Details of VAR-201908-0389

ID

VAR-201908-0389

CVE

CVE-2019-1865

TITLE

Cisco Integrated Management Controller Software In OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-008444

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges on an affected device. The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by invoking an interface monitoring mechanism with a crafted argument on the affected software. A successful exploit could allow the attacker to inject and execute arbitrary, system-level commands with root privileges on an affected device. The software supports HTTP, SSH access, etc., and can perform operations such as starting, shutting down and restarting the server. The vulnerability stems from the fact that the program does not adequately authenticate command injection

Trust: 1.8

sources: NVD: CVE-2019-1865 // JVNDB: JVNDB-2019-008444 // VULHUB: VHN-151017 // VULMON: CVE-2019-1865

AFFECTED PRODUCTS

vendor:	cisco	model:	integrated management controller supervisor	scope:	gte	version:	3.0.0.0	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	lt	version:	4.0\(2c\)	Trust: 1.0
vendor:	cisco	model:	unified computing system	scope:	eq	version:	4.0\(1c\)hs3	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	gte	version:	1.5.0.0	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	lt	version:	1.5\(9g\)	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	lt	version:	4.0\(4b\)	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	lt	version:	2.0\(13o\)	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	gte	version:	4.0.0.0	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	lt	version:	3.0\(4k\)	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	gte	version:	2.0.0.0	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	lt	version:	4.0\(1d\)	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	unified computing system software	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2019-008444 // NVD: CVE-2019-1865

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-1865
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1865
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-1865
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201908-1683
value:	HIGH
Trust: 0.6
VULHUB:	VHN-151017
value:	HIGH
Trust: 0.1
VULMON:	CVE-2019-1865
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-1865
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-151017
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

ykramarz@cisco.com:	CVE-2019-1865
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2019-1865
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-151017 // VULMON: CVE-2019-1865 // JVNDB: JVNDB-2019-008444 // CNNVD: CNNVD-201908-1683 // NVD: CVE-2019-1865 // NVD: CVE-2019-1865

PROBLEMTYPE DATA

problemtype:

CWE-78

Trust: 1.9

sources: VULHUB: VHN-151017 // JVNDB: JVNDB-2019-008444 // NVD: CVE-2019-1865

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-1683

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201908-1683

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008444

PATCH

title:	cisco-sa-20190821-imc-cmdinj-1865	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinj-1865	Trust: 0.8
title:	Cisco Integrated Management Controller Fixes for operating system command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=97285	Trust: 0.6
title:	Cisco: Cisco Integrated Management Controller Command Injection Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20190821-imc-cmdinj-1865	Trust: 0.1

sources: VULMON: CVE-2019-1865 // JVNDB: JVNDB-2019-008444 // CNNVD: CNNVD-201908-1683

EXTERNAL IDS

db:	NVD	id:	CVE-2019-1865	Trust: 2.6
db:	JVNDB	id:	JVNDB-2019-008444	Trust: 0.8
db:	CNNVD	id:	CNNVD-201908-1683	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.3212	Trust: 0.6
db:	VULHUB	id:	VHN-151017	Trust: 0.1
db:	VULMON	id:	CVE-2019-1865	Trust: 0.1

sources: VULHUB: VHN-151017 // VULMON: CVE-2019-1865 // JVNDB: JVNDB-2019-008444 // CNNVD: CNNVD-201908-1683 // NVD: CVE-2019-1865

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinj-1865	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2019-1865	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1865	Trust: 0.8
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-bo	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-cimc-cli-inject	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinject-1896	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-ucs-cimc	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinject-1634	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinj-1864	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinj-1850	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-infodisc	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-privilege	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-privescal	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imcs-ucs-authby	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imcs-ucs-cmdinj	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-ucs-imc-dos	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imcs-usercred	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-dos	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.3212/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/78.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/165651	Trust: 0.1

sources: VULHUB: VHN-151017 // VULMON: CVE-2019-1865 // JVNDB: JVNDB-2019-008444 // CNNVD: CNNVD-201908-1683 // NVD: CVE-2019-1865

SOURCES

db:	VULHUB	id:	VHN-151017
db:	VULMON	id:	CVE-2019-1865
db:	JVNDB	id:	JVNDB-2019-008444
db:	CNNVD	id:	CNNVD-201908-1683
db:	NVD	id:	CVE-2019-1865

LAST UPDATE DATE

2024-08-14T13:26:01.336000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-151017	date:	2019-10-09T00:00:00
db:	VULMON	id:	CVE-2019-1865	date:	2019-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2019-008444	date:	2019-08-30T00:00:00
db:	CNNVD	id:	CNNVD-201908-1683	date:	2019-08-30T00:00:00
db:	NVD	id:	CVE-2019-1865	date:	2023-03-31T15:57:05.127

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-151017	date:	2019-08-21T00:00:00
db:	VULMON	id:	CVE-2019-1865	date:	2019-08-21T00:00:00
db:	JVNDB	id:	JVNDB-2019-008444	date:	2019-08-30T00:00:00
db:	CNNVD	id:	CNNVD-201908-1683	date:	2019-08-21T00:00:00
db:	NVD	id:	CVE-2019-1865	date:	2019-08-21T19:15:14.420