CVE-2019-1966 — HIGH (7.8) — White Hats Nepal

Q: How severe is CVE-2019-1966?

CVE-2019-1966 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-1966?

Check the references section above for vendor advisories and patch information. Affected products include: Cisco Nx-Os, Cisco Ucs 6248 Up Fabric Interconnect, Cisco Ucs 6296 Up Fabric Interconnect, Cisco Ucs 6324 Fabric Interconnect, Cisco Ucs 6332-16Up Fabric Interconnect.

Vulnerability Description

A vulnerability in a specific CLI command within the local management (local-mgmt) context for Cisco UCS Fabric Interconnect Software could allow an authenticated, local attacker to gain elevated privileges as the root user on an affected device. The vulnerability is due to extraneous subcommand options present for a specific CLI command within the local-mgmt context. An attacker could exploit this vulnerability by authenticating to an affected device, entering the local-mgmt context, and issuing a specific CLI command and submitting user input. A successful exploit could allow the attacker to execute arbitrary operating system commands as root on an affected device. The attacker would need to have valid user credentials for the device.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Cisco	Nx-Os	<= 3.2
Cisco	Ucs 6248 Up Fabric Interconnect	-
Cisco	Ucs 6296 Up Fabric Interconnect	-
Cisco	Ucs 6324 Fabric Interconnect	-
Cisco	Ucs 6332-16Up Fabric Interconnect	-
Cisco	Ucs 6332 Fabric Interconnect	-
Cisco	Ucs 6454 Fabric Interconnect	-
Cisco	Unified Computing System	3.2\(3b\)a

Related Weaknesses (CWE)

CWE-264

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-2Vendor Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-2Vendor Advisory

FAQ

What is CVE-2019-1966?

CVE-2019-1966 is a vulnerability with a CVSS score of 7.8 (HIGH). A vulnerability in a specific CLI command within the local management (local-mgmt) context for Cisco UCS Fabric Interconnect Software could allow an authenticated, local attacker to gain elevated priv...

How severe is CVE-2019-1966?

CVE-2019-1966 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-1966?

Check the references section above for vendor advisories and patch information. Affected products include: Cisco Nx-Os, Cisco Ucs 6248 Up Fabric Interconnect, Cisco Ucs 6296 Up Fabric Interconnect, Cisco Ucs 6324 Fabric Interconnect, Cisco Ucs 6332-16Up Fabric Interconnect.