Details of VAR-201906-0571

ID

VAR-201906-0571

CVE

CVE-2019-1624

TITLE

Cisco SD-WAN Solution Command injection vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2019-005671 // CNNVD: CNNVD-201906-797

DESCRIPTION

A vulnerability in the vManage web-based UI (Web UI) in the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the vManage Web UI. A successful exploit could allow the attacker to execute commands with root privileges. Cisco SD-WAN Solution Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco SD-WAN Solution is prone to a remote command-injection vulnerability. This issue is being tracked by Cisco Bug IDs CSCvi46909, CSCvi59723, and CSCvi59724. CLI is one of those command line interfaces

Trust: 2.07

sources: NVD: CVE-2019-1624 // JVNDB: JVNDB-2019-005671 // BID: 108845 // VULHUB: VHN-148366 // VULMON: CVE-2019-1624

AFFECTED PRODUCTS

vendor:	cisco	model:	sd-wan	scope:	lt	version:	18.4.0	Trust: 1.0
vendor:	cisco	model:	sd-wan	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	sd-wan	scope:	eq	version:	18.3.5	Trust: 0.3
vendor:	cisco	model:	sd-wan	scope:	eq	version:	18.3.3	Trust: 0.3
vendor:	cisco	model:	sd-wan	scope:	eq	version:	18.3.1	Trust: 0.3
vendor:	cisco	model:	sd-wan	scope:	eq	version:	18.3	Trust: 0.3
vendor:	cisco	model:	sd-wan	scope:	eq	version:	18.3.6	Trust: 0.3
vendor:	cisco	model:	sd-wan	scope:	ne	version:	18.4	Trust: 0.3
vendor:	cisco	model:	sd-wan	scope:	eq	version:	18.3.3.1	Trust: 0.3
vendor:	cisco	model:	sd-wan	scope:	eq	version:	18.3.4	Trust: 0.3
vendor:	cisco	model:	sd-wan	scope:	eq	version:	17.2.8	Trust: 0.3

sources: BID: 108845 // JVNDB: JVNDB-2019-005671 // NVD: CVE-2019-1624

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-1624
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1624
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-1624
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201906-797
value:	HIGH
Trust: 0.6
VULHUB:	VHN-148366
value:	HIGH
Trust: 0.1
VULMON:	CVE-2019-1624
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-1624
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-148366
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-1624
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 2.8

sources: VULHUB: VHN-148366 // VULMON: CVE-2019-1624 // JVNDB: JVNDB-2019-005671 // CNNVD: CNNVD-201906-797 // NVD: CVE-2019-1624 // NVD: CVE-2019-1624

PROBLEMTYPE DATA

problemtype:

CWE-77

Trust: 1.9

sources: VULHUB: VHN-148366 // JVNDB: JVNDB-2019-005671 // NVD: CVE-2019-1624

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-797

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-201906-797

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005671

PATCH

title:	cisco-sa-20190619-sdwan-cmdinj	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-sdwan-cmdinj	Trust: 0.8
title:	Cisco SD-WAN Solution Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93947	Trust: 0.6
title:	Cisco: Cisco SD-WAN Solution Command Injection Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20190619-sdwan-cmdinj	Trust: 0.1

sources: VULMON: CVE-2019-1624 // JVNDB: JVNDB-2019-005671 // CNNVD: CNNVD-201906-797

EXTERNAL IDS

db:	NVD	id:	CVE-2019-1624	Trust: 2.9
db:	BID	id:	108845	Trust: 2.1
db:	JVNDB	id:	JVNDB-2019-005671	Trust: 0.8
db:	CNNVD	id:	CNNVD-201906-797	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.2191	Trust: 0.6
db:	VULHUB	id:	VHN-148366	Trust: 0.1
db:	VULMON	id:	CVE-2019-1624	Trust: 0.1

sources: VULHUB: VHN-148366 // VULMON: CVE-2019-1624 // BID: 108845 // JVNDB: JVNDB-2019-005671 // CNNVD: CNNVD-201906-797 // NVD: CVE-2019-1624

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190619-sdwan-cmdinj	Trust: 2.2
url:	http://www.securityfocus.com/bid/108845	Trust: 1.9
url:	https://nvd.nist.gov/vuln/detail/cve-2019-1624	Trust: 1.4
url:	http://www.cisco.com/	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1624	Trust: 0.8
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190619-sdwan-privilescal	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190619-sdwan-privesca	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.2191/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/cisco-sd-wan-solution-privilege-escalation-via-command-injection-29572	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/77.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-148366 // VULMON: CVE-2019-1624 // BID: 108845 // JVNDB: JVNDB-2019-005671 // CNNVD: CNNVD-201906-797 // NVD: CVE-2019-1624

CREDITS

Cisco

Trust: 0.9

sources: BID: 108845 // CNNVD: CNNVD-201906-797

SOURCES

db:	VULHUB	id:	VHN-148366
db:	VULMON	id:	CVE-2019-1624
db:	BID	id:	108845
db:	JVNDB	id:	JVNDB-2019-005671
db:	CNNVD	id:	CNNVD-201906-797
db:	NVD	id:	CVE-2019-1624

LAST UPDATE DATE

2024-08-14T13:44:57.426000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-148366	date:	2019-10-09T00:00:00
db:	VULMON	id:	CVE-2019-1624	date:	2019-10-09T00:00:00
db:	BID	id:	108845	date:	2019-06-19T00:00:00
db:	JVNDB	id:	JVNDB-2019-005671	date:	2019-06-25T00:00:00
db:	CNNVD	id:	CNNVD-201906-797	date:	2019-10-10T00:00:00
db:	NVD	id:	CVE-2019-1624	date:	2019-10-09T23:47:32.220

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-148366	date:	2019-06-20T00:00:00
db:	VULMON	id:	CVE-2019-1624	date:	2019-06-20T00:00:00
db:	BID	id:	108845	date:	2019-06-19T00:00:00
db:	JVNDB	id:	JVNDB-2019-005671	date:	2019-06-25T00:00:00
db:	CNNVD	id:	CNNVD-201906-797	date:	2019-06-20T00:00:00
db:	NVD	id:	CVE-2019-1624	date:	2019-06-20T03:15:11.307