ID

VAR-201908-0388


CVE

CVE-2019-1864


TITLE

OS command injection vulnerability in Cisco Integrated Management Controller Software

Trust: 0.8

sources: JVNDB: JVNDB-2019-008449

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges on an affected device. The vulnerability is due to insufficient validation of command input by the affected software. An attacker could exploit this vulnerability by sending malicious commands to the web-based management interface of the affected software. A successful exploit could allow the attacker, with read-only privileges, to inject and execute arbitrary, system-level commands with root privileges on an affected device. The software supports HTTP, SSH access, etc., and can perform operations such as starting, shutting down and restarting the server. The following products and versions are affected: Cisco UCS C-Series and S-Series Servers (in single mode); UCS E-Series Servers; 5000 Series Enterprise Network Compute System (ENCS) Platforms.

Trust: 1.71

sources: NVD: CVE-2019-1864 // JVNDB: JVNDB-2019-008449 // VULHUB: VHN-151006

AFFECTED PRODUCTS

vendor: cisco, model: integrated management controller supervisor, scope: gte, version: 3.0.0.0

Trust: 1.0

vendor: cisco, model: integrated management controller supervisor, scope: lt, version: 4.0\(2c\)

Trust: 1.0

vendor: cisco, model: unified computing system, scope: eq, version: 4.0\(1c\)hs3

Trust: 1.0

vendor: cisco, model: integrated management controller supervisor, scope: gte, version: 1.5.0.0

Trust: 1.0

vendor: cisco, model: integrated management controller supervisor, scope: lt, version: 1.5\(9g\)

Trust: 1.0

vendor: cisco, model: integrated management controller supervisor, scope: lt, version: 4.0\(4b\)

Trust: 1.0

vendor: cisco, model: integrated management controller supervisor, scope: lt, version: 2.0\(13o\)

Trust: 1.0

vendor: cisco, model: integrated management controller supervisor, scope: gte, version: 4.0.0.0

Trust: 1.0

vendor: cisco, model: integrated management controller supervisor, scope: lt, version: 3.0\(4k\)

Trust: 1.0

vendor: cisco, model: integrated management controller supervisor, scope: gte, version: 2.0.0.0

Trust: 1.0

vendor: cisco, model: integrated management controller supervisor, scope: lt, version: 4.0\(1d\)

Trust: 1.0

vendor: cisco, model: integrated management controller supervisor, scope: -, version: -

Trust: 0.8

vendor: cisco, model: unified computing system software, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-008449 // NVD: CVE-2019-1864

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1864
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1864
value: HIGH

Trust: 1.0

NVD: CVE-2019-1864
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201908-1682
value: HIGH

Trust: 0.6

VULHUB: VHN-151006
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-1864
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-151006
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-1864
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1864
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-151006 // JVNDB: JVNDB-2019-008449 // CNNVD: CNNVD-201908-1682 // NVD: CVE-2019-1864 // NVD: CVE-2019-1864

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.9

sources: VULHUB: VHN-151006 // JVNDB: JVNDB-2019-008449 // NVD: CVE-2019-1864

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-1682

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-201908-1682

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008449

PATCH

title: cisco-sa-20190821-imc-cmdinj-1864, url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinj-1864

Trust: 0.8

title: Cisco Integrated Management Controller Fixes for operating system command injection vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=97284

Trust: 0.6

sources: JVNDB: JVNDB-2019-008449 // CNNVD: CNNVD-201908-1682

EXTERNAL IDS

db: NVD, id: CVE-2019-1864

Trust: 2.5

db: JVNDB, id: JVNDB-2019-008449

Trust: 0.8

db: CNNVD, id: CNNVD-201908-1682

Trust: 0.7

db: AUSCERT, id: ESB-2019.3212

Trust: 0.6

db: VULHUB, id: VHN-151006

Trust: 0.1

sources: VULHUB: VHN-151006 // JVNDB: JVNDB-2019-008449 // CNNVD: CNNVD-201908-1682 // NVD: CVE-2019-1864

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinj-1864

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-1864

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1864

Trust: 0.8

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-bo

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-cimc-cli-inject

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinject-1896

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-ucs-cimc

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinject-1634

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinj-1865

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinj-1850

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-infodisc

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-privilege

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-privescal

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imcs-ucs-authby

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imcs-ucs-cmdinj

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-ucs-imc-dos

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imcs-usercred

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-dos

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.3212/

Trust: 0.6

sources: VULHUB: VHN-151006 // JVNDB: JVNDB-2019-008449 // CNNVD: CNNVD-201908-1682 // NVD: CVE-2019-1864

SOURCES

db: VULHUB, id: VHN-151006
db: JVNDB, id: JVNDB-2019-008449
db: CNNVD, id: CNNVD-201908-1682
db: NVD, id: CVE-2019-1864

LAST UPDATE DATE

2024-08-14T13:26:01.229000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-151006, date: 2019-10-09T00:00:00
db: JVNDB, id: JVNDB-2019-008449, date: 2019-08-30T00:00:00
db: CNNVD, id: CNNVD-201908-1682, date: 2019-09-02T00:00:00
db: NVD, id: CVE-2019-1864, date: 2023-03-31T15:56:58.467

SOURCES RELEASE DATE

db: VULHUB, id: VHN-151006, date: 2019-08-21T00:00:00
db: JVNDB, id: JVNDB-2019-008449, date: 2019-08-30T00:00:00
db: CNNVD, id: CNNVD-201908-1682, date: 2019-08-21T00:00:00
db: NVD, id: CVE-2019-1864, date: 2019-08-21T19:15:14.357