Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.2983
Multiple vulnerabilities have been identified in Cisco
Enterprise NFV Infrastructure Software
8 August 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Enterprise NFV Infrastructure Software
Publisher: Cisco Systems
Operating System: Virtualisation
Cisco
Impact/Access: Administrator Compromise -- Remote/Unauthenticated
Increased Privileges -- Existing Account
Modify Arbitrary Files -- Existing Account
Cross-site Scripting -- Existing Account
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2019-1973 CVE-2019-1972 CVE-2019-1971
CVE-2019-1961 CVE-2019-1960 CVE-2019-1959
CVE-2019-1953 CVE-2019-1952 CVE-2019-1946
CVE-2019-1895
Reference: ESB-2019.0522
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-xss
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-fileread
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-pwrecov
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-cli-path
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfvis-vnc-authbypass
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-privescal
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfvis-authbypass
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-read
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-commandinj
Comment: This bulletin contains nine (9) Cisco Systems security advisories.
CVE-2019-1895 is an Authentication Bypass vulnerability that allows
the attacker access to the VNC console session of an Administrative
user.
CVE-2019-1971 allows a remote attacker to perform a command injection
attack and execute arbitrary commands with root privileges.
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Enterprise NFV Infrastructure Software Cross-site Scripting Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20190807-nfv-xss
First Published: 2019 August 7 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvn12411
CVE-2019-1973
CWE-79
CVSS Score:
4.8 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:X/RL:X/RC:X
Summary
o A vulnerability in the web portal framework of Cisco Enterprise NFV
Infrastructure Software (NFVIS) could allow an authenticated, remote
attacker to conduct a cross-site scripting (XSS) attack against a user of
the web-based interface.
The vulnerability is due to improper input validation of log file content
stored on the affected device. An attacker could exploit this vulnerability
by modifying a log file with malicious code and getting a user to view the
modified log file. A successful exploit could allow the attacker to execute
arbitrary script code in the context of the affected interface or to access
sensitive, browser-based information.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-xss
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco Enterprise
NFVIS devices running releases earlier than Release 3.11.1.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
At the time of publication, Cisco Enterprise NFVIS releases 3.11.1 and
later contained the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Action Links for This Advisory
o Understanding Cross-Site Scripting (XSS) Threat Vectors
Related to This Advisory
o Cross-Site Scripting
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-xss
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-07 |
+---------+--------------------------+---------+--------+-----------------+
- ---
Cisco Enterprise NFV Infrastructure Software Web Portal Arbitrary File Read
Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20190807-nfv-fileread
First Published: 2019 August 7 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvm76624
CVE-2019-1961
CWE-532
CVSS Score:
4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X
Summary
o A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS)
could allow an authenticated, remote attacker to read arbitrary files on
the underlying operating system (OS) of an affected device.
The vulnerability is due to the improper input validation of tar packages
uploaded through the Web Portal to the Image Repository. An attacker could
exploit this vulnerability by uploading a crafted tar package and viewing
the log entries that are generated. A successful exploit could allow the
attacker to read arbitrary files on the underlying OS.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-fileread
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco Enterprise
NFVIS releases earlier than Release 3.10.1.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
At the time of publication, Cisco Enterprise NFVIS releases 3.10.1 and
later contained the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-fileread
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-07 |
+---------+--------------------------+---------+--------+-----------------+
- ---
Cisco Enterprise NFV Infrastructure Software Password Recovery Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20190807-nfv-pwrecov
First Published: 2019 August 7 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvk44389
CVE-2019-1953
CWE-532
CVSS Score:
6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X
Summary
o A vulnerability in the web portal of Cisco Enterprise NFV Infrastructure
Software (NFVIS) could allow an authenticated, remote attacker to view a
password in clear text.
The vulnerability is due to incorrectly logging the admin password when a
user is forced to modify the default password when logging in to the web
portal for the first time. Subsequent password changes are not logged and
other accounts are not affected. An attacker could exploit this
vulnerability by viewing the admin clear text password and using it to
access the affected system. The attacker would need a valid user account to
exploit this vulnerability.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-pwrecov
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco Enterprise
NFVIS releases earlier than Release 3.9.1.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
At the time of publication, Cisco Enterprise NFVIS releases 3.9.1 and later
contained the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-pwrecov
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-07 |
+---------+--------------------------+---------+--------+-----------------+
- ---
Cisco Enterprise NFV Infrastructure Software Path Traversal Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20190807-nfv-cli-path
First Published: 2019 August 7 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvm76615
CVE-2019-1952
CWE-22
CVSS Score:
6.7 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the CLI of Cisco Enterprise NFV Infrastructure Software
(NFVIS) could allow an authenticated, local attacker to overwrite or read
arbitrary files. The attacker would need valid administrator
privilege-level credentials.
This vulnerability is due to improper input validation of CLI command
arguments. An attacker could exploit this vulnerability by using directory
traversal techniques when executing a vulnerable command. A successful
exploit could allow the attacker to overwrite or read arbitrary files on an
affected device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-cli-path
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco Enterprise
NFVIS devices that are running software releases earlier than Release
3.10.1.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
At the time of publication, Cisco Enterprise NFVIS releases 3.10.1 and
later contained the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-cli-path
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-07 |
+---------+--------------------------+---------+--------+-----------------+
- ---
Cisco Enterprise NFV Infrastructure Software VNC Authentication Bypass
Vulnerability
Priority: High
Advisory ID: cisco-sa-20190807-nfvis-vnc-authbypass
First Published: 2019 August 7 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvm75496CSCvp00281
CVE-2019-1895
CWE-306
CVSS Score:
9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the Virtual Network Computing (VNC) console
implementation of Cisco Enterprise NFV Infrastructure Software (NFVIS)
could allow an unauthenticated, remote attacker to access the VNC console
session of an administrative user on an affected device.
The vulnerability is due to an insufficient authentication mechanism used
to establish a VNC session. An attacker could exploit this vulnerability by
intercepting an administrator VNC session request prior to login. A
successful exploit could allow the attacker to watch the administrator
console session or interact with it, allowing admin access to the affected
device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfvis-vnc-authbypass
Affected Products
o Vulnerable Products
This vulnerability affects Cisco Enterprise NFV Infrastructure Software
(NFVIS) releases earlier than 3.12.1.
Determining the Cisco Enterprise NFVIS Release
To determine which Cisco Enterprise NFVIS release is running on a device,
administrators can use the show version command in the CLI. The following
example shows the output of this command for a device that is running Cisco
Enterprise NFVIS Release 3.11.2:
nfvis# show version
Cisco NFV Infrastructure Software
Version 3.11.2-FC2
.
.
.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco fixed this vulnerability in Cisco Enterprise NFVIS releases 3.12.1
and later.
Customers can download Cisco Enterprise NFVIS from the Software Center on
Cisco.com by doing the following:
1. Click Browse all .
2. Choose Routers > Network Functions Virtualization > Enterprise NFV
Infrastructure Software > NFV Infrastructure Software .
3. Access releases by using the left pane of the Enterprise NFV
Infrastructure Software page.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190807-nfvis-vnc-authbypass
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-07 |
+---------+--------------------------+---------+--------+-----------------+
- ---
Cisco Enterprise NFV Infrastructure Software Privilege Escalation Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20190807-nfv-privescal
First Published: 2019 August 7 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvn12412
CVE-2019-1972
CWE-264
CVSS Score:
6.7 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability the Cisco Enterprise NFV Infrastructure Software (NFVIS)
restricted CLI could allow an authenticated, local attacker with valid
administrator-level credentials to elevate privileges and execute arbitrary
commands on the underlying operating system as root .
The vulnerability is due to insufficient restrictions during the execution
of an affected CLI command. An attacker could exploit this vulnerability by
leveraging the insufficient restrictions during the execution of an
affected command. A successful exploit could allow the attacker to elevate
privileges and execute arbitrary commands on the underlying operating
system as root .
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-privescal
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco Enterprise
NFVIS releases 3.6.3 through 3.10.3.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
At the time of publication, Cisco Enterprise NFVIS releases 3.11.1 and
later contained the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-privescal
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-07 |
+---------+--------------------------+---------+--------+-----------------+
- ---
Cisco Enterprise NFV Infrastructure Software Web-Based Management Interface
Authentication Bypass Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20190807-nfvis-authbypass
First Published: 2019 August 7 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvm76618
CVE-2019-1946
CWE-287
CVSS Score:
6.5 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:X/RL:X/RC:X
Summary
o A vulnerability in the web-based management interface of Cisco Enterprise
NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote
attacker to bypass authentication and get limited access to the web-based
management interface.
The vulnerability is due to an incorrect implementation of authentication
in the web-based management interface. An attacker could exploit this
vulnerability by sending a crafted authentication request to the web-based
management interface on an affected system. A successful exploit could
allow the attacker to view limited configuration details and potentially
upload a virtual machine image.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfvis-authbypass
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco Enterprise
NFVIS releases earlier than Release 3.10.1.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
At the time of publication, Cisco Enterprise NFVIS releases 3.10.1 and
later contained the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfvis-authbypass
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-07 |
+---------+--------------------------+---------+--------+-----------------+
- ---
Cisco Enterprise NFV Infrastructure Software Arbitrary File Read
Vulnerabilities
Priority: Medium
Advisory ID: cisco-sa-20190807-nfv-read
First Published: 2019 August 7 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvm76669CSCvn12428
CVE-2019-1959
CVE-2019-1960
CWE-20
CVSS Score:
4.4 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X
Summary
o Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software
(NFVIS) could allow an authenticated, local attacker to read arbitrary
files on the underlying operating system (OS) of an affected device.
For more information about these vulnerabilities, see the Details section
of this advisory.
Cisco has released software updates that address these vulnerabilities.
There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-read
Affected Products
o Vulnerable Products
At the time of publication, these vulnerabilities affected Cisco Enterprise
NFVIS releases earlier than Release 3.11.1.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by these vulnerabilities.
Details
o Two vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS)
could allow an authenticated, local attacker to read arbitrary files on the
underlying operating system (OS) of an affected device.
The vulnerabilities are not dependent on one another; exploitation of one
of the vulnerabilities is not required to exploit the other vulnerability.
In addition, a software release that is affected by one of the
vulnerabilities may not be affected by the other vulnerability.
Details about the vulnerabilities are as follows.
Cisco Enterprise NFV Infrastructure Software Arbitrary File Read
Vulnerability
A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS)
could allow an authenticated, local attacker to read arbitrary files on the
underlying operating system (OS) of an affected device.
The vulnerability is due to the improper input validation of arguments used
with a vulnerable CLI command. An attacker could exploit this vulnerability
by using a crafted argument during the execution of an affected command. A
successful exploit could allow the attacker to read arbitrary files on the
underlying OS.
The CVE ID for this vulnerability is: CVE-2019-1959
The bug ID for this vulnerability is: CSCvn12428
Cisco Enterprise NFV Infrastructure Software Arbitrary File Read
Vulnerability
A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS)
could allow an authenticated, local attacker to read arbitrary files on the
underlying operating system (OS) of an affected device.
The vulnerability is due to the improper input validation of arguments used
with a vulnerable CLI command. An attacker could exploit this vulnerability
by using a crafted argument during the execution of an affected command. A
successful exploit could allow the attacker to read arbitrary files on the
underlying OS.
The CVE ID for this vulnerability is: CVE-2019-1960
The bug ID for this vulnerability is: CSCvm76669
Workarounds
o There are no workarounds that address these vulnerabilities.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
At the time of publication, Cisco Enterprise NFVIS releases 3.11.1 and
later contained the fixed for these vulnerabilities.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerabilities that are
described in this advisory.
Source
o These vulnerabilities were found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-read
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-07 |
+---------+--------------------------+---------+--------+-----------------+
- ---
Cisco Enterprise NFV Infrastructure Software Command Injection Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20190807-nfv-commandinj
First Published: 2019 August 7 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvm76628
CVE-2019-1971
CWE-78
CVSS Score:
8.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the web portal of Cisco Enterprise NFV Infrastructure
Software (NFVIS) could allow an unauthenticated, remote attacker to perform
a command injection attack and execute arbitrary commands with root
privileges.
The vulnerability is due to insufficient input validation by the web portal
framework. An attacker could exploit this vulnerability by providing
malicious input during web portal authentication. A successful exploit
could allow the attacker to execute arbitrary commands with root privileges
on the underlying operating system.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-commandinj
Affected Products
o Vulnerable Products
At the time of publication, this vulnerability affected Cisco Enterprise
NFVIS releases 3.6.2 through 3.8.1.
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
See the Details section in the bug ID(s) at the top of this advisory for
the most complete and current information.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfv-commandinj
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-07 |
+---------+--------------------------+---------+--------+-----------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXUtvBGaOgq3Tt24GAQhltg/+KHDQbEijLaJpxDPYXQbHZOrK0Prbb7ql
UZKBXhw3P5r+IN425nIt/+uYj9z+QDxcruX79DLEQPbu7kAa6hZKqsOQX07pb4jv
xvTxyoOaIFQlGPUv1vCzpwVDF0Rhw8UiPdG4Bka42dQgv6fMxLmYVHPqcfVGX/RU
V208QBdCjs3ny/CHxnlR6TozhG+VzW49gQYWhZI6iiQzoCBapLwI0zSnMoaHGKpN
LPxeElx5IO/9Jzhsb+NlBmu77pizhIMFJEZQF5aAo0j1SlxVf3Is+LFzAoS7eSCC
cbjnVMwgoUR5MlxIavnduFudHzRLE2I7BmyXuvsu5A4vC2uQLdIIiQuShkqunmzn
tHvjJjbKUrcX0gWq1oNadEOE5XcW7bjSiNPgsg5RTzGgc7rPG7KZBKJ4qz/UIIhc
7mhf3CHHzuHs2D01rOiNv3o/z/dZlKxwkJcHbXm02el5npHkDQhwC0Ce+R7HScWZ
MatI9Dq/M0XAvGKmodhy5wcHQPv0sbN3Ft+bIWJGT8bDBNLbckBGMK4fIb4NIvNO
sN2lJBM7wYw8Iiz3TeFTU78IZwVXIJGYjpu82sy7GDfrqKyxEX+g0QNcOFcUQ0Ey
v9BQYbstXjKXfv4N4zdKuYQG1plxgJnvGDhK6nhdKfIzWHAiEi1zyg9W95gaoA5s
hl/Jbdrlr20=
=h2G7
-----END PGP SIGNATURE-----