CVE-2019-1784

Published: May 15, 2019Modified: Nov 21, 2024

6.7

Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 0.8 / Impact: 5.9

Source: NVD

Description

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with the privilege level of root. The vulnerability is due to insufficient validation of arguments passed to a specific CLI command on the affected device. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system with elevated privileges. An attacker would need valid administrator credentials to exploit this vulnerability.

Affected (5)

Products: Cisco: Nx Os

1 product

Configuration A

1 vulnerable · 11 platform

Vulnerable Software	Affected Versions
Cisco Nx Os	Before 7.3\(5\)n1\(1\)

Running on/with	Platform Versions
Cisco Nexus 5548p	All versions
Cisco Nexus 5548up	All versions
Cisco Nexus 5596t	All versions
Cisco Nexus 5596up	All versions
Cisco Nexus 56128p	All versions
Cisco Nexus 5624q	All versions
Cisco Nexus 5648q	All versions
Cisco Nexus 5672up	All versions
Cisco Nexus 5696q	All versions
Cisco Nexus 6001	All versions
Cisco Nexus 6004	All versions

Configuration B

3 vulnerable · 2 platform

Vulnerable Software	Affected Versions
Cisco Nx Os	From 7.2 to 7.3\(3\)d1\(1\)
Cisco Nx Os	From 8.0 to 8.2\(3\)
Cisco Nx Os	From 8.3 to 8.3\(1\)

Running on/with	Platform Versions
Cisco 7000	All versions
Cisco 7700	All versions

Configuration C

1 vulnerable · 5 platform

Vulnerable Software	Affected Versions
Cisco Nx Os	Before 4.0\(1a\)

Running on/with	Platform Versions
Cisco Ucs 6248up	All versions
Cisco Ucs 6296up	All versions
Cisco Ucs 6324	All versions
Cisco Ucs 6332	All versions
Cisco Ucs 6332 16up	All versions

Related CWEs

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

References (4)

http://www.securityfocus.com/bid/108369

Source: psirt@cisco.com

Third Party AdvisoryVDB Entry

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-cmd-inject-1784

Source: psirt@cisco.com

Vendor Advisory

http://www.securityfocus.com/bid/108369

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-cmd-inject-1784

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.