CVE-2019-1728 – Cisco FXOS and NX-OS Software Secure Configuration Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2019-1728
A vulnerability in the Secure Configuration Validation functionality of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to run arbitrary commands at system boot time with the privileges of root. The vulnerability is due to a lack of proper validation of system files when the persistent configuration information is read from the file system. An attacker could exploit this vulnerability by authenticating to the device and overwriting the persistent configuration storage with malicious executable files. An exploit could allow the attacker to run arbitrary commands at system startup and those commands will run as the root user. The attacker must have valid administrative credentials for the device. • http://www.securityfocus.com/bid/108391 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-conf-bypass • CWE-347: Improper Verification of Cryptographic Signature •
CVE-2019-1729 – Cisco NX-OS Software Arbitrary File Overwrite Vulnerability
https://notcve.org/view.php?id=CVE-2019-1729
A vulnerability in the CLI implementation of a specific command used for image maintenance for Cisco NX-OS Software could allow an authenticated, local attacker to overwrite any file on the file system including system files. These file overwrites by the attacker are accomplished at the root privilege level. The vulnerability occurs because there is no verification of user-input parameters and or digital-signature verification for image files when using a specific CLI command. An attacker could exploit this vulnerability by authenticating to the device and issuing a command at the CLI. Because an exploit could allow the attacker to overwrite any file on the disk, including system files, a denial of service (DoS) condition could occur. • http://www.securityfocus.com/bid/108378 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-file-write • CWE-20: Improper Input Validation CWE-347: Improper Verification of Cryptographic Signature •
CVE-2019-1726 – Cisco NX-OS Software CLI Bypass to Internal Service Vulnerability
https://notcve.org/view.php?id=CVE-2019-1726
A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to access internal services that should be restricted on an affected device, such as the NX-API. The vulnerability is due to insufficient validation of arguments passed to a certain CLI command. An attacker could exploit this vulnerability by including malicious input as the argument to the affected command. A successful exploit could allow the attacker to bypass intended restrictions and access internal services of the device. An attacker would need valid device credentials to exploit this vulnerability. • http://www.securityfocus.com/bid/108409 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-cli-bypass • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2015-4232
https://notcve.org/view.php?id=CVE-2015-4232
Cisco NX-OS 6.2(10) on Nexus and MDS 9000 devices allows local users to execute arbitrary OS commands by entering crafted tar parameters in the CLI, aka Bug ID CSCus44856. Cisco NX-OS 6.2(10) en los dispositivos Nexus y MDS 9000 permite a usuarios locales ejecutar comandos del sistema operativo arbitrarios mediante la entrada de parámetro tar manipulados en la interfaz líneas de comando, también conocido como Bug ID CSCus44856. • http://tools.cisco.com/security/center/viewAlert.x?alertId=39569 http://www.securityfocus.com/bid/75503 http://www.securitytracker.com/id/1032764 • CWE-264: Permissions, Privileges, and Access Controls •