Sign-up

ID

VAR-201909-0157


CVE

CVE-2019-12648


TITLE

Cisco IOS Vulnerability related to unauthorized authentication in software

Trust: 0.8

sources: JVNDB: JVNDB-2019-010052

DESCRIPTION

A vulnerability in the IOx application environment for Cisco IOS Software could allow an authenticated, remote attacker to gain unauthorized access to the Guest Operating System (Guest OS) running on an affected device. The vulnerability is due to incorrect role-based access control (RBAC) evaluation when a low-privileged user requests access to a Guest OS that should be restricted to administrative accounts. An attacker could exploit this vulnerability by authenticating to the Guest OS by using the low-privileged-user credentials. An exploit could allow the attacker to gain unauthorized access to the Guest OS as a root user. Cisco IOS The software is vulnerable to unauthorized authentication.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state

Trust: 1.71

sources: NVD: CVE-2019-12648 // JVNDB: JVNDB-2019-010052 // VULHUB: VHN-144415

AFFECTED PRODUCTS

vendor:ciscomodel:iosscope:eqversion:15.7\(3\)m3

Trust: 1.0

vendor:ciscomodel:iosscope: - version: -

Trust: 0.8

vendor:ciscomodel:cgr 1120scope:eqversion: -

Trust: 0.6

vendor:ciscomodel:829 industrial integrated services routersscope:eqversion: -

Trust: 0.6

vendor:ciscomodel:iosscope:eqversion:15.73m3

Trust: 0.6

vendor:ciscomodel:cgr1240scope:eqversion: -

Trust: 0.6

vendor:ciscomodel:807 industrial integrated services routersscope:eqversion: -

Trust: 0.6

vendor:ciscomodel:809 industrial integrated services routersscope:eqversion: -

Trust: 0.6

sources: JVNDB: JVNDB-2019-010052 // CNNVD: CNNVD-201909-1180 // NVD: CVE-2019-12648

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-12648
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-12648
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-12648
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201909-1180
value: HIGH

Trust: 0.6

VULHUB: VHN-144415
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-12648
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-144415
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-12648
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2019-12648
baseSeverity: CRITICAL
baseScore: 9.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.1
impactScore: 6.0
version: 3.0

Trust: 1.0

NVD: CVE-2019-12648
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-144415 // JVNDB: JVNDB-2019-010052 // CNNVD: CNNVD-201909-1180 // NVD: CVE-2019-12648 // NVD: CVE-2019-12648

PROBLEMTYPE DATA

problemtype:CWE-863

Trust: 1.9

problemtype:CWE-284

Trust: 1.0

sources: VULHUB: VHN-144415 // JVNDB: JVNDB-2019-010052 // NVD: CVE-2019-12648

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201909-1180

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201909-1180

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-010052

PATCH
title:cisco-sa-20190925-ios-gos-authurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-ios-gos-auth
Trust: 0.8
title:Cisco 800 Series Industrial Integrated Services Routers  and Cisco 1000 Series Connected Grid Routers IOS Software Fixes for access control error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98590
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-010052 // 
            
            
            
            CNNVD: CNNVD-201909-1180

EXTERNAL IDS
db:NVDid:CVE-2019-12648
Trust: 2.5
db:JVNDBid:JVNDB-2019-010052
Trust: 0.8
db:CNNVDid:CNNVD-201909-1180
Trust: 0.7
db:AUSCERTid:ESB-2019.3617
Trust: 0.6
db:VULHUBid:VHN-144415
Trust: 0.1
sources:
            
            
            VULHUB: VHN-144415 // 
            
            
            
            JVNDB: JVNDB-2019-010052 // 
            
            
            
            CNNVD: CNNVD-201909-1180 // 
            
            
            
            NVD: CVE-2019-12648

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-ios-gos-auth
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2019-12648
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12648
Trust: 0.8
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-iox
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2019.3617/
Trust: 0.6
url:https://vigilance.fr/vulnerability/cisco-ios-privilege-escalation-via-iox-guest-os-30427
Trust: 0.6
sources:
            
            
            VULHUB: VHN-144415 // 
            
            
            
            JVNDB: JVNDB-2019-010052 // 
            
            
            
            CNNVD: CNNVD-201909-1180 // 
            
            
            
            NVD: CVE-2019-12648

SOURCES
db:VULHUBid:VHN-144415
db:JVNDBid:JVNDB-2019-010052
db:CNNVDid:CNNVD-201909-1180
db:NVDid:CVE-2019-12648

LAST UPDATE DATE
2024-11-23T22:44:54.273000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-144415date:2019-10-09T00:00:00
db:JVNDBid:JVNDB-2019-010052date:2019-10-03T00:00:00
db:CNNVDid:CNNVD-201909-1180date:2019-10-17T00:00:00
db:NVDid:CVE-2019-12648date:2024-11-21T04:23:15.463

SOURCES RELEASE DATE
db:VULHUBid:VHN-144415date:2019-09-25T00:00:00
db:JVNDBid:JVNDB-2019-010052date:2019-10-03T00:00:00
db:CNNVDid:CNNVD-201909-1180date:2019-09-25T00:00:00
db:NVDid:CVE-2019-12648date:2019-09-25T20:15:10.477