CVE-2019-1966: Cisco Unified Computing System Fabric Interconnect root Privilege Escalation Vulnerability
First published: Thu Aug 29 2019(Updated: )
A vulnerability in a specific CLI command within the local management (local-mgmt) context for Cisco UCS Fabric Interconnect Software could allow an authenticated, local attacker to gain elevated privileges as the root user on an affected device. The vulnerability is due to extraneous subcommand options present for a specific CLI command within the local-mgmt context. An attacker could exploit this vulnerability by authenticating to an affected device, entering the local-mgmt context, and issuing a specific CLI command and submitting user input. A successful exploit could allow the attacker to execute arbitrary operating system commands as root on an affected device. The attacker would need to have valid user credentials for the device.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco Nx-os | <=3.2 | |
| Cisco Nx-os | =4.0 | |
| Cisco Ucs 6248 Up Fabric Interconnect | ||
| Cisco Ucs 6296 Up Fabric Interconnect | ||
| Cisco Ucs 6324 Fabric Interconnect | ||
| Cisco Ucs 6332-16up Fabric Interconnect | ||
| Cisco Ucs 6332 Fabric Interconnect | ||
| Cisco Ucs 6454 Fabric Interconnect | ||
| Cisco Unified Computing System | =3.2\(3b\)a | |
| Cisco Unified Computing System | =4.0\(1a\)a |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this Cisco vulnerability?
The vulnerability ID is CVE-2019-1966.
What is the severity of CVE-2019-1966?
The severity of CVE-2019-1966 is high, with a severity value of 7.8.
How does CVE-2019-1966 affect Cisco UCS Fabric Interconnect Software?
CVE-2019-1966 allows an authenticated, local attacker to gain elevated privileges as the root user on an affected device running Cisco UCS Fabric Interconnect Software.
What is the affected software for CVE-2019-1966?
The affected software includes Cisco Nx-os versions up to and including 3.2, as well as Cisco Nx-os version 4.0.
How can I fix CVE-2019-1966?
To fix CVE-2019-1966, it is recommended to upgrade to a fixed software release as described in the vendor advisory.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/weakness
- agent/title
- agent/last-modified-date
- agent/author
- agent/first-publish-date
- agent/tags
- agent/description
- agent/event
- vendor/cisco
- canonical/cisco nx-os
- version/cisco nx-os/3.2
- version/cisco nx-os/4.0
- canonical/cisco ucs 6248 up fabric interconnect
- canonical/cisco ucs 6296 up fabric interconnect
- canonical/cisco ucs 6324 fabric interconnect
- canonical/cisco ucs 6332-16up fabric interconnect
- canonical/cisco ucs 6332 fabric interconnect
- canonical/cisco ucs 6454 fabric interconnect
- canonical/cisco unified computing system
- version/cisco unified computing system/3.2\(3b\)a
- version/cisco unified computing system/4.0\(1a\)a