6.7
CVE-2019-1729
- EPSS 0.1%
- Published 15.05.2019 17:29:01
- Last modified 21.11.2024 04:37:11
- Source psirt@cisco.com
A vulnerability in the CLI implementation of a specific command used for image maintenance for Cisco NX-OS Software could allow an authenticated, local attacker to overwrite any file on the file system, including system files. These file overwrites by the attacker are accomplished at the root privilege level. The vulnerability occurs because there is no verification of user-input parameters and/or digital-signature verification for image files when using a specific CLI command. An attacker could exploit this vulnerability by authenticating to the device and issuing a command at the CLI. Because an exploit could allow the attacker to overwrite any file on the disk, including system files, a denial of service (DoS) condition could occur. The attacker must have valid administrator credentials for the affected device to exploit this vulnerability.
Data is provided by the National Vulnerability Database (NVD)
Cisco ≫ Nx-os Version < 7.0(3)i4(9)
Cisco ≫ Nexus 3000 Version-
Cisco ≫ Nexus 3100 Version-
Cisco ≫ Nexus 3100-z Version-
Cisco ≫ Nexus 3100v Version-
Cisco ≫ Nexus 3200 Version-
Cisco ≫ Nexus 3400 Version-
Cisco ≫ Nexus 3500 Version-
Cisco ≫ Nexus 3524-x Version-
Cisco ≫ Nexus 3524-xl Version-
Cisco ≫ Nexus 3548-x Version-
Cisco ≫ Nexus 3548-xl Version-
Cisco ≫ Nexus 9000 Version-
Cisco ≫ Nexus 9200 Version-
Cisco ≫ Nexus 9300 Version-
Cisco ≫ Nx-os Version >= 7.0(3)i7 < 7.0(3)i7(4)
Cisco ≫ Nexus 3000 Version-
Cisco ≫ Nexus 3100 Version-
Cisco ≫ Nexus 3100-z Version-
Cisco ≫ Nexus 3100v Version-
Cisco ≫ Nexus 3200 Version-
Cisco ≫ Nexus 3400 Version-
Cisco ≫ Nexus 3500 Version-
Cisco ≫ Nexus 3524-x Version-
Cisco ≫ Nexus 3524-xl Version-
Cisco ≫ Nexus 3548-x Version-
Cisco ≫ Nexus 3548-xl Version-
Cisco ≫ Nexus 9000 Version-
Cisco ≫ Nexus 9200 Version-
Cisco ≫ Nexus 9300 Version-
Cisco ≫ Nx-os Version >= 7.0(3) < 7.0(3)f3(5)
Cisco ≫ Nexus 36180yc-r Version-
Cisco ≫ Nexus 3636c-r Version-
Cisco ≫ Nexus 9504 Version-
Cisco ≫ Nexus 9508 Version-
Cisco ≫ Nexus 9516 Version-
No CISA KEV or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.1% | 0.244 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 6 | 0.8 | 5.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
nvd@nist.gov | 6.6 | 3.9 | 9.2 | AV:L/AC:L/Au:N/C:N/I:C/A:C |
psirt@cisco.com | 6.7 | 0.8 | 5.9 | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-347 Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.