Main Vulnerability Database Vulnerabilities #VU20001

#VU20001 Missing Authentication for Critical Function in Enterprise NFV Infrastructure Software - CVE-2019-1895

Published: August 8, 2019

Vulnerability identifier: #VU20001

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2019-1895

CWE-ID: CWE-306

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Enterprise NFV Infrastructure Software

Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to access the Virtual Network Computing (VNC) console session of an administrative user on an affected device.

The vulnerability exists due to an insufficient authentication mechanism used to establish a VNC session. A remote attacker can intercept an administrator VNC session request prior to login, watch the administrator console session or interact with it and gain admin access to the affected device.

Remediation

Install updates from vendor's website.

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-nfvis-vnc-authbypass