CVE-2019-1590

Published: May 3, 2019Modified: Nov 21, 2024

8.1

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

A vulnerability in the Transport Layer Security (TLS) certificate validation functionality of Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an unauthenticated, remote attacker to perform insecure TLS client authentication on an affected device. The vulnerability is due to insufficient TLS client certificate validations for certificates sent between the various components of an ACI fabric. An attacker who has possession of a certificate that is trusted by the Cisco Manufacturing CA and the corresponding private key could exploit this vulnerability by presenting a valid certificate while attempting to connect to the targeted device. An exploit could allow the attacker to gain full control of all other components within the ACI fabric of an affected device.

Affected (2)

Products: Cisco: Nx Os

Cisco

1 product

Nx Os

Configuration A

2 vulnerable · 27 platform

Vulnerable Software	Affected Versions
Cisco Nx Os	Version 14.1(0.90)
Cisco Nx Os	Version 8.3(0)sk(0.39)

Running on/with	Platform Versions
Cisco Nexus 9000	All versions
Cisco Nexus 92160yc X	All versions
Cisco Nexus 92300yc	All versions
Cisco Nexus 92304qc	All versions
Cisco Nexus 9236c	All versions
Cisco Nexus 9272q	All versions
Cisco Nexus 93108tc Ex	All versions
Cisco Nexus 93108tc Fx	All versions
Cisco Nexus 93120tx	All versions
Cisco Nexus 93128tx	All versions
Cisco Nexus 93180lc Ex	All versions
Cisco Nexus 93180yc Ex	All versions
Cisco Nexus 93180yc Fx	All versions
Cisco Nexus 93240yc Fx2	All versions
Cisco Nexus 9332c	All versions
Cisco Nexus 9332pq	All versions
Cisco Nexus 9336c Fx2	All versions
Cisco Nexus 9336pq	All versions
Cisco Nexus 9348gc Fxp	All versions
Cisco Nexus 9364c	All versions
Cisco Nexus 9372px	All versions
Cisco Nexus 9372px E	All versions
Cisco Nexus 9372tx	All versions
Cisco Nexus 9372tx E	All versions
Cisco Nexus 9396px	All versions
Cisco Nexus 9396tx	All versions
Cisco Nexus 9508	All versions

Related CWEs

CWE-295

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (2)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-aci-insecure-fabric

Source: psirt@cisco.com

Vendor Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-aci-insecure-fabric

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.