var-202009-0362
Vulnerability from variot
A vulnerability in the Administration Web Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to upload arbitrary files and execute commands on the underlying operating system. To exploit this vulnerability, an attacker needs valid Administrator credentials. The vulnerability is due to insufficient restrictions for the content uploaded to an affected system. An attacker could exploit this vulnerability by uploading arbitrary files containing operating system commands that will be executed by an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the web interface and then elevate their privileges to root. This component supports functions such as self-service voice service, call distribution, and customer access control. A code issue vulnerability exists in Cisco Unified CCX releases prior to 12.5(1) where the program does not adequately restrict what is uploaded to an affected system. I've quoted the Cisco summary below as it's pretty accurate.
tl;dr is an admin user on the web console can gain command execution and then escalate to root. If this is an issue in your environment, then please patch.
Thanks to Cisco PSIRT who were responsive and professional.
Shouts to Andrew, Dave and Senad, Pedro R - if that's still even a thing on advisories
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202009-0362", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "unified ip interactive voice response", "scope": "eq", "trust": 1.0, "vendor": "cisco", "version": "11.6\\(2\\)" }, { "model": "unified ip interactive voice response", "scope": "eq", "trust": 1.0, "vendor": "cisco", "version": "11.6\\(1\\)" }, { "model": "unified contact center express", "scope": "eq", "trust": 1.0, "vendor": "cisco", "version": "11.6\\(2\\)" }, { "model": "unified contact center express", "scope": "eq", "trust": 1.0, "vendor": "cisco", "version": "11.6\\(1\\)" }, { "model": "unified contact center express", "scope": "eq", "trust": 1.0, "vendor": "cisco", "version": "12.0\\(1\\)" }, { "model": "cisco unified contact center express", "scope": null, "trust": 0.8, "vendor": "\u30b7\u30b9\u30b3\u30b7\u30b9\u30c6\u30e0\u30ba", "version": null }, { "model": "cisco unified ip interactive voice response", "scope": null, "trust": 0.8, "vendor": "\u30b7\u30b9\u30b3\u30b7\u30b9\u30c6\u30e0\u30ba", "version": null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2020-011570" }, { "db": "NVD", "id": "CVE-2019-1888" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:cisco:unified_contact_center_express:11.6\\(1\\):*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:cisco:unified_contact_center_express:11.6\\(2\\):*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:cisco:unified_contact_center_express:12.0\\(1\\):*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:cisco:unified_ip_interactive_voice_response:11.6\\(1\\):*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:cisco:unified_ip_interactive_voice_response:11.6\\(2\\):*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2019-1888" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Jamie R", "sources": [ { "db": "PACKETSTORM", "id": "156531" }, { "db": "CNNVD", "id": "CNNVD-202002-997" } ], "trust": 0.7 }, "cve": "CVE-2019-1888", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "NVD", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 8.0, "impactScore": 10.0, "integrityImpact": "COMPLETE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "Single", "author": "NVD", "availabilityImpact": "Complete", "baseScore": 9.0, "confidentialityImpact": "Complete", "exploitabilityScore": null, "id": "CVE-2019-1888", "impactScore": null, "integrityImpact": "Complete", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "High", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "VULHUB", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 8.0, "id": "VHN-151270", "impactScore": 10.0, "integrityImpact": "COMPLETE", "severity": "HIGH", "trust": 0.1, "vectorString": "AV:N/AC:L/AU:S/C:C/I:C/A:C", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 1.2, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "ykramarz@cisco.com", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 1.2, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 7.2, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2019-1888", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "High", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2019-1888", "trust": 1.8, "value": "HIGH" }, { "author": "ykramarz@cisco.com", "id": "CVE-2019-1888", "trust": 1.0, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202002-997", "trust": 0.6, "value": "HIGH" }, { "author": "VULHUB", "id": "VHN-151270", "trust": 0.1, "value": "HIGH" } ] } ], "sources": [ { "db": "VULHUB", "id": "VHN-151270" }, { "db": "JVNDB", "id": "JVNDB-2020-011570" }, { "db": "NVD", "id": "CVE-2019-1888" }, { "db": "NVD", "id": "CVE-2019-1888" }, { "db": "CNNVD", "id": "CNNVD-202002-997" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "A vulnerability in the Administration Web Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to upload arbitrary files and execute commands on the underlying operating system. To exploit this vulnerability, an attacker needs valid Administrator credentials. The vulnerability is due to insufficient restrictions for the content uploaded to an affected system. An attacker could exploit this vulnerability by uploading arbitrary files containing operating system commands that will be executed by an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the web interface and then elevate their privileges to root. This component supports functions such as self-service voice service, call distribution, and customer access control. A code issue vulnerability exists in Cisco Unified CCX releases prior to 12.5(1) where the program does not adequately restrict what is uploaded to an affected system. I\u0027ve quoted the Cisco summary below as it\u0027s pretty accurate. \n\ntl;dr is an admin user on the web console can gain command execution\nand then escalate to root. If this is an issue in your environment,\nthen please patch. \n\nThanks to Cisco PSIRT who were responsive and professional. \n\nShouts to Andrew, Dave and Senad, Pedro R - if that\u0027s still even a\nthing on advisories", "sources": [ { "db": "NVD", "id": "CVE-2019-1888" }, { "db": "JVNDB", "id": "JVNDB-2020-011570" }, { "db": "VULHUB", "id": "VHN-151270" }, { "db": "PACKETSTORM", "id": "156531" } ], "trust": 1.8 }, "exploit_availability": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "reference": "https://www.scap.org.cn/vuln/vhn-151270", "trust": 0.1, "type": "unknown" } ], "sources": [ { "db": "VULHUB", "id": "VHN-151270" } ] }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2019-1888", "trust": 2.6 }, { "db": "PACKETSTORM", "id": "156531", "trust": 0.8 }, { "db": "JVNDB", "id": "JVNDB-2020-011570", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202002-997", "trust": 0.7 }, { "db": "AUSCERT", "id": "ESB-2020.0603", "trust": 0.6 }, { "db": "VULHUB", "id": "VHN-151270", "trust": 0.1 } ], "sources": [ { "db": "VULHUB", "id": "VHN-151270" }, { "db": "JVNDB", "id": "JVNDB-2020-011570" }, { "db": "PACKETSTORM", "id": "156531" }, { "db": "NVD", "id": "CVE-2019-1888" }, { "db": "CNNVD", "id": "CNNVD-202002-997" } ] }, "id": "VAR-202009-0362", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VULHUB", "id": "VHN-151270" } ], "trust": 0.01 }, "last_update_date": "2023-12-18T13:51:46.913000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "cisco-sa-uccx-privesc-Zd7bvwyf", "trust": 0.8, "url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-uccx-privesc-zd7bvwyf" }, { "title": "Cisco Unified Contact Center Express Fixes for code issue vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=110047" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2020-011570" }, { "db": "CNNVD", "id": "CNNVD-202002-997" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-434", "trust": 1.1 }, { "problemtype": "Unlimited upload of dangerous types of files (CWE-434) [NVD Evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "VULHUB", "id": "VHN-151270" }, { "db": "JVNDB", "id": "JVNDB-2020-011570" }, { "db": "NVD", "id": "CVE-2019-1888" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.4, "url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-uccx-privesc-zd7bvwyf" }, { "trust": 0.9, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-1888" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/156531/cisco-unified-contact-center-express-privilege-escalation.html" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/cisco-unified-contact-center-express-file-upload-via-administration-web-interface-31644" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2020.0603/" } ], "sources": [ { "db": "VULHUB", "id": "VHN-151270" }, { "db": "JVNDB", "id": "JVNDB-2020-011570" }, { "db": "PACKETSTORM", "id": "156531" }, { "db": "NVD", "id": "CVE-2019-1888" }, { "db": "CNNVD", "id": "CNNVD-202002-997" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULHUB", "id": "VHN-151270" }, { "db": "JVNDB", "id": "JVNDB-2020-011570" }, { "db": "PACKETSTORM", "id": "156531" }, { "db": "NVD", "id": "CVE-2019-1888" }, { "db": "CNNVD", "id": "CNNVD-202002-997" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2020-09-23T00:00:00", "db": "VULHUB", "id": "VHN-151270" }, { "date": "2021-04-06T00:00:00", "db": "JVNDB", "id": "JVNDB-2020-011570" }, { "date": "2020-02-25T15:26:11", "db": "PACKETSTORM", "id": "156531" }, { "date": "2020-09-23T01:15:14.410000", "db": "NVD", "id": "CVE-2019-1888" }, { "date": "2020-02-19T00:00:00", "db": "CNNVD", "id": "CNNVD-202002-997" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2020-09-29T00:00:00", "db": "VULHUB", "id": "VHN-151270" }, { "date": "2021-04-06T09:06:00", "db": "JVNDB", "id": "JVNDB-2020-011570" }, { "date": "2020-09-29T18:55:07.957000", "db": "NVD", "id": "CVE-2019-1888" }, { "date": "2020-09-30T00:00:00", "db": "CNNVD", "id": "CNNVD-202002-997" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202002-997" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Cisco\u00a0Unified\u00a0Contact\u00a0Center\u00a0Express\u00a0 Unlimited Upload Vulnerability in File Vulnerability", "sources": [ { "db": "JVNDB", "id": "JVNDB-2020-011570" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "code problem", "sources": [ { "db": "CNNVD", "id": "CNNVD-202002-997" } ], "trust": 0.6 } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.