CVE-2019-1863
Current Description
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated, remote attacker to make unauthorized changes to the system configuration. The vulnerability is due to insufficient authorization enforcement. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected software. A successful exploit could allow a user with read-only privileges to change critical system configurations using administrator privileges.
Basic Data
| Published | August 21, 2019 |
|---|
| Last Modified | October 09, 2019 |
|---|
| Assigner | cve@mitre.org |
|---|
| Data Type | CVE |
|---|
| Data Format | MITRE |
|---|
| Data Version | 4.0 |
|---|
| Problem Type | CWE-285 |
|---|
| CVE Data Version | 4.0 |
|---|
Base Metric V2
| CVSS 2 - Version | 2.0 |
|---|
| CVSS 2 - Vector String | AV:N/AC:L/Au:S/C:C/I:C/A:C |
|---|
| CVSS 2 - Access Vector | NETWORK |
|---|
| CVSS 2 - Access Complexity | LOW |
|---|
| CVSS 2 - Authentication | SINGLE |
|---|
| CVSS 2 - Confidentiality Impact | COMPLETE |
|---|
| CVSS 2 - Availability Impact | COMPLETE |
|---|
| CVSS 2 - Base Score | 9.0 |
|---|
| Severity | HIGH |
|---|
| Exploitability Score | 8.0 |
|---|
| Impact Score | 10.0 |
|---|
| Obtain All Privilege | false |
|---|
| Obtain User Privilege | false |
|---|
| Obtain Other Privilege | false |
|---|
Base Metric V3
| CVSS 3 - Version | 3.0 |
|---|
| CVSS 3 - Vector String | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|---|
| CVSS 3 - Attack Vector | NETWORK |
|---|
| CVSS 3 - Attack Complexity | LOW |
|---|
| CVSS 3 - Privileges Required | LOW |
|---|
| CVSS 3 - User Interaction | NONE |
|---|
| CVSS 3 - Scope | UNCHANGED |
|---|
| CVSS 3 - Confidentiality Impact | HIGH |
|---|
| CVSS 3 - Integrity Impact | HIGH |
|---|
| CVSS 3 - Availability Impact | HIGH |
|---|
| CVSS 3 - Base Score | 8.8 |
|---|
| CVSS 3 - Base Severity | HIGH |
|---|
| Exploitability Score | 2.8 |
|---|
| Base Severity | HIGH |
|---|
Configurations
-
OR - Configuration 1
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Application | Cisco | Unified Computing System | 4.0(1c)hs3 | * | * | * | * | * | * | * | � | � | � | � |
-
AND
-
OR - Configuration 2
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Application | Cisco | Integrated Management Controller Supervisor | * | * | * | * | * | * | * | * | 1.5.0.0 | � | � | 1.5(9g) |
| 2.3 | Application | Cisco | Integrated Management Controller Supervisor | * | * | * | * | * | * | * | * | 2.0.0.0 | � | � | 2.0(13o) |
| 2.3 | Application | Cisco | Integrated Management Controller Supervisor | * | * | * | * | * | * | * | * | 3.0.0.0 | � | � | 3.0(4k) |
| 2.3 | Application | Cisco | Integrated Management Controller Supervisor | * | * | * | * | * | * | * | * | 4.0.0.0 | � | � | 4.0(4b) |
-
OR Running on/with:
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Hardware | Cisco | Encs 5100 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Encs 5400 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs-e1120d-m3 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs-e140s-m2 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs-e160d-m2 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs-e160s-m3 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs-e168d-m2 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs-e180d-m3 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs C125 M5 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs C4200 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs S3260 | - | * | * | * | * | * | * | * | � | � | � | � |
-
AND
-
OR - Configuration 3
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Application | Cisco | Integrated Management Controller Supervisor | * | * | * | * | * | * | * | * | 4.0.0.0 | � | � | 4.0(1d) |
-
OR Running on/with:
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Hardware | Cisco | Encs 5100 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Encs 5400 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs-e1120d-m3 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs-e140s-m2 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs-e160d-m2 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs-e160s-m3 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs-e168d-m2 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs-e180d-m3 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs C125 M5 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs C4200 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs S3260 | - | * | * | * | * | * | * | * | � | � | � | � |
-
AND
-
OR - Configuration 4
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Application | Cisco | Integrated Management Controller Supervisor | * | * | * | * | * | * | * | * | 4.0.0.0 | � | � | 4.0(2c) |
-
OR Running on/with:
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Hardware | Cisco | Encs 5100 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Encs 5400 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs-e1120d-m3 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs-e140s-m2 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs-e160d-m2 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs-e160s-m3 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs-e168d-m2 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs-e180d-m3 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs C125 M5 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs C4200 | - | * | * | * | * | * | * | * | � | � | � | � |
| 2.3 | Hardware | Cisco | Ucs S3260 | - | * | * | * | * | * | * | * | � | � | � | � |
Vulnerable Software List
References
| Name | Source | URL | Tags |
|---|
| 20190821 Cisco Integrated Management Controller Privilege Escalation Vulnerability | https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-privileg | CISCO | Vendor Advisory |
Follow @discotekdotca