Lucene search

CiscoCVE-2019-1648

HistoryJan 24, 2019 - 3:29 p.m.

CVE-2019-1648

2019-01-2415:29:00

CWE-264

CWE-20

cisco

web.nvd.nist.gov

vulnerability

cisco

sd-wan solution

user group configuration

authenticated

local attacker

elevated privileges

cve-2019-1648

nvd

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

Percentile

5.1%

JSON

A vulnerability in the user group configuration of the Cisco SD-WAN Solution could allow an authenticated, local attacker to gain elevated privileges on an affected device. The vulnerability is due to a failure to properly validate certain parameters included within the group configuration. An attacker could exploit this vulnerability by writing a crafted file to the directory where the user group configuration is located in the underlying operating system. A successful exploit could allow the attacker to gain root-level privileges and take full control of the device.

Affected configurations

Nvd

Node

ciscovedge_100_firmware

AND

ciscovedge_100Match-

Node

ciscovedge_1000_firmware

AND

ciscovedge_1000Match-

Node

ciscovedge_2000_firmware

AND

ciscovedge_2000Match-

Node

ciscovedge_5000_firmware

AND

ciscovedge_5000Match-

Node

ciscosd-wanRange<18.4.0

ciscovbond_orchestratorMatch-

ciscovmanage_network_managementMatch-

ciscovsmart_controllerMatch-

VendorProductVersionCPE
ciscovedge_100_firmware*cpe:2.3:o:cisco:vedge_100_firmware:*:*:*:*:*:*:*:*
ciscovedge_100-cpe:2.3:h:cisco:vedge_100:-:*:*:*:*:*:*:*
ciscovedge_1000_firmware*cpe:2.3:o:cisco:vedge_1000_firmware:*:*:*:*:*:*:*:*
ciscovedge_1000-cpe:2.3:h:cisco:vedge_1000:-:*:*:*:*:*:*:*
ciscovedge_2000_firmware*cpe:2.3:o:cisco:vedge_2000_firmware:*:*:*:*:*:*:*:*
ciscovedge_2000-cpe:2.3:h:cisco:vedge_2000:-:*:*:*:*:*:*:*
ciscovedge_5000_firmware*cpe:2.3:o:cisco:vedge_5000_firmware:*:*:*:*:*:*:*:*
ciscovedge_5000-cpe:2.3:h:cisco:vedge_5000:-:*:*:*:*:*:*:*
ciscosd-wan*cpe:2.3:a:cisco:sd-wan:*:*:*:*:*:*:*:*
ciscovbond_orchestrator-cpe:2.3:a:cisco:vbond_orchestrator:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	vedge_100_firmware	*	cpe:2.3:o:cisco:vedge_100_firmware::::::::
cisco	vedge_100	-	cpe:2.3:h:cisco:vedge_100:-:::::::*
cisco	vedge_1000_firmware	*	cpe:2.3:o:cisco:vedge_1000_firmware::::::::
cisco	vedge_1000	-	cpe:2.3:h:cisco:vedge_1000:-:::::::*
cisco	vedge_2000_firmware	*	cpe:2.3:o:cisco:vedge_2000_firmware::::::::
cisco	vedge_2000	-	cpe:2.3:h:cisco:vedge_2000:-:::::::*
cisco	vedge_5000_firmware	*	cpe:2.3:o:cisco:vedge_5000_firmware::::::::
cisco	vedge_5000	-	cpe:2.3:h:cisco:vedge_5000:-:::::::*
cisco	sd-wan	*	cpe:2.3:a:cisco:sd-wan::::::::
cisco	vbond_orchestrator	-	cpe:2.3:a:cisco:vbond_orchestrator:-:::::::*

Rows per page:

1-10 of 121

CNA Affected

[
  {
    "product": "Cisco SD-WAN Solution",
    "vendor": "Cisco",
    "versions": [
      {
        "status": "affected",
        "version": "n/a"
      }
    ]
  }
]

References

www.securityfocus.com/bid/106719

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-sol-escal

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

Percentile

5.1%

JSON

Related for CVE-2019-1648