Missing Authentication for Critical Function in Enterprise NFV Infrastructure Software

Published: 2019-08-07 | Updated: 2019-08-08

Risk	High
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2019-1895
CWE-ID	CWE-306
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Enterprise NFV Infrastructure Software Server applications / Virtualization software
Vendor	Cisco Systems, Inc

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Missing Authentication for Critical Function

EUVDB-ID: #VU20001

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-1895

CWE-ID: CWE-306 - Missing Authentication for Critical Function

Exploit availability: No

Description

The vulnerability allows a remote attacker to access the Virtual Network Computing (VNC) console session of an administrative user on an affected device.

The vulnerability exists due to an insufficient authentication mechanism used to establish a VNC session. A remote attacker can intercept an administrator VNC session request prior to login, watch the administrator console session or interact with it and gain admin access to the affected device.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Enterprise NFV Infrastructure Software: All versions

CPE2.3

cpe:2.3:a:cisco_systems:enterprise_nfv_infrastructure_software:*:*:*:*:*:*:*:*

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfvis-vnc-authbypass

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.