Multiple vulnerabilities in Enterprise NFV Infrastructure Software

Published: 2019-08-26

Risk	Low
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2019-1984 CVE-2019-12623
CWE-ID	CWE-20 CWE-538
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Enterprise NFV Infrastructure Software Server applications / Virtualization software
Vendor	Cisco Systems, Inc

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU20383

Risk: Low

CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-1984

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to overwrite files on the underlying operating system (OS) of an affected device.

The vulnerability exists due to improper input validation in an NFVIS file-system command. A remote authenticated administrator can use specially crafted variables during the execution of an affected command and overwrite arbitrary files on the underlying OS.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Enterprise NFV Infrastructure Software: All versions

CPE2.3

cpe:2.3:a:cisco_systems:enterprise_nfv_infrastructure_software:*:*:*:*:*:*:*:*

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-nfv-filewrite

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) File and Directory Information Exposure

EUVDB-ID: #VU20389

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-12623

CWE-ID: CWE-538 - File And Directory Information Exposure