Main Vulnerability Database Vulnerabilities #VU20380

OS Command Injection in Cisco Integrated Management Controller - CVE-2019-1885

Published: August 23, 2019

Vulnerability identifier: #VU20380

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-1885

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Cisco Systems, Inc

Affected software:
Cisco Integrated Management Controller

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of user-supplied input in the Redfish protocol. A remote authenticated attacker can send a specially crafted commands to the web-based management interface and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

This vulnerability affects the following Cisco products that are running Cisco IMC Software:

UCS C-Series and S-Series Servers in standalone mode

How to mitigate CVE-2019-1885

Install updates from vendor's website.

Sources

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-ucs-cimc

OS Command Injection in Cisco Integrated Management Controller - CVE-2019-1885

Detailed vulnerability description

How to mitigate CVE-2019-1885

Sources

Please verify you're human