#VU20483 Permissions, Privileges, and Access Controls in Cisco NX-OS - CVE-2019-1969

 


Published: August 30, 2019


Vulnerability identifier: #VU20483
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-1969
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Cisco NX-OS
Software vendor: Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to perform SNMP polling of an affected device.

The vulnerability exists in the implementation of the Simple Network Management Protocol (SNMP) Access Control List (ACL) feature due to an incorrect length check when the configured ACL name is the maximum length, which is 32 ASCII characters. A remote attacker can perform SNMP polling of an affected device that should have been denied. The attacker has no control of the configuration of the SNMP ACL name.

This vulnerability affected the following products if they are running Cisco NX-OS Software with a specific SNMP ACL configured:
  • Nexus 3000 Series Switches
  • Nexus 3500 Platform Switches
  • Nexus 3600 Platform Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode
  • Nexus 9500 R-Series Switching Platform
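
To find devices whose configuration matches the condition described above, the saved running configuration can be audited for SNMP ACL references whose name is 32 characters long. The script below is an added example, not vendor code; the `snmp-server ... use-acl / use-ipv4acl / use-ipv6acl` line syntax it matches is an assumption about the NX-OS configuration format, and the sample configuration is constructed.

```python
import re

MAX_ACL_NAME_LEN = 32  # maximum ACL name length stated in the advisory

# Assumed NX-OS syntax (not taken from the advisory):
#   snmp-server community <name> use-ipv4acl <acl> [use-ipv6acl <acl>]
#   snmp-server user <name> use-ipv4acl <acl> [use-ipv6acl <acl>]
LINE_RE = re.compile(r"^\s*snmp-server\s+(community|user)\s+(\S+)\s+(.*)$")
ACL_RE = re.compile(r"\buse-(acl|ipv4acl|ipv6acl)\s+(\S+)")


def find_max_length_snmp_acls(config_text):
    """Return SNMP ACL references whose ACL name is at the maximum length.

    The community string or user name is deliberately left out of the
    findings so the report does not leak SNMP credentials.
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = LINE_RE.match(line)
        if not match:
            continue
        kind, _name, rest = match.groups()
        for keyword, acl in ACL_RE.findall(rest):
            if len(acl) >= MAX_ACL_NAME_LEN:
                findings.append({"line": lineno, "kind": kind,
                                 "keyword": "use-" + keyword,
                                 "acl": acl, "length": len(acl)})
    return findings


# Constructed sample configuration (names and ACLs are made up).
SAMPLE_CONFIG = """\
snmp-server community EXAMPLE-RO group network-operator
snmp-server community EXAMPLE-RO use-ipv4acl MGMT-SNMP-POLLERS
snmp-server community EXAMPLE-RW use-ipv4acl ACL-SNMP-ALLOW-NMS-STATIONS-0001
snmp-server user monitor use-ipv4acl SHORT-ACL use-ipv6acl ACL-SNMP-ALLOW-NMS-STATIONS-V6-1
"""

if __name__ == "__main__":
    for f in find_max_length_snmp_acls(SAMPLE_CONFIG):
        print("line {line}: {kind} {keyword} {acl} ({length} chars)".format(**f))
```

Devices that produce findings are the ones to prioritise for the vendor update.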

Remediation

Install updates from the vendor's website.
