Details of VAR-201906-0564

ID

VAR-201906-0564

CVE

CVE-2019-1626

TITLE

Cisco SD-WAN Solution Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2019-005719

DESCRIPTION

A vulnerability in the vManage web-based UI (Web UI) of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to gain elevated privileges on an affected vManage device. The vulnerability is due to a failure to properly authorize certain user actions in the device configuration. An attacker could exploit this vulnerability by logging in to the vManage Web UI and sending crafted HTTP requests to vManage. A successful exploit could allow attackers to gain elevated privileges and make changes to the configuration that they would not normally be authorized to make. Cisco SD-WAN Solution Vulnerabilities related to authorization, authority, and access controlInformation is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco SD-WAN Solution is prone to a remote privilege-escalation vulnerability. This issue is being tracked by Cisco Bug ID CSCvi69886. CLI is one of those command line interfaces

Trust: 1.98

sources: NVD: CVE-2019-1626 // JVNDB: JVNDB-2019-005719 // BID: 108838 // VULHUB: VHN-148388

AFFECTED PRODUCTS

vendor:	cisco	model:	sd-wan	scope:	lte	version:	18.3.6	Trust: 1.0
vendor:	cisco	model:	sd-wan	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	vmanage network management software	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	sd-wan	scope:	eq	version:	18.3.1	Trust: 0.3
vendor:	cisco	model:	sd-wan	scope:	eq	version:	18.3	Trust: 0.3
vendor:	cisco	model:	sd-wan	scope:	eq	version:	17.2.8	Trust: 0.3
vendor:	cisco	model:	sd-wan	scope:	ne	version:	18.4	Trust: 0.3

sources: BID: 108838 // JVNDB: JVNDB-2019-005719 // NVD: CVE-2019-1626

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-1626
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1626
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-1626
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201906-798
value:	HIGH
Trust: 0.6
VULHUB:	VHN-148388
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-1626
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-148388
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

ykramarz@cisco.com:	CVE-2019-1626
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2019-1626
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-148388 // JVNDB: JVNDB-2019-005719 // CNNVD: CNNVD-201906-798 // NVD: CVE-2019-1626 // NVD: CVE-2019-1626

PROBLEMTYPE DATA

problemtype:	CWE-264	Trust: 1.9
problemtype:	CWE-863	Trust: 1.1

sources: VULHUB: VHN-148388 // JVNDB: JVNDB-2019-005719 // NVD: CVE-2019-1626

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-798

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201906-798

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005719

PATCH

title:	cisco-sa-20190619-sdwan-privilescal	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-sdwan-privilescal	Trust: 0.8
title:	Cisco SD-WAN Solution Fixes for permissions and access control issues vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93948	Trust: 0.6

sources: JVNDB: JVNDB-2019-005719 // CNNVD: CNNVD-201906-798

EXTERNAL IDS

db:	NVD	id:	CVE-2019-1626	Trust: 2.8
db:	BID	id:	108838	Trust: 2.0
db:	JVNDB	id:	JVNDB-2019-005719	Trust: 0.8
db:	CNNVD	id:	CNNVD-201906-798	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.2191	Trust: 0.6
db:	VULHUB	id:	VHN-148388	Trust: 0.1

sources: VULHUB: VHN-148388 // BID: 108838 // JVNDB: JVNDB-2019-005719 // CNNVD: CNNVD-201906-798 // NVD: CVE-2019-1626

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190619-sdwan-privilescal	Trust: 2.0
url:	http://www.securityfocus.com/bid/108838	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-1626	Trust: 1.4
url:	http://www.cisco.com/	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1626	Trust: 0.8
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190619-sdwan-privesca	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190619-sdwan-cmdinj	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.2191/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-sd-wan-solution-privilege-escalation-via-vmanage-web-ui-29574	Trust: 0.6

sources: VULHUB: VHN-148388 // BID: 108838 // JVNDB: JVNDB-2019-005719 // CNNVD: CNNVD-201906-798 // NVD: CVE-2019-1626

CREDITS

Cisco

Trust: 0.9

sources: BID: 108838 // CNNVD: CNNVD-201906-798

SOURCES

db:	VULHUB	id:	VHN-148388
db:	BID	id:	108838
db:	JVNDB	id:	JVNDB-2019-005719
db:	CNNVD	id:	CNNVD-201906-798
db:	NVD	id:	CVE-2019-1626

LAST UPDATE DATE

2024-08-14T13:44:57.491000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-148388	date:	2020-10-06T00:00:00
db:	BID	id:	108838	date:	2019-06-19T00:00:00
db:	JVNDB	id:	JVNDB-2019-005719	date:	2019-06-27T00:00:00
db:	CNNVD	id:	CNNVD-201906-798	date:	2020-10-09T00:00:00
db:	NVD	id:	CVE-2019-1626	date:	2020-10-06T19:53:26.710

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-148388	date:	2019-06-20T00:00:00
db:	BID	id:	108838	date:	2019-06-19T00:00:00
db:	JVNDB	id:	JVNDB-2019-005719	date:	2019-06-27T00:00:00
db:	CNNVD	id:	CNNVD-201906-798	date:	2019-06-20T00:00:00
db:	NVD	id:	CVE-2019-1626	date:	2019-06-20T03:15:11.433