CVE-2019-1648

A vulnerability in the user group configuration of the Cisco SD-WAN Solution could allow an authenticated, local attacker to gain elevated privileges on an affected device. The vulnerability is due to a failure to properly validate certain parameters included within the group configuration. An attacker could exploit this vulnerability by writing a crafted file to the directory where the user group configuration is located in the underlying operating system. A successful exploit could allow the attacker to gain root-level privileges and take full control of the device.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:cisco:vedge_100_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:cisco:vedge_100:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:cisco:vedge_1000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:cisco:vedge_1000:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:cisco:vedge_2000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:cisco:vedge_2000:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:cisco:vedge_5000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:cisco:vedge_5000:-:*:*:*:*:*:*:*

Configuration 5 (hide)

OR cpe:2.3:a:cisco:sd-wan:*:*:*:*:*:*:*:*
cpe:2.3:a:cisco:vbond_orchestrator:-:*:*:*:*:*:*:*
cpe:2.3:a:cisco:vmanage_network_management:-:*:*:*:*:*:*:*
cpe:2.3:a:cisco:vsmart_controller:-:*:*:*:*:*:*:*

History

21 Nov 2024, 04:37

Type Values Removed Values Added
References () http://www.securityfocus.com/bid/106719 - Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/106719 - Third Party Advisory, VDB Entry
References () https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-sol-escal - Vendor Advisory () https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-sol-escal - Vendor Advisory

Information

Published : 2019-01-24 15:29

Updated : 2024-11-21 04:37


NVD link : CVE-2019-1648

Mitre link : CVE-2019-1648

CVE.ORG link : CVE-2019-1648


JSON object : View

Products Affected

cisco

  • vedge_2000
  • vedge_2000_firmware
  • vedge_1000_firmware
  • vedge_5000_firmware
  • vmanage_network_management
  • vedge_5000
  • sd-wan
  • vedge_1000
  • vedge_100
  • vbond_orchestrator
  • vsmart_controller
  • vedge_100_firmware
CWE
CWE-264

Permissions, Privileges, and Access Controls

CWE-20

Improper Input Validation