ID

VAR-201908-0848


CVE

CVE-2019-1966


TITLE

Cisco UCS Fabric Interconnect Vulnerability related to authorization, authority, and access control in software

Trust: 0.8

sources: JVNDB: JVNDB-2019-008867

DESCRIPTION

A vulnerability in a specific CLI command within the local management (local-mgmt) context for Cisco UCS Fabric Interconnect Software could allow an authenticated, local attacker to gain elevated privileges as the root user on an affected device. The vulnerability is due to extraneous subcommand options present for a specific CLI command within the local-mgmt context. An attacker could exploit this vulnerability by authenticating to an affected device, entering the local-mgmt context, and issuing a specific CLI command and submitting user input. A successful exploit could allow the attacker to execute arbitrary operating system commands as root on an affected device. The attacker would need to have valid user credentials for the device. Cisco UCS Fabric Interconnect The software contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco UCS 6200 Series Fabric Interconnects, etc. are all products of Cisco (Cisco). Cisco UCS 6200 Series Fabric Interconnects is a 6200 series switching fabric device. UCS 6300 Series Fabric Interconnects is a 6300 series switching fabric device. UCS 6400 Series Fabric Interconnects is a 6400 series switching fabric device

Trust: 1.71

sources: NVD: CVE-2019-1966 // JVNDB: JVNDB-2019-008867 // VULHUB: VHN-152128

AFFECTED PRODUCTS

vendor:ciscomodel:unified computing systemscope:eqversion:4.0\(1a\)a

Trust: 1.0

vendor:ciscomodel:nx-osscope:eqversion:4.0

Trust: 1.0

vendor:ciscomodel:nx-osscope:lteversion:3.2

Trust: 1.0

vendor:ciscomodel:unified computing systemscope:eqversion:3.2\(3b\)a

Trust: 1.0

vendor:ciscomodel:nx-osscope: - version: -

Trust: 0.8

vendor:ciscomodel:unified computing system softwarescope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-008867 // NVD: CVE-2019-1966

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1966
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1966
value: HIGH

Trust: 1.0

NVD: CVE-2019-1966
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201908-2156
value: HIGH

Trust: 0.6

VULHUB: VHN-152128
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-1966
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-152128
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-1966
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1966
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-152128 // JVNDB: JVNDB-2019-008867 // CNNVD: CNNVD-201908-2156 // NVD: CVE-2019-1966 // NVD: CVE-2019-1966

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: VULHUB: VHN-152128 // JVNDB: JVNDB-2019-008867 // NVD: CVE-2019-1966

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201908-2156

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201908-2156

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008867

PATCH

title:cisco-sa-20190828-ucs-privescalationurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-ucs-privescalation

Trust: 0.8

title:Cisco UCS 6200 Series Fabric Interconnects , UCS 6300 Series Fabric Interconnects and UCS 6400 Series Fabric Interconnects Fixes for permissions and access control issues vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=97640

Trust: 0.6

sources: JVNDB: JVNDB-2019-008867 // CNNVD: CNNVD-201908-2156

EXTERNAL IDS

db:NVDid:CVE-2019-1966

Trust: 2.5

db:JVNDBid:JVNDB-2019-008867

Trust: 0.8

db:CNNVDid:CNNVD-201908-2156

Trust: 0.7

db:AUSCERTid:ESB-2019.3279

Trust: 0.6

db:VULHUBid:VHN-152128

Trust: 0.1

sources: VULHUB: VHN-152128 // JVNDB: JVNDB-2019-008867 // CNNVD: CNNVD-201908-2156 // NVD: CVE-2019-1966

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190828-ucs-privescalation

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-1966

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1966

Trust: 0.8

url:https://vigilance.fr/vulnerability/cisco-unified-computing-system-fabric-interconnect-privilege-escalation-via-cli-command-30193

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.3279/

Trust: 0.6

sources: VULHUB: VHN-152128 // JVNDB: JVNDB-2019-008867 // CNNVD: CNNVD-201908-2156 // NVD: CVE-2019-1966

SOURCES

db:VULHUBid:VHN-152128
db:JVNDBid:JVNDB-2019-008867
db:CNNVDid:CNNVD-201908-2156
db:NVDid:CVE-2019-1966

LAST UPDATE DATE

2024-08-14T14:38:51.226000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-152128date:2020-10-16T00:00:00
db:JVNDBid:JVNDB-2019-008867date:2019-09-06T00:00:00
db:CNNVDid:CNNVD-201908-2156date:2020-10-21T00:00:00
db:NVDid:CVE-2019-1966date:2020-10-16T14:05:14.610

SOURCES RELEASE DATE

db:VULHUBid:VHN-152128date:2019-08-30T00:00:00
db:JVNDBid:JVNDB-2019-008867date:2019-09-06T00:00:00
db:CNNVDid:CNNVD-201908-2156date:2019-08-28T00:00:00
db:NVDid:CVE-2019-1966date:2019-08-30T09:15:20.193