Missing Authentication for Critical Function in Enterprise NFV Infrastructure Software



Published: 2019-08-07 | Updated: 2019-08-08
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-1895
CWE-ID CWE-306
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Enterprise NFV Infrastructure Software
Server applications / Virtualization software

Vendor Cisco Systems, Inc

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Missing Authentication for Critical Function

EUVDB-ID: #VU20001

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1895

CWE-ID: CWE-306 - Missing Authentication for Critical Function

Exploit availability: No

Description

The vulnerability allows a remote attacker to access the Virtual Network Computing (VNC) console session of an administrative user on an affected device.

The vulnerability exists due to an insufficient authentication mechanism used to establish a VNC session. A remote attacker can intercept an administrator VNC session request prior to login, watch the administrator console session or interact with it and gain admin access to the affected device.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Enterprise NFV Infrastructure Software: before 3.12.1

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfvis-vnc-authbypass


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###