ID

VAR-201908-0392


CVE

CVE-2019-1895


TITLE

Cisco Enterprise NFV Infrastructure Software Vulnerabilities related to lack of authentication for critical functions

Trust: 0.8

sources: JVNDB: JVNDB-2019-007660

DESCRIPTION

A vulnerability in the Virtual Network Computing (VNC) console implementation of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to access the VNC console session of an administrative user on an affected device. The vulnerability is due to an insufficient authentication mechanism used to establish a VNC session. An attacker could exploit this vulnerability by intercepting an administrator VNC session request prior to login. A successful exploit could allow the attacker to watch the administrator console session or interact with it, allowing admin access to the affected device. Cisco Enterprise NFV Infrastructure Software (NFVIS) is vulnerable to a lack of authentication for critical functions. Information may be obtained or altered, and service operation may be disrupted (DoS). Cisco Enterprise NFV Infrastructure Software (NFVIS) is an NFV infrastructure software platform from Cisco. The platform can provide full lifecycle management of virtualized services through a central coordinator and controller.

Trust: 1.8

sources: NVD: CVE-2019-1895 // JVNDB: JVNDB-2019-007660 // VULHUB: VHN-151347 // VULMON: CVE-2019-1895

AFFECTED PRODUCTS

vendor: cisco
model: enterprise network function virtualization infrastructure
scope: lt
version: 3.12.1

Trust: 1.0

vendor: cisco
model: enterprise nfv infrastructure software
scope: -
version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-007660 // NVD: CVE-2019-1895

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1895
value: CRITICAL

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1895
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-1895
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201908-491
value: CRITICAL

Trust: 0.6

VULHUB: VHN-151347
value: HIGH

Trust: 0.1

VULMON: CVE-2019-1895
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-1895
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-151347
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-1895
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1895
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-151347 // VULMON: CVE-2019-1895 // JVNDB: JVNDB-2019-007660 // CNNVD: CNNVD-201908-491 // NVD: CVE-2019-1895 // NVD: CVE-2019-1895

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.9

sources: VULHUB: VHN-151347 // JVNDB: JVNDB-2019-007660 // NVD: CVE-2019-1895

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-491

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201908-491

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-007660

PATCH

title: cisco-sa-20190807-nfvis-vnc-authbypass
url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfvis-vnc-authbypass

Trust: 0.8

title: Cisco Enterprise NFV Infrastructure Software Fixes for access control error vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=96213

Trust: 0.6

title: Cisco: Cisco Enterprise NFV Infrastructure Software VNC Authentication Bypass Vulnerability
url: https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20190807-nfvis-vnc-authbypass

Trust: 0.1

sources: VULMON: CVE-2019-1895 // JVNDB: JVNDB-2019-007660 // CNNVD: CNNVD-201908-491

EXTERNAL IDS

db: NVD, id: CVE-2019-1895

Trust: 2.6

db: JVNDB, id: JVNDB-2019-007660

Trust: 0.8

db: CNNVD, id: CNNVD-201908-491

Trust: 0.7

db: AUSCERT, id: ESB-2019.2983

Trust: 0.6

db: VULHUB, id: VHN-151347

Trust: 0.1

db: VULMON, id: CVE-2019-1895

Trust: 0.1

sources: VULHUB: VHN-151347 // VULMON: CVE-2019-1895 // JVNDB: JVNDB-2019-007660 // CNNVD: CNNVD-201908-491 // NVD: CVE-2019-1895

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190807-nfvis-vnc-authbypass

Trust: 1.9

url:https://nvd.nist.gov/vuln/detail/cve-2019-1895

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1895

Trust: 0.8

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190807-nfv-commandinj

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190807-nfv-read

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190807-nfvis-authbypass

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190807-nfv-privescal

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190807-nfv-cli-path

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190807-nfv-pwrecov

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190807-nfv-fileread

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190807-nfv-xss

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.2983/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/306.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-151347 // VULMON: CVE-2019-1895 // JVNDB: JVNDB-2019-007660 // CNNVD: CNNVD-201908-491 // NVD: CVE-2019-1895

SOURCES

db: VULHUB, id: VHN-151347
db: VULMON, id: CVE-2019-1895
db: JVNDB, id: JVNDB-2019-007660
db: CNNVD, id: CNNVD-201908-491
db: NVD, id: CVE-2019-1895

LAST UPDATE DATE

2024-08-14T12:51:17.882000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-151347, date: 2023-03-03T00:00:00
db: VULMON, id: CVE-2019-1895, date: 2019-10-09T00:00:00
db: JVNDB, id: JVNDB-2019-007660, date: 2019-08-16T00:00:00
db: CNNVD, id: CNNVD-201908-491, date: 2019-08-19T00:00:00
db: NVD, id: CVE-2019-1895, date: 2023-03-03T16:34:16.673

SOURCES RELEASE DATE

db: VULHUB, id: VHN-151347, date: 2019-08-07T00:00:00
db: VULMON, id: CVE-2019-1895, date: 2019-08-07T00:00:00
db: JVNDB, id: JVNDB-2019-007660, date: 2019-08-16T00:00:00
db: CNNVD, id: CNNVD-201908-491, date: 2019-08-07T00:00:00
db: NVD, id: CVE-2019-1895, date: 2019-08-07T21:15:11.283