XXE attack in Cisco IoT Field Network Director



Published: 2019-02-22
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-1698
CWE-ID CWE-611
Exploitation vector Network
Public exploit N/A
Vulnerable software
Cisco IoT Field Network Director
Web applications / Remote management & hosting panels

Vendor Cisco Systems, Inc

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) XXE attack

EUVDB-ID: #VU17843

Risk: Low

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1698

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

Description

The vulnerability allows a remote, high-privileged attacker to conduct an XXE attack.

The vulnerability exists in the web-based user interface due to improper handling of XML external entities when the application parses an imported XML file. A remote, authenticated attacker with high privileges can import a specially crafted XML file that declares malicious external entities; when the parser resolves them, the attacker can read files within the affected application.
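The following is an added example that is not Cisco's code and assumes nothing about how IoT-FND parses import files; it shows the general CWE-611 pattern the description refers to, using Python's stdlib xml.sax parser with external entity resolution switched on (the vulnerable configuration) beside an importer that rejects DTDs and keeps resolution off. The secret file, the element names and the crafted import document are all constructed for the demonstration.

```python
"""CWE-611 (XXE) on an XML import endpoint: vulnerable vs hardened parser.

Added example, not vendor code. The ``devices``/``device``/``name`` element
names, the temp file standing in for a server-side secret and the crafted
import document are constructed here for illustration only.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.xmlreader import InputSource


class _TextCollector(handler.ContentHandler):
    """Collects the character data of every element, in document order."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def _parse(xml_bytes, resolve_external_entities):
    """Parse the document and return its concatenated text content.

    resolve_external_entities=True reproduces the vulnerable setup: every
    SYSTEM entity is fetched (local file or URL) and spliced into the
    document. Python >= 3.7.1 defaults this feature to False; older Python
    and many other XML stacks default to True, which is the CWE-611 condition.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    source = InputSource()
    source.setByteStream(io.BytesIO(xml_bytes))
    parser.parse(source)
    return collector.text()


def import_vulnerable(xml_bytes):
    """Intentionally vulnerable importer: external entities are resolved."""
    return _parse(xml_bytes, resolve_external_entities=True)


def import_hardened(xml_bytes):
    """Hardened importer: refuse any DTD/entity declaration up front, and
    parse with external entity resolution disabled as defence in depth."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not allowed in imports")
    return _parse(xml_bytes, resolve_external_entities=False)


def crafted_import(path):
    """Attacker's import file: a SYSTEM entity pointing at a local file,
    referenced from an element whose text the importer will read back."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE devices [<!ENTITY xxe SYSTEM "file://' + path.encode() + b'">]>\n'
        b'<devices><device><name>&xxe;</name></device></devices>\n'
    )


def demo():
    """Run both importers against a crafted file that targets a temp file
    standing in for a secret on the server (constructed sample data).
    Returns (text leaked by the vulnerable importer, hardened importer's error)."""
    secret = "db.password=hunter2\n"
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as f:
        f.write(secret)
        secret_path = f.name
    try:
        payload = crafted_import(secret_path)
        leaked = import_vulnerable(payload)  # file contents land in <name>
        try:
            import_hardened(payload)
            blocked = None
        except ValueError as e:
            blocked = str(e)
        return leaked, blocked
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked_text, blocked_msg = demo()
    print("vulnerable importer read:", repr(leaked_text))
    print("hardened importer:", blocked_msg)
```

The up-front DOCTYPE check matters in practice: relying on a parser feature alone leaves the door open if a later refactor swaps parsers or a library default changes, while an import format that legitimately needs no DTD can simply reject one.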

Mitigation

Update to version 4.4(0.26).

Vulnerable software versions

Cisco IoT Field Network Director: 4.2.1.2

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-iot-fnd-xml


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
