ID

VAR-201906-0289


CVE

CVE-2019-1880


TITLE

Cisco Unified Computing System C-Series Rack Server Vulnerabilities related to insufficient validation of data reliability

Trust: 0.8

sources: JVNDB: JVNDB-2019-005281

DESCRIPTION

A vulnerability in the BIOS upgrade utility of Cisco Unified Computing System (UCS) C-Series Rack Servers could allow an authenticated, local attacker to install compromised BIOS firmware on an affected device. The vulnerability is due to insufficient validation of the firmware image file. An attacker could exploit this vulnerability by executing the BIOS upgrade utility with a specific set of options. A successful exploit could allow the attacker to bypass the firmware signature-verification process and install compromised BIOS firmware on an affected device. Cisco Unified Computing System (UCS) C-Series Rack Server Contains vulnerabilities related to insufficient validation of data reliability.Information may be tampered with. Cisco Unified Computing System Central Software is prone to a security-bypass Vulnerability. Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This issue being tracked by Cisco Bug IDs CSCvp12824, CSCvp12840

Trust: 1.89

sources: NVD: CVE-2019-1880 // JVNDB: JVNDB-2019-005281 // BID: 108680

AFFECTED PRODUCTS

vendor:ciscomodel:unified computing system serverscope:ltversion:4.0\(4c\)

Trust: 1.0

vendor:ciscomodel:unified computing system serverscope:ltversion:4.0\(2g\)

Trust: 1.0

vendor:ciscomodel:unified computing system serverscope:gteversion:4.0

Trust: 1.0

vendor:ciscomodel:unified computing system serverscope:ltversion:3.0\(4l\)

Trust: 1.0

vendor:ciscomodel:industrial network directorscope: - version: -

Trust: 0.8

vendor:ciscomodel:unified computing system 4.0 s7scope: - version: -

Trust: 0.3

vendor:ciscomodel:unified computing system 3.0 hscope: - version: -

Trust: 0.3

vendor:ciscomodel:ucs c-series rack servers 4.0 hs3scope: - version: -

Trust: 0.3

sources: BID: 108680 // JVNDB: JVNDB-2019-005281 // NVD: CVE-2019-1880

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1880
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1880
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-1880
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201906-153
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2019-1880
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1880
baseSeverity: MEDIUM
baseScore: 4.4
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 0.8
impactScore: 3.6
version: 3.0

Trust: 2.8

sources: JVNDB: JVNDB-2019-005281 // CNNVD: CNNVD-201906-153 // NVD: CVE-2019-1880 // NVD: CVE-2019-1880

PROBLEMTYPE DATA

problemtype:CWE-345

Trust: 1.8

sources: JVNDB: JVNDB-2019-005281 // NVD: CVE-2019-1880

THREAT TYPE

local

Trust: 0.9

sources: BID: 108680 // CNNVD: CNNVD-201906-153

TYPE

data forgery

Trust: 0.6

sources: CNNVD: CNNVD-201906-153

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005281

PATCH

title:cisco-sa-20190605-ucs-biossig-bypassurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-ucs-biossig-bypass

Trust: 0.8

title:Cisco Unified Computing System C-Series Rack Servers Repair measures for data forgery problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93245

Trust: 0.6

sources: JVNDB: JVNDB-2019-005281 // CNNVD: CNNVD-201906-153

EXTERNAL IDS

db:NVDid:CVE-2019-1880

Trust: 2.7

db:BIDid:108680

Trust: 1.9

db:JVNDBid:JVNDB-2019-005281

Trust: 0.8

db:AUSCERTid:ESB-2020.0766

Trust: 0.6

db:AUSCERTid:ESB-2019.2028

Trust: 0.6

db:CNNVDid:CNNVD-201906-153

Trust: 0.6

sources: BID: 108680 // JVNDB: JVNDB-2019-005281 // CNNVD: CNNVD-201906-153 // NVD: CVE-2019-1880

REFERENCES

url:http://www.securityfocus.com/bid/108680

Trust: 2.2

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190605-ucs-biossig-bypass

Trust: 1.9

url:https://nvd.nist.gov/vuln/detail/cve-2019-1880

Trust: 1.4

url:http://www.cisco.com/c/en/us/support/servers-unified-computing/ucs-central-software/tsd-products-support-series-home.html

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1880

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.0766/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.2028/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-unified-computing-system-privilege-escalation-via-bios-upgrade-29477

Trust: 0.6

url:http://www.cisco.com/

Trust: 0.3

sources: BID: 108680 // JVNDB: JVNDB-2019-005281 // CNNVD: CNNVD-201906-153 // NVD: CVE-2019-1880

CREDITS

Cisco

Trust: 0.9

sources: BID: 108680 // CNNVD: CNNVD-201906-153

SOURCES

db:BIDid:108680
db:JVNDBid:JVNDB-2019-005281
db:CNNVDid:CNNVD-201906-153
db:NVDid:CVE-2019-1880

LAST UPDATE DATE

2024-08-14T12:35:06.329000+00:00


SOURCES UPDATE DATE

db:BIDid:108680date:2019-06-05T00:00:00
db:JVNDBid:JVNDB-2019-005281date:2019-06-18T00:00:00
db:CNNVDid:CNNVD-201906-153date:2020-03-04T00:00:00
db:NVDid:CVE-2019-1880date:2019-10-09T23:48:25.190

SOURCES RELEASE DATE

db:BIDid:108680date:2019-06-05T00:00:00
db:JVNDBid:JVNDB-2019-005281date:2019-06-18T00:00:00
db:CNNVDid:CNNVD-201906-153date:2019-06-05T00:00:00
db:NVDid:CVE-2019-1880date:2019-06-05T17:29:00.647