cnvd - cnvd-2019-39729

CNVD-2019-39729

Vulnerability from cnvd - Published: 2019-11-08

Title

Cisco HyperFlex Software数据伪造问题漏洞

Description

Cisco HyperFlex是Cisco的超融合基础架构(HCI)平台，专为满足多云IT的需求而打造，可通过简单的超融合基础设施为任何地方的任何应用提供支持。 Cisco HyperFlex软件3.5.2f、4.0.1b及更早版本中的统计信息收集服务存在计数器值注入漏洞。该漏洞源于统计信息收集服务的验证不足。攻击者可利用该漏洞通过将格式正确的数据值发送到受影响设备的统计信息收集服务导致Web界面统计信息视图向用户呈现无效数据。

Severity

中

Patch Name

Cisco HyperFlex Software数据伪造问题漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新：https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190918-hyperflex-valinj

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-12620

Impacted products

Name
['Cisco Cisco HyperFlex软件 <=3.5.2f', 'Cisco Cisco HyperFlex软件 <=4.0.1b']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-12620",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-12620"
    }
  },
  "description": "Cisco HyperFlex\u662fCisco\u7684\u8d85\u878d\u5408\u57fa\u7840\u67b6\u6784(HCI)\u5e73\u53f0\uff0c\u4e13\u4e3a\u6ee1\u8db3\u591a\u4e91IT\u7684\u9700\u6c42\u800c\u6253\u9020\uff0c\u53ef\u901a\u8fc7\u7b80\u5355\u7684\u8d85\u878d\u5408\u57fa\u7840\u8bbe\u65bd\u4e3a\u4efb\u4f55\u5730\u65b9\u7684\u4efb\u4f55\u5e94\u7528\u63d0\u4f9b\u652f\u6301\u3002\n\nCisco HyperFlex\u8f6f\u4ef63.5.2f\u30014.0.1b\u53ca\u66f4\u65e9\u7248\u672c\u4e2d\u7684\u7edf\u8ba1\u4fe1\u606f\u6536\u96c6\u670d\u52a1\u5b58\u5728\u8ba1\u6570\u5668\u503c\u6ce8\u5165\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7edf\u8ba1\u4fe1\u606f\u6536\u96c6\u670d\u52a1\u7684\u9a8c\u8bc1\u4e0d\u8db3\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u5c06\u683c\u5f0f\u6b63\u786e\u7684\u6570\u636e\u503c\u53d1\u9001\u5230\u53d7\u5f71\u54cd\u8bbe\u5907\u7684\u7edf\u8ba1\u4fe1\u606f\u6536\u96c6\u670d\u52a1\u5bfc\u81f4Web\u754c\u9762\u7edf\u8ba1\u4fe1\u606f\u89c6\u56fe\u5411\u7528\u6237\u5448\u73b0\u65e0\u6548\u6570\u636e\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1ahttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190918-hyperflex-valinj",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-39729",
  "openTime": "2019-11-08",
  "patchDescription": "Cisco HyperFlex\u662fCisco\u7684\u8d85\u878d\u5408\u57fa\u7840\u67b6\u6784(HCI)\u5e73\u53f0\uff0c\u4e13\u4e3a\u6ee1\u8db3\u591a\u4e91IT\u7684\u9700\u6c42\u800c\u6253\u9020\uff0c\u53ef\u901a\u8fc7\u7b80\u5355\u7684\u8d85\u878d\u5408\u57fa\u7840\u8bbe\u65bd\u4e3a\u4efb\u4f55\u5730\u65b9\u7684\u4efb\u4f55\u5e94\u7528\u63d0\u4f9b\u652f\u6301\u3002\r\n\r\nCisco HyperFlex\u8f6f\u4ef63.5.2f\u30014.0.1b\u53ca\u66f4\u65e9\u7248\u672c\u4e2d\u7684\u7edf\u8ba1\u4fe1\u606f\u6536\u96c6\u670d\u52a1\u5b58\u5728\u8ba1\u6570\u5668\u503c\u6ce8\u5165\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7edf\u8ba1\u4fe1\u606f\u6536\u96c6\u670d\u52a1\u7684\u9a8c\u8bc1\u4e0d\u8db3\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u5c06\u683c\u5f0f\u6b63\u786e\u7684\u6570\u636e\u503c\u53d1\u9001\u5230\u53d7\u5f71\u54cd\u8bbe\u5907\u7684\u7edf\u8ba1\u4fe1\u606f\u6536\u96c6\u670d\u52a1\u5bfc\u81f4Web\u754c\u9762\u7edf\u8ba1\u4fe1\u606f\u89c6\u56fe\u5411\u7528\u6237\u5448\u73b0\u65e0\u6548\u6570\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco HyperFlex Software\u6570\u636e\u4f2a\u9020\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Cisco Cisco HyperFlex\u8f6f\u4ef6 \u003c=3.5.2f",
      "Cisco Cisco HyperFlex\u8f6f\u4ef6 \u003c=4.0.1b"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-12620",
  "serverity": "\u4e2d",
  "submitTime": "2019-09-19",
  "title": "Cisco HyperFlex Software\u6570\u636e\u4f2a\u9020\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2019-12620 (GCVE-0-2019-12620)

Vulnerability from cvelistv5 – Published: 2019-09-18 16:15 – Updated: 2024-11-19 18:57

Title

Cisco HyperFlex Software Counter Value Injection Vulnerability

Summary

A vulnerability in the statistics collection service of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to inject arbitrary values on an affected device. The vulnerability is due to insufficient authentication for the statistics collection service. An attacker could exploit this vulnerability by sending properly formatted data values to the statistics collection service of an affected device. A successful exploit could allow the attacker to cause the web interface statistics view to present invalid data to users.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-345

Assigner

cisco

References

URL

Tags

https://tools.cisco.com/security/center/content/C…

vendor-advisoryx_refsource_CISCO

Impacted products

	Vendor	Product	Version
	Cisco	Cisco HyperFlex HX-Series	Affected: unspecified , < 3.5.2f (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:24:39.185Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20190918 Cisco HyperFlex Software Counter Value Injection Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190918-hyperflex-valinj"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2019-12620",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-19T17:23:08.788414Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-19T18:57:00.555Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco HyperFlex HX-Series",
          "vendor": "Cisco",
          "versions": [
            {
              "lessThan": "3.5.2f",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2019-09-18T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the statistics collection service of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to inject arbitrary values on an affected device. The vulnerability is due to insufficient authentication for the statistics collection service. An attacker could exploit this vulnerability by sending properly formatted data values to the statistics collection service of an affected device. A successful exploit could allow the attacker to cause the web interface statistics view to present invalid data to users."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-09-18T16:15:18",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "20190918 Cisco HyperFlex Software Counter Value Injection Vulnerability",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190918-hyperflex-valinj"
        }
      ],
      "source": {
        "advisory": "cisco-sa-20190918-hyperflex-valinj",
        "defect": [
          [
            "CSCvj95584"
          ]
        ],
        "discovery": "INTERNAL"
      },
      "title": "Cisco HyperFlex Software Counter Value Injection Vulnerability",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "DATE_PUBLIC": "2019-09-18T16:00:00-0700",
          "ID": "CVE-2019-12620",
          "STATE": "PUBLIC",
          "TITLE": "Cisco HyperFlex Software Counter Value Injection Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco HyperFlex HX-Series",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_value": "3.5.2f"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Cisco"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the statistics collection service of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to inject arbitrary values on an affected device. The vulnerability is due to insufficient authentication for the statistics collection service. An attacker could exploit this vulnerability by sending properly formatted data values to the statistics collection service of an affected device. A successful exploit could allow the attacker to cause the web interface statistics view to present invalid data to users."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
          }
        ],
        "impact": {
          "cvss": {
            "baseScore": "5.3",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-345"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20190918 Cisco HyperFlex Software Counter Value Injection Vulnerability",
              "refsource": "CISCO",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190918-hyperflex-valinj"
            }
          ]
        },
        "source": {
          "advisory": "cisco-sa-20190918-hyperflex-valinj",
          "defect": [
            [
              "CSCvj95584"
            ]
          ],
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2019-12620",
    "datePublished": "2019-09-18T16:15:18.927528Z",
    "dateReserved": "2019-06-04T00:00:00",
    "dateUpdated": "2024-11-19T18:57:00.555Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-39729

CVE-2019-12620 (GCVE-0-2019-12620)

Tags

Sightings

Nomenclature