First published: Fri Mar 08 2019(Updated: )
A vulnerability in the user account management interface of Cisco NX-OS Software could allow an authenticated, local attacker to gain elevated privileges on an affected device. The vulnerability is due to an incorrect authorization check of user accounts and their associated Group ID (GID). An attacker could exploit this vulnerability by taking advantage of a logic error that will permit the use of higher privileged commands than what is necessarily assigned. A successful exploit could allow an attacker to execute commands with elevated privileges on the underlying Linux shell of an affected device. Nexus 7000 and 7700 Series Switches are affected in versions prior to 6.2(22), 8.2(3), and 8.3(2). Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3500 Platform Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3600 Platform Switches are affected in versions prior to 7.0(3)F3(5). Nexus 9000 Series Switches-Standalone are affected in versions prior to 7.0(3)I7(4). Nexus 9500 R-Series Line Cards and Fabric Modules are affected in versions prior to 7.0(3)F3(5).
Credit: ykramarz@cisco.com ykramarz@cisco.com
Affected Software | Affected Version | How to fix |
---|---|---|
Cisco Nx-os | <7.0\(3\)i7\(4\) | |
Cisco Nexus 3000 | ||
Cisco Nexus 3500 | ||
Cisco Nexus 9000 | ||
Cisco Nx-os | <7.0\(3\)f3\(5\) | |
Cisco Nexus 3600 | ||
Cisco Nexus 9500 | ||
Cisco Nx-os | >8.2\(3\)<8.3\(2\) | |
Cisco Nexus 7000 | ||
Cisco Nexus 7700 | ||
Cisco Nx-os | >6.22\(22\)<8.2\(3\) | |
Cisco Nx-os | <6.2\(22\) | |
All of | ||
Cisco Nx-os | <7.0\(3\)i7\(4\) | |
Any of | ||
Cisco Nexus 3000 | ||
Cisco Nexus 3500 | ||
Cisco Nexus 9000 | ||
All of | ||
Cisco Nx-os | <7.0\(3\)f3\(5\) | |
Any of | ||
Cisco Nexus 3600 | ||
Cisco Nexus 9500 | ||
All of | ||
Cisco Nx-os | >8.2\(3\)<8.3\(2\) | |
Any of | ||
Cisco Nexus 7000 | ||
Cisco Nexus 7700 | ||
All of | ||
Cisco Nx-os | >6.22\(22\)<8.2\(3\) | |
Any of | ||
Cisco Nexus 7000 | ||
Cisco Nexus 7700 | ||
All of | ||
Cisco Nx-os | <6.2\(22\) | |
Any of | ||
Cisco Nexus 7000 | ||
Cisco Nexus 7700 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2019-1604 is a vulnerability in the user account management interface of Cisco NX-OS Software that allows an attacker to gain elevated privileges on an affected device.
CVE-2019-1604 affects Cisco NX-OS Software by allowing an authenticated, local attacker to gain elevated privileges on an affected device.
The severity level of CVE-2019-1604 is high, with a score of 7.8.
Cisco NX-OS Software versions up to and including 7.0(3)i7(4) and 7.0(3)f3(5) are affected by CVE-2019-1604.
To fix CVE-2019-1604, users should upgrade to a version of Cisco NX-OS Software that is not vulnerable.