ID

VAR-201907-0616


CVE

CVE-2019-1855


TITLE

Cisco Jabber Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2019-006268

DESCRIPTION

A vulnerability in the loading mechanism of specific dynamic link libraries in Cisco Jabber for Windows could allow an authenticated, local attacker to perform a DLL preloading attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system. The vulnerability is due to insufficient validation of the resources loaded by the application at run time. An attacker could exploit this vulnerability by crafting a malicious DLL file and placing it in a specific location on the targeted system. The malicious DLL file would execute when the Jabber application launches. A successful exploit could allow the attacker to execute arbitrary code on the target machine with the privileges of another user's account. Cisco Jabber Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco Jabber for Windows is prone to an local arbitrary code-execution vulnerability. Failed exploit attempts will result in a denial of service condition. This issue is being tracked by Cisco Bug IDs CSCvo55994 and CSCvo63008. Versions prior to Cisco Jabber for Windows 12.6(0) are vulnerable. The program provides online status display, instant messaging, voice and other functions

Trust: 1.98

sources: NVD: CVE-2019-1855 // JVNDB: JVNDB-2019-006268 // BID: 109038 // VULHUB: VHN-150907

AFFECTED PRODUCTS

vendor:ciscomodel:jabberscope:ltversion:12.6\(2\)

Trust: 1.0

vendor:ciscomodel:jabberscope:eqversion:(windows)

Trust: 0.8

vendor:ciscomodel:jabber for windowsscope:eqversion:11.8

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.2.1

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.2

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.1.5

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.1.4

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.1.3

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.1.2

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.1.1

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.1

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.0.5

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.0.4

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.0.3

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.0.2

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.0.1

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.7(5)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.7(4)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.7(3)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.7(2)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.7(1)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.7(0)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.6(3)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.6(2)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.6(1)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:9.6(0)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:11.9(2.57651)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:11.9(1)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:11.9(0.54450)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:11.9(0)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:11.8(4.52954)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:11.8(4)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:11.8(3)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:11.8(2)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:11.8(1)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:11.8(0)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:11.5(1)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:11.5

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:11.1

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:11.0

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:10.6

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:eqversion:10.5(2)

Trust: 0.3

vendor:ciscomodel:jabber for windowsscope:neversion:12.6(0)

Trust: 0.3

sources: BID: 109038 // JVNDB: JVNDB-2019-006268 // NVD: CVE-2019-1855

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1855
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1855
value: HIGH

Trust: 1.0

NVD: CVE-2019-1855
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201907-231
value: HIGH

Trust: 0.6

VULHUB: VHN-150907
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-1855
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-150907
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-1855
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.3
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1855
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.3
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: CVE-2019-1855
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-150907 // JVNDB: JVNDB-2019-006268 // CNNVD: CNNVD-201907-231 // NVD: CVE-2019-1855 // NVD: CVE-2019-1855

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

problemtype:CWE-427

Trust: 1.1

sources: VULHUB: VHN-150907 // JVNDB: JVNDB-2019-006268 // NVD: CVE-2019-1855

THREAT TYPE

local

Trust: 0.9

sources: BID: 109038 // CNNVD: CNNVD-201907-231

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201907-231

CONFIGURATIONS

[
  {
    "CVE_data_version": "4.0",
    "nodes": [
      {
        "operator": "OR",
        "cpe_match": [
          {
            "vulnerable": true,
            "cpe22Uri": "cpe:/a:cisco:jabber"
          }
        ]
      }
    ]
  }
]

sources: JVNDB: JVNDB-2019-006268

PATCH

title:cisco-sa-20190703-jabber-dllurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-jabber-dll

Trust: 0.8

title:Cisco Jabber for Windows Fixes for permissions and access control issues vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=94420

Trust: 0.6

sources: JVNDB: JVNDB-2019-006268 // CNNVD: CNNVD-201907-231

EXTERNAL IDS

db:NVDid:CVE-2019-1855

Trust: 2.8

db:BIDid:109038

Trust: 2.0

db:JVNDBid:JVNDB-2019-006268

Trust: 0.8

db:CNNVDid:CNNVD-201907-231

Trust: 0.7

db:AUSCERTid:ESB-2019.2448

Trust: 0.6

db:AUSCERTid:ESB-2019.2448.2

Trust: 0.6

db:VULHUBid:VHN-150907

Trust: 0.1

sources: VULHUB: VHN-150907 // BID: 109038 // JVNDB: JVNDB-2019-006268 // CNNVD: CNNVD-201907-231 // NVD: CVE-2019-1855

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190703-jabber-dll

Trust: 2.0

url:http://www.securityfocus.com/bid/109038

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-1855

Trust: 1.4

url:http://www.cisco.com/

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1855

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2019.2448/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.2448.2/

Trust: 0.6

sources: VULHUB: VHN-150907 // BID: 109038 // JVNDB: JVNDB-2019-006268 // CNNVD: CNNVD-201907-231 // NVD: CVE-2019-1855

CREDITS

security researcher "wjcsharp" .,security researcher "wjcsharp" ,wjcsharp.

Trust: 0.6

sources: CNNVD: CNNVD-201907-231

SOURCES

db:VULHUBid:VHN-150907
db:BIDid:109038
db:JVNDBid:JVNDB-2019-006268
db:CNNVDid:CNNVD-201907-231
db:NVDid:CVE-2019-1855

LAST UPDATE DATE

2024-11-23T21:37:06.095000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-150907date:2021-01-04T00:00:00
db:BIDid:109038date:2019-07-03T00:00:00
db:JVNDBid:JVNDB-2019-006268date:2019-07-17T00:00:00
db:CNNVDid:CNNVD-201907-231date:2021-01-05T00:00:00
db:NVDid:CVE-2019-1855date:2024-11-21T04:37:32.313

SOURCES RELEASE DATE

db:VULHUBid:VHN-150907date:2019-07-04T00:00:00
db:BIDid:109038date:2019-07-03T00:00:00
db:JVNDBid:JVNDB-2019-006268date:2019-07-17T00:00:00
db:CNNVDid:CNNVD-201907-231date:2019-07-03T00:00:00
db:NVDid:CVE-2019-1855date:2019-07-04T20:15:10.873