ID

VAR-202009-0362


CVE

CVE-2019-1888


TITLE

Cisco Unified Contact Center Express  Unlimited Upload Vulnerability in File Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-011570

DESCRIPTION

A vulnerability in the Administration Web Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to upload arbitrary files and execute commands on the underlying operating system. To exploit this vulnerability, an attacker needs valid Administrator credentials. The vulnerability is due to insufficient restrictions for the content uploaded to an affected system. An attacker could exploit this vulnerability by uploading arbitrary files containing operating system commands that will be executed by an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the web interface and then elevate their privileges to root. This component supports functions such as self-service voice service, call distribution, and customer access control. A code issue vulnerability exists in Cisco Unified CCX releases prior to 12.5(1) where the program does not adequately restrict what is uploaded to an affected system. I've quoted the Cisco summary below as it's pretty accurate. tl;dr is an admin user on the web console can gain command execution and then escalate to root. If this is an issue in your environment, then please patch. Thanks to Cisco PSIRT who were responsive and professional. Shouts to Andrew, Dave and Senad, Pedro R - if that's still even a thing on advisories

Trust: 1.8

sources: NVD: CVE-2019-1888 // JVNDB: JVNDB-2020-011570 // VULHUB: VHN-151270 // PACKETSTORM: 156531

AFFECTED PRODUCTS

vendor:ciscomodel:unified ip interactive voice responsescope:eqversion:11.6\(1\)

Trust: 1.0

vendor:ciscomodel:unified contact center expressscope:eqversion:11.6\(2\)

Trust: 1.0

vendor:ciscomodel:unified contact center expressscope:eqversion:12.0\(1\)

Trust: 1.0

vendor:ciscomodel:unified contact center expressscope:eqversion:11.6\(1\)

Trust: 1.0

vendor:ciscomodel:unified ip interactive voice responsescope:eqversion:11.6\(2\)

Trust: 1.0

vendor:シスコシステムズmodel:cisco unified contact center expressscope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:cisco unified ip interactive voice responsescope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-011570 // NVD: CVE-2019-1888

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1888
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1888
value: HIGH

Trust: 1.0

NVD: CVE-2019-1888
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202002-997
value: HIGH

Trust: 0.6

VULHUB: VHN-151270
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-1888
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-151270
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-1888
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1888
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-151270 // JVNDB: JVNDB-2020-011570 // CNNVD: CNNVD-202002-997 // NVD: CVE-2019-1888 // NVD: CVE-2019-1888

PROBLEMTYPE DATA

problemtype:CWE-434

Trust: 1.1

problemtype:Unlimited upload of dangerous types of files (CWE-434) [NVD Evaluation ]

Trust: 0.8

sources: VULHUB: VHN-151270 // JVNDB: JVNDB-2020-011570 // NVD: CVE-2019-1888

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-997

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202002-997

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-151270

PATCH

title:cisco-sa-uccx-privesc-Zd7bvwyfurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-privesc-Zd7bvwyf

Trust: 0.8

title:Cisco Unified Contact Center Express Fixes for code issue vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=110047

Trust: 0.6

sources: JVNDB: JVNDB-2020-011570 // CNNVD: CNNVD-202002-997

EXTERNAL IDS

db:NVDid:CVE-2019-1888

Trust: 2.6

db:PACKETSTORMid:156531

Trust: 0.8

db:JVNDBid:JVNDB-2020-011570

Trust: 0.8

db:CNNVDid:CNNVD-202002-997

Trust: 0.7

db:AUSCERTid:ESB-2020.0603

Trust: 0.6

db:VULHUBid:VHN-151270

Trust: 0.1

sources: VULHUB: VHN-151270 // JVNDB: JVNDB-2020-011570 // PACKETSTORM: 156531 // CNNVD: CNNVD-202002-997 // NVD: CVE-2019-1888

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-uccx-privesc-zd7bvwyf

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2019-1888

Trust: 0.9

url:https://packetstormsecurity.com/files/156531/cisco-unified-contact-center-express-privilege-escalation.html

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-unified-contact-center-express-file-upload-via-administration-web-interface-31644

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0603/

Trust: 0.6

sources: VULHUB: VHN-151270 // JVNDB: JVNDB-2020-011570 // PACKETSTORM: 156531 // CNNVD: CNNVD-202002-997 // NVD: CVE-2019-1888

CREDITS

Jamie R

Trust: 0.7

sources: PACKETSTORM: 156531 // CNNVD: CNNVD-202002-997

SOURCES

db:VULHUBid:VHN-151270
db:JVNDBid:JVNDB-2020-011570
db:PACKETSTORMid:156531
db:CNNVDid:CNNVD-202002-997
db:NVDid:CVE-2019-1888

LAST UPDATE DATE

2024-08-14T15:17:30.891000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-151270date:2020-09-29T00:00:00
db:JVNDBid:JVNDB-2020-011570date:2021-04-06T09:06:00
db:CNNVDid:CNNVD-202002-997date:2020-09-30T00:00:00
db:NVDid:CVE-2019-1888date:2020-09-29T18:55:07.957

SOURCES RELEASE DATE

db:VULHUBid:VHN-151270date:2020-09-23T00:00:00
db:JVNDBid:JVNDB-2020-011570date:2021-04-06T00:00:00
db:PACKETSTORMid:156531date:2020-02-25T15:26:11
db:CNNVDid:CNNVD-202002-997date:2020-02-19T00:00:00
db:NVDid:CVE-2019-1888date:2020-09-23T01:15:14.410