CVE-2019-1589

EPSS 0.05%
Published 03.05.2019 15:29:00
Last modified 21.11.2024 04:36:52
Source psirt@cisco.com
Teams watchlist Login
Open Login

A vulnerability in the Trusted Platform Module (TPM) functionality of software for Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode could allow an unauthenticated, local attacker with physical access to view sensitive information on an affected device. The vulnerability is due to a lack of proper data-protection mechanisms for disk encryption keys that are used within the partitions on an affected device hard drive. An attacker could exploit this vulnerability by obtaining physical access to the affected device to view certain cleartext keys. A successful exploit could allow the attacker to execute a custom boot process or conduct further attacks on an affected device.

Affected products Warnungen 0 Metrics 4 CWE 2 References 5

Data is provided by the National Vulnerability Database (NVD)

Cisco ≫ Nx-os Version8.3(0)sk(0.39)

   Cisco ≫ Nexus 9000 Version-
   Cisco ≫ Nexus 92160yc-x Version-
   Cisco ≫ Nexus 92300yc Version-
   Cisco ≫ Nexus 92304qc Version-
   Cisco ≫ Nexus 9236c Version-
   Cisco ≫ Nexus 9272q Version-
   Cisco ≫ Nexus 93108tc-ex Version-
   Cisco ≫ Nexus 93108tc-fx Version-
   Cisco ≫ Nexus 93120tx Version-
   Cisco ≫ Nexus 93128tx Version-
   Cisco ≫ Nexus 93180lc-ex Version-
   Cisco ≫ Nexus 93180yc-ex Version-
   Cisco ≫ Nexus 93180yc-fx Version-
   Cisco ≫ Nexus 93240yc-fx2 Version-
   Cisco ≫ Nexus 9332c Version-
   Cisco ≫ Nexus 9332pq Version-
   Cisco ≫ Nexus 9336c-fx2 Version-
   Cisco ≫ Nexus 9336pq Version-
   Cisco ≫ Nexus 9348gc-fxp Version-
   Cisco ≫ Nexus 9364c Version-
   Cisco ≫ Nexus 9372px Version-
   Cisco ≫ Nexus 9372px-e Version-
   Cisco ≫ Nexus 9372tx Version-
   Cisco ≫ Nexus 9372tx-e Version-
   Cisco ≫ Nexus 9396px Version-
   Cisco ≫ Nexus 9396tx Version-
   Cisco ≫ Nexus 9508 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.05%	0.125

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.6	0.9	3.6	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	2.1	3.9	2.9	AV:L/AC:L/Au:N/C:P/I:N/A:N
psirt@cisco.com	4.2	0.5	3.6	CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-311 Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission.

http://www.securityfocus.com/bid/108175

Third Party Advisory

VDB Entry

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-aci-unmeasured-boot

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-1589

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-1589

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-1589

EUVD