Sign-up

ID

VAR-201905-1320


CVE

CVE-2019-1586


TITLE

Cisco Application Policy Infrastructure Controller Software key management error vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-004444

DESCRIPTION

A vulnerability in Cisco Application Policy Infrastructure Controller (APIC) Software could allow an unauthenticated, local attacker with physical access to obtain sensitive information from an affected device. The vulnerability is due to insecure removal of cleartext encryption keys stored on local partitions in the hard drive of an affected device. An attacker could exploit this vulnerability by retrieving data from the physical disk on the affected partition(s). A successful exploit could allow the attacker to retrieve encryption keys, possibly allowing the attacker to further decrypt other data and sensitive information on the device, which could lead to the disclosure of confidential information. This issue is being tracked by Cisco bug ID CSCvn09800. The vulnerability stems from incorrect use of relevant cryptographic algorithms by network systems or products, resulting in improperly encrypted content, weak encryption, and storing sensitive information in plain text

Trust: 1.98

sources: NVD: CVE-2019-1586 // JVNDB: JVNDB-2019-004444 // BID: 108158 // VULHUB: VHN-147948

AFFECTED PRODUCTS

vendor:ciscomodel:application policy infrastructure controllerscope:eqversion:4.1\(0.90a\)

Trust: 1.0

vendor:ciscomodel:application policy infrastructure controllerscope: - version: -

Trust: 0.8

vendor:ciscomodel:application policy infrastructure controller 4.2scope:neversion: -

Trust: 0.6

vendor:ciscomodel:application policy infrastructure controller 4.1scope:neversion: -

Trust: 0.6

vendor:ciscomodel:application policy infrastructure controller 4.1scope: - version: -

Trust: 0.3

sources: BID: 108158 // JVNDB: JVNDB-2019-004444 // NVD: CVE-2019-1586

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1586
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1586
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1586
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201905-013
value: MEDIUM

Trust: 0.6

VULHUB: VHN-147948
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2019-1586
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-147948
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-1586
baseSeverity: MEDIUM
baseScore: 4.6
vectorString: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 0.9
impactScore: 3.6
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1586
baseSeverity: MEDIUM
baseScore: 4.6
vectorString: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 0.9
impactScore: 3.6
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-147948 // JVNDB: JVNDB-2019-004444 // CNNVD: CNNVD-201905-013 // NVD: CVE-2019-1586 // NVD: CVE-2019-1586

PROBLEMTYPE DATA

problemtype:CWE-320

Trust: 1.9

problemtype:CWE-459

Trust: 1.0

sources: VULHUB: VHN-147948 // JVNDB: JVNDB-2019-004444 // NVD: CVE-2019-1586

THREAT TYPE

local

Trust: 0.9

sources: BID: 108158 // CNNVD: CNNVD-201905-013

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201905-013

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-004444

PATCH
title:cisco-sa-20190501-apic-encrypturl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-apic-encrypt
Trust: 0.8
title:Cisco Application Policy Infrastructure Controller Fixes for encryption problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92164
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-004444 // 
            
            
            
            CNNVD: CNNVD-201905-013

EXTERNAL IDS
db:NVDid:CVE-2019-1586
Trust: 2.8
db:BIDid:108158
Trust: 2.0
db:JVNDBid:JVNDB-2019-004444
Trust: 0.8
db:CNNVDid:CNNVD-201905-013
Trust: 0.7
db:AUSCERTid:ESB-2019.1518.2
Trust: 0.6
db:VULHUBid:VHN-147948
Trust: 0.1
sources:
            
            
            VULHUB: VHN-147948 // 
            
            
            
            BID: 108158 // 
            
            
            
            JVNDB: JVNDB-2019-004444 // 
            
            
            
            CNNVD: CNNVD-201905-013 // 
            
            
            
            NVD: CVE-2019-1586

REFERENCES
url:http://www.securityfocus.com/bid/108158
Trust: 2.3
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190501-apic-encrypt
Trust: 2.0
url:https://nvd.nist.gov/vuln/detail/cve-2019-1586
Trust: 1.4
url:http://www.cisco.com/
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1586
Trust: 0.8
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190501-apic-priv-escalation
Trust: 0.6
url:https://www.auscert.org.au/bulletins/80110
Trust: 0.6
sources:
            
            
            VULHUB: VHN-147948 // 
            
            
            
            BID: 108158 // 
            
            
            
            JVNDB: JVNDB-2019-004444 // 
            
            
            
            CNNVD: CNNVD-201905-013 // 
            
            
            
            NVD: CVE-2019-1586

CREDITS
Costin Enache of Detack GmbH .
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201905-013

SOURCES
db:VULHUBid:VHN-147948
db:BIDid:108158
db:JVNDBid:JVNDB-2019-004444
db:CNNVDid:CNNVD-201905-013
db:NVDid:CVE-2019-1586

LAST UPDATE DATE
2024-08-14T14:19:34.174000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-147948date:2019-10-09T00:00:00
db:BIDid:108158date:2019-05-01T00:00:00
db:JVNDBid:JVNDB-2019-004444date:2019-06-03T00:00:00
db:CNNVDid:CNNVD-201905-013date:2021-11-02T00:00:00
db:NVDid:CVE-2019-1586date:2021-10-29T16:54:49.673

SOURCES RELEASE DATE
db:VULHUBid:VHN-147948date:2019-05-03T00:00:00
db:BIDid:108158date:2019-05-01T00:00:00
db:JVNDBid:JVNDB-2019-004444date:2019-06-03T00:00:00
db:CNNVDid:CNNVD-201905-013date:2019-05-01T00:00:00
db:NVDid:CVE-2019-1586date:2019-05-03T15:29:00.367