Details of VAR-201908-0390

ID

VAR-201908-0390

CVE

CVE-2019-1883

TITLE

Cisco Integrated Management Controller In OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-008614

DESCRIPTION

A vulnerability in the command-line interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker with read-only credentials to inject arbitrary commands that could allow them to obtain root privileges. The vulnerability is due to insufficient validation of user-supplied input on the command-line interface. An attacker could exploit this vulnerability by authenticating with read-only privileges via the CLI of an affected device and submitting crafted input to the affected commands. A successful exploit could allow an attacker to execute arbitrary commands on the device with root privileges. Cisco Integrated Management Controller (IMC) is a set of software used by Cisco to manage UCS (Unified Computing System). The software supports HTTP, SSH access, etc., and can perform operations such as starting, shutting down and restarting the server. The following products and versions are affected: Cisco UCS C-Series and S-Series Servers (in single mode) (Cisco IMC Software releases prior to 3.0 and releases prior to 4.0); UCS E-Series Servers (Cisco IMC Software releases prior to 3.2(8) ); 5000 Series Enterprise Network Compute System (ENCS) Platforms (Cisco IMC Software prior to 3.2(8))

Trust: 1.71

sources: NVD: CVE-2019-1883 // JVNDB: JVNDB-2019-008614 // VULHUB: VHN-151215

AFFECTED PRODUCTS

vendor:	cisco	model:	integrated management controller supervisor	scope:	gte	version:	3.0.0.0	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	gte	version:	4.0.0.0	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	lt	version:	3.0\(4k\)	Trust: 1.0
vendor:	cisco	model:	unified computing system	scope:	eq	version:	4.0\(1c\)hs3	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	lt	version:	4.0\(2f\)	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	lt	version:	4.0\(4b\)	Trust: 1.0
vendor:	cisco	model:	integrated management controller supervisor	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	unified computing system software	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2019-008614 // NVD: CVE-2019-1883

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-1883
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1883
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-1883
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201908-1669
value:	HIGH
Trust: 0.6
VULHUB:	VHN-151215
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-1883
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-151215
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-1883
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-1883
baseSeverity:	HIGH
baseScore:	7.0
vectorString:	CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.0
impactScore:	5.9
version:	3.0
Trust: 1.0
NVD:	CVE-2019-1883
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-151215 // JVNDB: JVNDB-2019-008614 // CNNVD: CNNVD-201908-1669 // NVD: CVE-2019-1883 // NVD: CVE-2019-1883

PROBLEMTYPE DATA

problemtype:

CWE-78

Trust: 1.9

sources: VULHUB: VHN-151215 // JVNDB: JVNDB-2019-008614 // NVD: CVE-2019-1883

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201908-1669

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201908-1669

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008614

PATCH

title:	cisco-sa-20190821-cimc-cli-inject	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-cimc-cli-inject	Trust: 0.8
title:	Cisco Integrated Management Controller Fixes for operating system command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=97274	Trust: 0.6

sources: JVNDB: JVNDB-2019-008614 // CNNVD: CNNVD-201908-1669

EXTERNAL IDS

db:	NVD	id:	CVE-2019-1883	Trust: 2.5
db:	JVNDB	id:	JVNDB-2019-008614	Trust: 0.8
db:	CNNVD	id:	CNNVD-201908-1669	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.3212	Trust: 0.6
db:	VULHUB	id:	VHN-151215	Trust: 0.1

sources: VULHUB: VHN-151215 // JVNDB: JVNDB-2019-008614 // CNNVD: CNNVD-201908-1669 // NVD: CVE-2019-1883

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-cimc-cli-inject	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-1883	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1883	Trust: 0.8
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-bo	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinject-1896	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-ucs-cimc	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinject-1634	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinj-1865	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinj-1864	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-cmdinj-1850	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-infodisc	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-privilege	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-privescal	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imcs-ucs-authby	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imcs-ucs-cmdinj	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-ucs-imc-dos	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imcs-usercred	Trust: 0.6
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190821-imc-dos	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.3212/	Trust: 0.6

sources: VULHUB: VHN-151215 // JVNDB: JVNDB-2019-008614 // CNNVD: CNNVD-201908-1669 // NVD: CVE-2019-1883

SOURCES

db:	VULHUB	id:	VHN-151215
db:	JVNDB	id:	JVNDB-2019-008614
db:	CNNVD	id:	CNNVD-201908-1669
db:	NVD	id:	CVE-2019-1883

LAST UPDATE DATE

2024-08-14T13:26:01.203000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-151215	date:	2019-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2019-008614	date:	2019-09-04T00:00:00
db:	CNNVD	id:	CNNVD-201908-1669	date:	2019-09-02T00:00:00
db:	NVD	id:	CVE-2019-1883	date:	2023-03-31T15:57:12.207

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-151215	date:	2019-08-21T00:00:00
db:	JVNDB	id:	JVNDB-2019-008614	date:	2019-09-04T00:00:00
db:	CNNVD	id:	CNNVD-201908-1669	date:	2019-08-21T00:00:00
db:	NVD	id:	CVE-2019-1883	date:	2019-08-21T19:15:14.637