OpenCVE

A vulnerability in the Cisco SD-WAN Solution could allow an authenticated, adjacent attacker to bypass authentication and have direct unauthorized access to other vSmart containers. The vulnerability is due to an insecure default configuration of the affected system. An attacker could exploit this vulnerability by directly connecting to the exposed services. An exploit could allow the attacker to retrieve and modify critical system files.

No CVSS v4.0

No CVSS v3.1

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Adjacent Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:A/AC:L/Au:S/C:C/I:C/A:C

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Cisco	Sd-wan Vsmart Controller

Configuration 1 [-]

OR	cpe:2.3:a:cisco:sd-wan::::::::
	cpe:2.3:a:cisco:vsmart_controller:-:::::::*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/106705
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-unaccess

History

Wed, 20 Nov 2024 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2019-01-24T15:00:00Z

Updated: 2024-11-20T17:28:47.253Z

Reserved: 2018-12-06T00:00:00

Link: CVE-2019-1647

Vulnrichment

Updated: 2024-08-04T18:20:28.485Z

NVD

Status : Modified

Published: 2019-01-24T15:29:00.703

Modified: 2019-10-09T23:47:36.190

Link: CVE-2019-1647

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Cisco SD-WAN Solution", "vendor": "Cisco", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-01-23T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in the Cisco SD-WAN Solution could allow an authenticated, adjacent attacker to bypass authentication and have direct unauthorized access to other vSmart containers. The vulnerability is due to an insecure default configuration of the affected system. An attacker could exploit this vulnerability by directly connecting to the exposed services. An exploit could allow the attacker to retrieve and modify critical system files."}], "exploits": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-01-25T10:57:01", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"name": "20190123 Cisco SD-WAN Solution Unauthorized Access Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-unaccess"}, {"name": "106705", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/106705"}], "source": {"advisory": "cisco-sa-20190123-sdwan-unaccess", "defect": [["CSCvm25940"]], "discovery": "INTERNAL"}, "title": "Cisco SD-WAN Solution Unauthorized Access Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "DATE_PUBLIC": "2019-01-23T16:00:00-0800", "ID": "CVE-2019-1647", "STATE": "PUBLIC", "TITLE": "Cisco SD-WAN Solution Unauthorized Access Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Cisco SD-WAN Solution", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "Cisco"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the Cisco SD-WAN Solution could allow an authenticated, adjacent attacker to bypass authentication and have direct unauthorized access to other vSmart containers. The vulnerability is due to an insecure default configuration of the affected system. An attacker could exploit this vulnerability by directly connecting to the exposed services. An exploit could allow the attacker to retrieve and modify critical system files."}]}, "exploit": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "impact": {"cvss": {"baseScore": "8.0", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284"}]}]}, "references": {"reference_data": [{"name": "20190123 Cisco SD-WAN Solution Unauthorized Access Vulnerability", "refsource": "CISCO", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-unaccess"}, {"name": "106705", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106705"}]}, "source": {"advisory": "cisco-sa-20190123-sdwan-unaccess", "defect": [["CSCvm25940"]], "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T18:20:28.485Z"}, "title": "CVE Program Container", "references": [{"name": "20190123 Cisco SD-WAN Solution Unauthorized Access Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-unaccess"}, {"name": "106705", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/106705"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-20T16:56:06.143156Z", "id": "CVE-2019-1647", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-20T17:28:47.253Z"}}]}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2019-1647", "datePublished": "2019-01-24T15:00:00Z", "dateReserved": "2018-12-06T00:00:00", "dateUpdated": "2024-11-20T17:28:47.253Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-unaccess", "name": "20190123 Cisco SD-WAN Solution Unauthorized Access Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"]}, {"url": "http://www.securityfocus.com/bid/106705", "name": "106705", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T18:20:28.485Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-1647", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-20T16:56:06.143156Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-20T16:57:00.268Z"}}], "cna": {"title": "Cisco SD-WAN Solution Unauthorized Access Vulnerability", "source": {"defect": [["CSCvm25940"]], "advisory": "cisco-sa-20190123-sdwan-unaccess", "discovery": "INTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Cisco", "product": "Cisco SD-WAN Solution", "versions": [{"status": "affected", "version": "n/a"}]}], "exploits": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "datePublic": "2019-01-23T00:00:00", "references": [{"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-unaccess", "name": "20190123 Cisco SD-WAN Solution Unauthorized Access Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"]}, {"url": "http://www.securityfocus.com/bid/106705", "name": "106705", "tags": ["vdb-entry", "x_refsource_BID"]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the Cisco SD-WAN Solution could allow an authenticated, adjacent attacker to bypass authentication and have direct unauthorized access to other vSmart containers. The vulnerability is due to an insecure default configuration of the affected system. An attacker could exploit this vulnerability by directly connecting to the exposed services. An exploit could allow the attacker to retrieve and modify critical system files."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284"}]}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2019-01-25T10:57:01"}, "x_legacyV4Record": {"impact": {"cvss": {"version": "3.0", "baseScore": "8.0", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}, "source": {"defect": [["CSCvm25940"]], "advisory": "cisco-sa-20190123-sdwan-unaccess", "discovery": "INTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "n/a"}]}, "product_name": "Cisco SD-WAN Solution"}]}, "vendor_name": "Cisco"}]}}, "exploit": [{"lang": "en", "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."}], "data_type": "CVE", "references": {"reference_data": [{"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-unaccess", "name": "20190123 Cisco SD-WAN Solution Unauthorized Access Vulnerability", "refsource": "CISCO"}, {"url": "http://www.securityfocus.com/bid/106705", "name": "106705", "refsource": "BID"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the Cisco SD-WAN Solution could allow an authenticated, adjacent attacker to bypass authentication and have direct unauthorized access to other vSmart containers. The vulnerability is due to an insecure default configuration of the affected system. An attacker could exploit this vulnerability by directly connecting to the exposed services. An exploit could allow the attacker to retrieve and modify critical system files."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2019-1647", "STATE": "PUBLIC", "TITLE": "Cisco SD-WAN Solution Unauthorized Access Vulnerability", "ASSIGNER": "psirt@cisco.com", "DATE_PUBLIC": "2019-01-23T16:00:00-0800"}}}}, "cveMetadata": {"cveId": "CVE-2019-1647", "state": "PUBLISHED", "dateUpdated": "2024-11-20T17:28:47.253Z", "dateReserved": "2018-12-06T00:00:00", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "datePublished": "2019-01-24T15:00:00Z", "assignerShortName": "cisco"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cisco:sd-wan:*:*:*:*:*:*:*:*", "matchCriteriaId": "698D777B-1AB1-4A54-98EC-8948BF287DA9", "versionEndExcluding": "18.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cisco:vsmart_controller:-:*:*:*:*:*:*:*", "matchCriteriaId": "2F16884C-A2EE-4867-8806-6418E000078C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the Cisco SD-WAN Solution could allow an authenticated, adjacent attacker to bypass authentication and have direct unauthorized access to other vSmart containers. The vulnerability is due to an insecure default configuration of the affected system. An attacker could exploit this vulnerability by directly connecting to the exposed services. An exploit could allow the attacker to retrieve and modify critical system files."}, {"lang": "es", "value": "Una vulnerabilidad en la soluci\u00f3n Cisco SD-WAN podr\u00eda permitir a un atacante adyacente autenticado omitir la autenticaci\u00f3n y tener acceso directo no autorizado a otros contenedores vSmart. Esta vulnerabilidad se debe a una configuraci\u00f3n por defecto insegura del sistema afectado. Un atacante podr\u00eda explotar esta vulnerabilidad conect\u00e1ndose directamente a los servicios expuestos. Un exploit podr\u00eda permitir que el atacante recupere archivos de configuraci\u00f3n y modifique archivos de sistema cr\u00edticos."}], "id": "CVE-2019-1647", "lastModified": "2019-10-09T23:47:36.190", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 7.7, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:A/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 5.1, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "ykramarz@cisco.com", "type": "Secondary"}]}, "published": "2019-01-24T15:29:00.703", "references": [{"source": "ykramarz@cisco.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/106705"}, {"source": "ykramarz@cisco.com", "tags": ["Vendor Advisory"], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-unaccess"}], "sourceIdentifier": "ykramarz@cisco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "ykramarz@cisco.com", "type": "Secondary"}]}