Main Vulnerability Database SB2019080754

SB2019080754 - Missing Authentication for Critical Function in Enterprise NFV Infrastructure Software

Published: August 7, 2019 Updated: August 8, 2019

Security Bulletin ID SB2019080754

CSH Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Missing Authentication for Critical Function (CVE-ID: CVE-2019-1895)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to access the Virtual Network Computing (VNC) console session of an administrative user on an affected device.

The vulnerability exists due to an insufficient authentication mechanism used to establish a VNC session. A remote attacker can intercept an administrator VNC session request prior to login, watch the administrator console session or interact with it and gain admin access to the affected device.

Remediation

Install update from vendor's website.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfvis-vnc-authbypass