ID

VAR-201909-0184


CVE

CVE-2019-12670


TITLE

Cisco IOS XE Vulnerability in improper assignment of permissions to critical resources in software

Trust: 0.8

sources: JVNDB: JVNDB-2019-010043

DESCRIPTION

A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker within the IOx Guest Shell to modify the namespace container protections on an affected device. The vulnerability is due to insufficient file permissions. An attacker could exploit this vulnerability by modifying files that they should not have access to. A successful exploit could allow the attacker to remove container protections and perform file actions outside the namespace of the container. Cisco IOS XE The software contains a vulnerability related to improper assignment of permissions to critical resources.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Cisco IOS XE is an operating system developed by Cisco for its network equipment

Trust: 1.71

sources: NVD: CVE-2019-12670 // JVNDB: JVNDB-2019-010043 // VULHUB: VHN-144440

AFFECTED PRODUCTS

vendor:ciscomodel:iosscope:eqversion:16.10.1

Trust: 1.0

vendor:ciscomodel:iosscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-010043 // NVD: CVE-2019-12670

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-12670
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2019-12670
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-12670
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201909-1134
value: MEDIUM

Trust: 0.6

VULHUB: VHN-144440
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-12670
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-144440
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-12670
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-12670
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-144440 // JVNDB: JVNDB-2019-010043 // CNNVD: CNNVD-201909-1134 // NVD: CVE-2019-12670 // NVD: CVE-2019-12670

PROBLEMTYPE DATA

problemtype:CWE-276

Trust: 1.1

problemtype:CWE-284

Trust: 1.0

problemtype:CWE-732

Trust: 0.9

sources: VULHUB: VHN-144440 // JVNDB: JVNDB-2019-010043 // NVD: CVE-2019-12670

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201909-1134

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201909-1134

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-010043

PATCH

title:cisco-sa-20190925-iox-gsurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-iox-gs

Trust: 0.8

title:Cisco IOS XE Fixes for access control error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98552

Trust: 0.6

sources: JVNDB: JVNDB-2019-010043 // CNNVD: CNNVD-201909-1134

EXTERNAL IDS

db:NVDid:CVE-2019-12670

Trust: 2.5

db:JVNDBid:JVNDB-2019-010043

Trust: 0.8

db:CNNVDid:CNNVD-201909-1134

Trust: 0.7

db:AUSCERTid:ESB-2019.3615.2

Trust: 0.6

db:AUSCERTid:ESB-2019.3615

Trust: 0.6

db:VULHUBid:VHN-144440

Trust: 0.1

sources: VULHUB: VHN-144440 // JVNDB: JVNDB-2019-010043 // CNNVD: CNNVD-201909-1134 // NVD: CVE-2019-12670

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-iox-gs

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-12670

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12670

Trust: 0.8

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-webui-cmd-injection

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-vman-cmd-injection

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-utd

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-ctspac-dos

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-xss

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-rawtcp-dos

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-dt

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-sip-alg

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-isdn-data-leak

Trust: 0.6

url:httpserv-dos

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-iosxe-fsdos

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-ftp

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-iosxe-digsig-bypass

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-iosxe-ctbypass

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-iosxe-codeexec

Trust: 0.6

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190925-awr

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.3615.2/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.3615/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-ios-xe-privilege-escalation-via-iox-guest-shell-namespace-30433

Trust: 0.6

sources: VULHUB: VHN-144440 // JVNDB: JVNDB-2019-010043 // CNNVD: CNNVD-201909-1134 // NVD: CVE-2019-12670

SOURCES

db:VULHUBid:VHN-144440
db:JVNDBid:JVNDB-2019-010043
db:CNNVDid:CNNVD-201909-1134
db:NVDid:CVE-2019-12670

LAST UPDATE DATE

2024-11-23T21:36:54.724000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-144440date:2020-10-08T00:00:00
db:JVNDBid:JVNDB-2019-010043date:2019-10-03T00:00:00
db:CNNVDid:CNNVD-201909-1134date:2020-10-09T00:00:00
db:NVDid:CVE-2019-12670date:2024-11-21T04:23:19.320

SOURCES RELEASE DATE

db:VULHUBid:VHN-144440date:2019-09-25T00:00:00
db:JVNDBid:JVNDB-2019-010043date:2019-10-03T00:00:00
db:CNNVDid:CNNVD-201909-1134date:2019-09-25T00:00:00
db:NVDid:CVE-2019-12670date:2019-09-25T21:15:11.687