Information disclosure in Cisco Network Convergence System 1000 Series



Published: 2019-02-22
Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2019-1681
CWE-ID: CWE-22
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Cisco Network Convergence System 1000 Series (Hardware solutions / Firmware)
Vendor: Cisco Systems, Inc

Security Bulletin

This security bulletin contains one low-risk vulnerability.

1) Path traversal

EUVDB-ID: #VU17845

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1681

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists in the TFTP service due to an input validation error when processing directory traversal sequences. A remote attacker can use directory traversal techniques in malicious requests sent to the TFTP service to retrieve arbitrary files from the targeted device.
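
The following Python example is added here for illustration; it is not Cisco's code and is not taken from the vendor advisory. It shows the server-side check that CWE-22 refers to: the filename in a TFTP read request is resolved and confined to the service root before any file is opened. The root /tftpboot, the function names and the sample requests are assumptions constructed for this example.

```python
import os
import struct

TFTP_ROOT = "/tftpboot"  # assumed service root (not from the advisory)
OP_RRQ = 1               # read-request opcode, RFC 1350


def parse_rrq(packet: bytes) -> str:
    """Extract the requested filename from a TFTP read request."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != OP_RRQ:
        raise ValueError("not a TFTP read request")
    fields = packet[2:].split(b"\x00")  # filename NUL mode NUL [options]
    if len(fields) < 3 or not fields[0]:
        raise ValueError("malformed read request")
    return fields[0].decode("ascii")


def resolve(filename: str, root: str = TFTP_ROOT) -> str:
    """Map a requested name to a path inside root, else raise PermissionError."""
    # Backslashes count as separators; a leading slash is taken relative to root.
    rel = filename.replace("\\", "/").lstrip("/")
    root_real = os.path.realpath(root)
    # realpath collapses ".." and follows symlinks before the containment check.
    candidate = os.path.realpath(os.path.join(root_real, rel))
    inside = os.path.commonpath([root_real, candidate]) == root_real
    if not inside or candidate == root_real:
        raise PermissionError(f"request escapes TFTP root: {filename!r}")
    return candidate


def decide(packet: bytes, root: str = TFTP_ROOT) -> str:
    """Return 'serve' or 'deny' for one request packet."""
    try:
        resolve(parse_rrq(packet), root)
        return "serve"
    except (ValueError, PermissionError):
        return "deny"


def make_rrq(name: str) -> bytes:
    """Build a constructed sample read request in octet mode."""
    return struct.pack("!H", OP_RRQ) + name.encode("ascii") + b"\x00octet\x00"


if __name__ == "__main__":
    for name in ["configs/router.cfg", "../../secret.cfg", "a/../../../x"]:
        print(name, "->", decide(make_rrq(name)))
```

The containment test compares whole path components, so a sibling directory whose name merely starts with the root's name is also rejected.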

Mitigation

Update to version 7.0.1.19, 6.6.11.12, 6.6.1.19, 6.5.2.10 or 6.5.2.9.

Vulnerable software versions

Cisco Network Convergence System 1000 Series: 6.5.1

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-ncs


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


