Multiple vulnerabilities in Enterprise NFV Infrastructure Software



Published: 2019-07-06 | Updated: 2020-08-08
Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2019-1893
CVE-2019-1894
CWE-ID CWE-77
CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Enterprise NFV Infrastructure Software
Server applications / Virtualization software

Vendor Cisco Systems, Inc

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Command Injection

EUVDB-ID: #VU35751

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1893

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a local authenticated user to execute arbitrary code.

A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) of an affected device as root. The vulnerability is due to insufficient input validation of a configuration file that is accessible to a local shell user. An attacker could exploit this vulnerability by including malicious input during the execution of this file. A successful exploit could allow the attacker to execute arbitrary commands on the underlying OS as root.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Enterprise NFV Infrastructure Software: 3.9.1

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-nfvis-commandinj


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU35752

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1894

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to execute arbitrary code.

A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker with administrator privileges to overwrite or read arbitrary files on the underlying operating system (OS) of an affected device. The vulnerability is due to improper input validation in NFVIS filesystem commands. An attacker could exploit this vulnerability by using crafted variables during the execution of an affected command. A successful exploit could allow the attacker to overwrite or read arbitrary files on the underlying OS.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Enterprise NFV Infrastructure Software: 3.9.1

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-nfvis-file-readwrite


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###