CVE-2019-1728

EPSS 0.11%
Published 15.05.2019 17:29:01
Last modified 21.11.2024 04:37:11
Source psirt@cisco.com
Teams watchlist Login
Open Login

A vulnerability in the Secure Configuration Validation functionality of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to run arbitrary commands at system boot time with the privileges of root. The vulnerability is due to a lack of proper validation of system files when the persistent configuration information is read from the file system. An attacker could exploit this vulnerability by authenticating to the device and overwriting the persistent configuration storage with malicious executable files. An exploit could allow the attacker to run arbitrary commands at system startup and those commands will run as the root user. The attacker must have valid administrative credentials for the device.

Affected products Warnungen 0 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Cisco ≫ Nx-os Version >= 8.1 < 8.1\(1b\)

   Cisco ≫ Mds 9000 Version-
   Cisco ≫ Mds 9100 Version-
   Cisco ≫ Mds 9200 Version-
   Cisco ≫ Mds 9500 Version-
   Cisco ≫ Mds 9700 Version-

Cisco ≫ Nx-os Version >= 8.2 < 8.3\(1\)

   Cisco ≫ Mds 9000 Version-
   Cisco ≫ Mds 9100 Version-
   Cisco ≫ Mds 9200 Version-
   Cisco ≫ Mds 9500 Version-
   Cisco ≫ Mds 9700 Version-

Cisco ≫ Nx-os Version >= 7.0\(3\)i7 < 7.0\(3\)i7\(3\)

   Cisco ≫ Nexus 3000 Version-
   Cisco ≫ Nexus 3100 Version-
   Cisco ≫ Nexus 3100-z Version-
   Cisco ≫ Nexus 3100v Version-
   Cisco ≫ Nexus 3200 Version-
   Cisco ≫ Nexus 3400 Version-
   Cisco ≫ Nexus 3500 Version-
   Cisco ≫ Nexus 3600 Version-
   Cisco ≫ Nexus 9000 Version-
   Cisco ≫ Nexus 9200 Version-
   Cisco ≫ Nexus 9300 Version-
   Cisco ≫ Nexus 9500 Version-

Cisco ≫ Nx-os Version >= 6.0\(2\)a8 < 6.0\(2\)a8\(11\)

   Cisco ≫ Nexus 3524-x Version-
   Cisco ≫ Nexus 3524-xl Version-
   Cisco ≫ Nexus 3548-x Version-
   Cisco ≫ Nexus 3548-xl Version-

Cisco ≫ Nx-os Version >= 7.0\(3\) < 7.0\(3\)i7\(3\)

   Cisco ≫ Nexus 3524-x Version-
   Cisco ≫ Nexus 3524-xl Version-
   Cisco ≫ Nexus 3548-x Version-
   Cisco ≫ Nexus 3548-xl Version-

Cisco ≫ Nx-os Version >= 7.3 < 7.3\(4\)n1\(1\)

   Cisco ≫ Nexus 5500 Version-
   Cisco ≫ Nexus 5600 Version-
   Cisco ≫ Nexus 6000 Version-

Cisco ≫ Nx-os Version >= 6.2 < 6.2\(22\)

Cisco ≫ Nexus 7000 Version-
Cisco ≫ Nexus 7700 Version-

Cisco ≫ Nx-os Version >= 7.2 < 7.3\(3\)d1\(1\)

Cisco ≫ Nexus 7000 Version-
Cisco ≫ Nexus 7700 Version-

Cisco ≫ Nx-os Version >= 8.0 < 8.3\(1\)

Cisco ≫ Nexus 7000 Version-
Cisco ≫ Nexus 7700 Version-

Cisco ≫ Nx-os Version >= 4.0 < 4.0\(1a\)

   Cisco ≫ Ucs 6248up Version-
   Cisco ≫ Ucs 6296up Version-
   Cisco ≫ Ucs 6332 Version-
   Cisco ≫ Usc 6324 Version-
   Cisco ≫ Usc 6332-16up Version-

Cisco ≫ Nx-os Version >= 2.4 < 2.4.1.101

   Cisco ≫ Firepower 4110 Version-
   Cisco ≫ Firepower 4115 Version-
   Cisco ≫ Firepower 4120 Version-
   Cisco ≫ Firepower 4125 Version-
   Cisco ≫ Firepower 4140 Version-
   Cisco ≫ Firepower 4145 Version-
   Cisco ≫ Firepower 4150 Version-
   Cisco ≫ Firepower 9300 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.11%	0.255

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.7	0.8	5.9	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.2	3.9	10	AV:L/AC:L/Au:N/C:C/I:C/A:C
psirt@cisco.com	6.7	0.8	5.9	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

http://www.securityfocus.com/bid/108391

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-conf-bypass

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-1728

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-1728

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-1728

EUVD