CVE-2019-1839
Current Description
A vulnerability in Cisco Remote PHY Device Software could allow an authenticated, local attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying various CLI commands with crafted arguments. A successful exploit could allow the attacker to run arbitrary commands as the root user, allowing complete compromise of the system.
Basic Data
| Published | August 21, 2019 |
|---|
| Last Modified | October 09, 2019 |
|---|
| Assigner | cve@mitre.org |
|---|
| Data Type | CVE |
|---|
| Data Format | MITRE |
|---|
| Data Version | 4.0 |
|---|
| Problem Type | CWE-20 |
|---|
| CVE Data Version | 4.0 |
|---|
Base Metric V2
| CVSS 2 - Version | 2.0 |
|---|
| CVSS 2 - Vector String | AV:L/AC:L/Au:N/C:C/I:C/A:C |
|---|
| CVSS 2 - Access Vector | LOCAL |
|---|
| CVSS 2 - Access Complexity | LOW |
|---|
| CVSS 2 - Authentication | NONE |
|---|
| CVSS 2 - Confidentiality Impact | COMPLETE |
|---|
| CVSS 2 - Availability Impact | COMPLETE |
|---|
| CVSS 2 - Base Score | 7.2 |
|---|
| Severity | HIGH |
|---|
| Exploitability Score | 3.9 |
|---|
| Impact Score | 10.0 |
|---|
| Obtain All Privilege | false |
|---|
| Obtain User Privilege | false |
|---|
| Obtain Other Privilege | false |
|---|
Base Metric V3
| CVSS 3 - Version | 3.0 |
|---|
| CVSS 3 - Vector String | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
|---|
| CVSS 3 - Attack Vector | LOCAL |
|---|
| CVSS 3 - Attack Complexity | LOW |
|---|
| CVSS 3 - Privileges Required | HIGH |
|---|
| CVSS 3 - User Interaction | NONE |
|---|
| CVSS 3 - Scope | UNCHANGED |
|---|
| CVSS 3 - Confidentiality Impact | HIGH |
|---|
| CVSS 3 - Integrity Impact | HIGH |
|---|
| CVSS 3 - Availability Impact | HIGH |
|---|
| CVSS 3 - Base Score | 6.7 |
|---|
| CVSS 3 - Base Severity | MEDIUM |
|---|
| Exploitability Score | 0.8 |
|---|
| Base Severity | MEDIUM |
|---|
Configurations
-
AND
-
OR - Configuration 1
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | OS | Cisco | Remote Phy 120 Firmware | * | * | * | * | * | * | * | * | � | � | � | 6.4 |
-
OR Running on/with:
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Hardware | Cisco | Remote Phy 120 | - | * | * | * | * | * | * | * | � | � | � | � |
-
AND
-
OR - Configuration 2
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | OS | Cisco | Remote Phy 220 Firmware | * | * | * | * | * | * | * | * | � | � | � | 3.1 |
-
OR Running on/with:
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Hardware | Cisco | Remote Phy 220 | - | * | * | * | * | * | * | * | � | � | � | � |
-
AND
-
OR - Configuration 3
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | OS | Cisco | Remote Phy Shelf 7200 Firmware | * | * | * | * | * | * | * | * | � | � | � | 1.2 |
-
OR Running on/with:
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Hardware | Cisco | Remote Phy Shelf 7200 | - | * | * | * | * | * | * | * | � | � | � | � |
-
AND
-
OR - Configuration 4
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | OS | Cisco | Cbr-8 Firmware | 1.1 | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | OS | Cisco | Cbr-8 Firmware | 6.1 | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | OS | Cisco | Cbr-8 Firmware | 6.2 | * | * | * | * | * | * | * | � | � | � | � |
-
OR Running on/with:
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Hardware | Cisco | Cbr-8 | - | * | * | * | * | * | * | * | � | � | � | � |
Vulnerable Software List
References
| Name | Source | URL | Tags |
|---|
| 20190821 Cisco Remote PHY Device Software Command Injection Vulnerability | https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-rphy | CISCO | Vendor Advisory |
Follow @discotekdotca