CVE-2019-1762 – Cisco IOS and IOS XE Software Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2019-1762
A vulnerability in the Secure Storage feature of Cisco IOS and IOS XE Software could allow an authenticated, local attacker to access sensitive system information on an affected device. The vulnerability is due to improper memory operations performed at encryption time, when affected software handles configuration updates. An attacker could exploit this vulnerability by retrieving the contents of specific memory locations of an affected device. A successful exploit could result in the disclosure of keying materials that are part of the device configuration, which can be used to recover critical system information. Una vulnerabilidad en la funcionalidad de almacenamiento seguro de los softwares Cisco IOS y Cisco IOS XE podría permitir que un atacante local no autenticado acceda a información sensible del sistema en un dispositivo afectado. • http://www.securityfocus.com/bid/107594 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-info • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2019-1759 – Cisco IOS XE Software Gigabit Ethernet Management Interface Access Control List Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2019-1759
A vulnerability in access control list (ACL) functionality of the Gigabit Ethernet Management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to reach the configured IP addresses on the Gigabit Ethernet Management interface. The vulnerability is due to a logic error that was introduced in the Cisco IOS XE Software 16.1.1 Release, which prevents the ACL from working when applied against the management interface. An attacker could exploit this issue by attempting to access the device via the management interface. Una vulnerabilidad en la funcionalidad de listas de control de acceso (ACL) de la interfaz Gigabit Ethernet Management del software Cisco IOS XE podría permitir que un atacante remoto no autenticado alcance las direcciones IP configuradas de la interfaz Gigabit Ethernet Management. La vulnerabilidad se debe a un error de lógica que se introdujo en la versión 16.1.1 del software Cisco IOS XE, que evita que la ACL trabaje cuando se aplica contra la interfaz de gestión. • https://github.com/r3m0t3nu11/CVE-2019-1759-csrf-js-rce http://www.securityfocus.com/bid/107660 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-mgmtacl • CWE-284: Improper Access Control CWE-287: Improper Authentication •
CVE-2019-1750 – Cisco IOS XE Software Catalyst 4500 Cisco Discovery Protocol Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2019-1750
A vulnerability in the Easy Virtual Switching System (VSS) of Cisco IOS XE Software on Catalyst 4500 Series Switches could allow an unauthenticated, adjacent attacker to cause the switches to reload. The vulnerability is due to incomplete error handling when processing Cisco Discovery Protocol (CDP) packets used with the Easy Virtual Switching System. An attacker could exploit this vulnerability by sending a specially crafted CDP packet. An exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition. Una vulnerabilidad en el VSS (Easy Virtual Switching System) del software Cisco IOS XE en los switches Catalyst 4500 Series podría permitir que un atacante adyacente no autenticado provoque la recarga de los switches. • http://www.securityfocus.com/bid/107607 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-evss • CWE-20: Improper Input Validation CWE-388: 7PK - Errors •
CVE-2019-1746 – Cisco IOS and IOS XE Software Cluster Management Protocol Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2019-1746
A vulnerability in the Cluster Management Protocol (CMP) processing code in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to trigger a denial of service (DoS) condition on an affected device. The vulnerability is due to insufficient input validation when processing CMP management packets. An attacker could exploit this vulnerability by sending malicious CMP management packets to an affected device. A successful exploit could cause the switch to crash, resulting in a DoS condition. The switch will reload automatically. • http://www.securityfocus.com/bid/107612 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-cmp-dos • CWE-20: Improper Input Validation •
CVE-2019-1745 – Cisco IOS XE Software Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2019-1745
A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with elevated privileges. The vulnerability is due to insufficient input validation of commands supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to the affected commands. An exploit could allow the attacker to gain root privileges on the affected device. Una vulnerabilidad en el software Cisco IOS XE podría permitir que un atacante local autenticado inyecte comandos arbitrarios que se ejecutan con privilegios elevados. • http://www.securityfocus.com/bid/107588 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-xecmd • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •