23T00:00:00
db:CNNVDid:CNNVD-201905-015date:2020-10-28T00:00:00
db:NVDid:CVE-2019-1682date:2020-10-07T18:11:31.143

SOURCES RELEASE DATE
db:VULHUBid:VHN-149004date:2019-05-03T00:00:00
db:BIDid:108129date:2019-05-01T00:00:00
db:JVNDBid:JVNDB-2019-003893date:2019-05-23T00:00:00
db:CNNVDid:CNNVD-201905-015date:2019-05-01T00:00:00
db:NVDid:CVE-2019-1682date:2019-05-03T15:29:00.777