Sign-up

ID

VAR-201909-0184


CVE

CVE-2019-12670


TITLE

Cisco IOS XE Vulnerability in improper assignment of permissions to critical resources in software

Trust: 0.8

sources: JVNDB: JVNDB-2019-010043

DESCRIPTION

A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker within the IOx Guest Shell to modify the namespace container protections on an affected device. The vulnerability is due to insufficient file permissions. An attacker could exploit this vulnerability by modifying files that they should not have access to. A successful exploit could allow the attacker to remove container protections and perform file actions outside the namespace of the container. Cisco IOS XE The software contains a vulnerability related to improper assignment of permissions to critical resources.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco IOS XE is an operating system developed by Cisco for its network equipment

Trust: 1.71

sources: NVD: CVE-2019-12670 // JVNDB: JVNDB-2019-010043 // VULHUB: VHN-144440

AFFECTED PRODUCTS

vendor:ciscomodel:iosscope:eqversion:16.10.1

Trust: 1.0

vendor:ciscomodel:iosscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-010043 // NVD: CVE-2019-12670

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-12670
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-12670
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-12670
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201909-1134
value: MEDIUM

Trust: 0.6

VULHUB: VHN-144440
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-12670
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-144440
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-12670
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-12670
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-144440 // JVNDB: JVNDB-2019-010043 // CNNVD: CNNVD-201909-1134 // NVD: CVE-2019-12670 // NVD: CVE-2019-12670

PROBLEMTYPE DATA

problemtype:CWE-276

Trust: 1.1

problemtype:CWE-284

Trust: 1.0

problemtype:CWE-732

Trust: 0.9

sources: VULHUB: VHN-144440 // JVNDB: JVNDB-2019-010043 // NVD: CVE-2019-12670

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201909-1134

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201909-1134

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-010043

PATCH
title:cisco-sa-20190925-iox-gsurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-iox-gs
Trust: 0.8
title:Cisco IOS XE Fixes for access control error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98552
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2019-010043 // 
            
            
            
            CNNVD: CNNVD-201909-1134

EXTERNAL IDS
db:NVDid:CVE-2019-12670
Trust: 2.5
db:JVNDBid:JVNDB-2019-010043
Trust: 0.8
db:CNNVDid:CNNVD-201909-1134
Trust: 0.7
db:AUSCERTid:ESB-2019.3615.2
Trust: 0.6
db:AUSCERTid:ESB-2019.3615
Trust: 0.6
db:VULHUBid:VHN-144440
Trust: 0.1
sources:
            
            
            VULHUB: VHN-144440 // 
            
            
            
            JVNDB: JVNDB-2019-010043 // 
            
            
            
            CNNVD: CNNVD-201909-1134 // 
            
            
            
            NVD: CVE-2019-12670

REFERENCES
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-iox-gs
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2019-12670
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12670
Trust: 0.8
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-webui-cmd-injection
Trust: 0.6
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-vman-cmd-injection
Trust: 0.6
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-utd
Trust: 0.6
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-ctspac-dos
Trust: 0.6
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-xss
Trust: 0.6
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-rawtcp-dos
Trust: 0.6
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-dt
Trust: 0.6
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-sip-alg
Trust: 0.6
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-isdn-data-leak
Trust: 0.6
url:httpserv-dos
Trust: 0.6
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-iosxe-fsdos
Trust: 0.6
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-ftp
Trust: 0.6
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-iosxe-digsig-bypass
Trust: 0.6
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-iosxe-ctbypass
Trust: 0.6
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-iosxe-codeexec
Trust: 0.6
url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-awr
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2019.3615.2/
Trust: 0.6
url:https://www.auscert.org.au/bulletins/esb-2019.3615/
Trust: 0.6
url:https://vigilance.fr/vulnerability/cisco-ios-xe-privilege-escalation-via-iox-guest-shell-namespace-30433
Trust: 0.6
sources:
            
            
            VULHUB: VHN-144440 // 
            
            
            
            JVNDB: JVNDB-2019-010043 // 
            
            
            
            CNNVD: CNNVD-201909-1134 // 
            
            
            
            NVD: CVE-2019-12670

SOURCES
db:VULHUBid:VHN-144440
db:JVNDBid:JVNDB-2019-010043
db:CNNVDid:CNNVD-201909-1134
db:NVDid:CVE-2019-12670

LAST UPDATE DATE
2024-08-14T13:25:56.891000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-144440date:2020-10-08T00:00:00
db:JVNDBid:JVNDB-2019-010043date:2019-10-03T00:00:00
db:CNNVDid:CNNVD-201909-1134date:2020-10-09T00:00:00
db:NVDid:CVE-2019-12670date:2020-10-08T14:04:48.943

SOURCES RELEASE DATE
db:VULHUBid:VHN-144440date:2019-09-25T00:00:00
db:JVNDBid:JVNDB-2019-010043date:2019-10-03T00:00:00
db:CNNVDid:CNNVD-201909-1134date:2019-09-25T00:00:00
db:NVDid:CVE-2019-12670date:2019-09-25T21:15:11.687