ID

VAR-201906-0564


CVE

CVE-2019-1626


TITLE

Cisco SD-WAN Solution Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2019-005719

DESCRIPTION

A vulnerability in the vManage web-based UI (Web UI) of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to gain elevated privileges on an affected vManage device. The vulnerability is due to a failure to properly authorize certain user actions in the device configuration. An attacker could exploit this vulnerability by logging in to the vManage Web UI and sending crafted HTTP requests to vManage. A successful exploit could allow attackers to gain elevated privileges and make changes to the configuration that they would not normally be authorized to make. Cisco SD-WAN Solution contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Cisco SD-WAN Solution is prone to a remote privilege-escalation vulnerability. This issue is being tracked by Cisco Bug ID CSCvi69886. CLI is one of those command line interfaces

Trust: 1.98

sources: NVD: CVE-2019-1626 // JVNDB: JVNDB-2019-005719 // BID: 108838 // VULHUB: VHN-148388

AFFECTED PRODUCTS

vendor: cisco, model: sd-wan, scope: lte, version: 18.3.6

Trust: 1.0

vendor: cisco, model: sd-wan, scope: -, version: -

Trust: 0.8

vendor: cisco, model: vmanage network management software, scope: eq, version: 0

Trust: 0.3

vendor: cisco, model: sd-wan, scope: eq, version: 18.3.1

Trust: 0.3

vendor: cisco, model: sd-wan, scope: eq, version: 18.3

Trust: 0.3

vendor: cisco, model: sd-wan, scope: eq, version: 17.2.8

Trust: 0.3

vendor: cisco, model: sd-wan, scope: ne, version: 18.4

Trust: 0.3

sources: BID: 108838 // JVNDB: JVNDB-2019-005719 // NVD: CVE-2019-1626

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1626
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1626
value: HIGH

Trust: 1.0

NVD: CVE-2019-1626
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201906-798
value: HIGH

Trust: 0.6

VULHUB: VHN-148388
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-1626
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-148388
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-1626
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1626
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-148388 // JVNDB: JVNDB-2019-005719 // CNNVD: CNNVD-201906-798 // NVD: CVE-2019-1626 // NVD: CVE-2019-1626

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

problemtype:CWE-863

Trust: 1.1

sources: VULHUB: VHN-148388 // JVNDB: JVNDB-2019-005719 // NVD: CVE-2019-1626

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-798

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201906-798

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005719

PATCH

title: cisco-sa-20190619-sdwan-privilescal, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-sdwan-privilescal

Trust: 0.8

title: Cisco SD-WAN Solution Fixes for permissions and access control issues vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93948

Trust: 0.6

sources: JVNDB: JVNDB-2019-005719 // CNNVD: CNNVD-201906-798

EXTERNAL IDS

db: NVD, id: CVE-2019-1626

Trust: 2.8

db: BID, id: 108838

Trust: 2.0

db: JVNDB, id: JVNDB-2019-005719

Trust: 0.8

db: CNNVD, id: CNNVD-201906-798

Trust: 0.7

db: AUSCERT, id: ESB-2019.2191

Trust: 0.6

db: VULHUB, id: VHN-148388

Trust: 0.1

sources: VULHUB: VHN-148388 // BID: 108838 // JVNDB: JVNDB-2019-005719 // CNNVD: CNNVD-201906-798 // NVD: CVE-2019-1626

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190619-sdwan-privilescal

Trust: 2.0

url:http://www.securityfocus.com/bid/108838

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-1626

Trust: 1.4

url:http://www.cisco.com/

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1626

Trust: 0.8

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190619-sdwan-privesca

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190619-sdwan-cmdinj

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.2191/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-sd-wan-solution-privilege-escalation-via-vmanage-web-ui-29574

Trust: 0.6

sources: VULHUB: VHN-148388 // BID: 108838 // JVNDB: JVNDB-2019-005719 // CNNVD: CNNVD-201906-798 // NVD: CVE-2019-1626

CREDITS

Cisco

Trust: 0.9

sources: BID: 108838 // CNNVD: CNNVD-201906-798

SOURCES

db: VULHUB, id: VHN-148388
db: BID, id: 108838
db: JVNDB, id: JVNDB-2019-005719
db: CNNVD, id: CNNVD-201906-798
db: NVD, id: CVE-2019-1626

LAST UPDATE DATE

2024-08-14T13:44:57.491000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-148388, date: 2020-10-06T00:00:00
db: BID, id: 108838, date: 2019-06-19T00:00:00
db: JVNDB, id: JVNDB-2019-005719, date: 2019-06-27T00:00:00
db: CNNVD, id: CNNVD-201906-798, date: 2020-10-09T00:00:00
db: NVD, id: CVE-2019-1626, date: 2020-10-06T19:53:26.710

SOURCES RELEASE DATE

db: VULHUB, id: VHN-148388, date: 2019-06-20T00:00:00
db: BID, id: 108838, date: 2019-06-19T00:00:00
db: JVNDB, id: JVNDB-2019-005719, date: 2019-06-27T00:00:00
db: CNNVD, id: CNNVD-201906-798, date: 2019-06-20T00:00:00
db: NVD, id: CVE-2019-1626, date: 2019-06-20T03:15:11.433