CVE-2019-1762

28.03.2019, 01:29

A vulnerability in the Secure Storage feature of Cisco IOS and IOS XE Software could allow an authenticated, local attacker to access sensitive system information on an affected device. The vulnerability is due to improper memory operations performed at encryption time, when affected software handles configuration updates. An attacker could exploit this vulnerability by retrieving the contents of specific memory locations of an affected device. A successful exploit could result in the disclosure of keying materials that are part of the device configuration, which can be used to recover critical system information.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.4 MEDIUM	LOCAL	LOW	HIGH	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
cisco	CNA	4.4 MEDIUM	LOCAL	LOW	HIGH	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Vendor	Product	Version
cisco	ios	12.2\(6\)i1
cisco	ios	15.1\(2\)sg8a
cisco	ios	15.1\(3\)svg3d
cisco	ios	15.1\(3\)svi1b
cisco	ios	15.1\(3\)svm3
cisco	ios	15.1\(3\)svn2
cisco	ios	15.1\(3\)svo1
cisco	ios	15.1\(3\)svo2
cisco	ios	15.1\(3\)svp1
cisco	ios	15.1\(4\)m12c
cisco	ios	15.2\(3\)ea1
cisco	ios	15.2\(4\)jn1
cisco	ios	15.2\(4a\)ea5
cisco	ios	15.3\(3\)ja1n
cisco	ios	15.3\(3\)jf35
cisco	ios	15.3\(3\)ji2
cisco	ios	15.3\(3\)jn1
cisco	ios	15.3\(3\)jn2
cisco	ios	15.6\(2\)sp3b
cisco	ios	15.6\(3\)m1
cisco	ios	15.6\(3\)m1a
cisco	ios	15.6\(3\)m1b
cisco	ios	15.6\(3\)m2
cisco	ios	15.6\(3\)m2a
cisco	ios	15.6\(3\)m3
cisco	ios	15.6\(3\)m3a
cisco	ios	15.6\(3\)m4
cisco	ios	15.6\(3.1\)m
cisco	ios	15.7\(3\)m
cisco	ios	15.7\(3\)m0a
cisco	ios	15.7\(3\)m1
cisco	ios_xe	16.6.1
cisco	ios_xe	16.6.2
cisco	ios_xe	16.6.3
cisco	ios_xe	16.6.4
cisco	ios_xe	16.6.4a:a
cisco	ios_xe	16.6.4s:s
cisco	ios_xe	16.7.1
cisco	ios_xe	16.7.1a:a
cisco	ios_xe	16.7.1b:b
cisco	ios_xe	16.7.2
cisco	ios_xe	16.7.3
cisco	ios_xe	16.7.4
cisco	ios_xe	16.8.1
cisco	ios_xe	16.8.1a:a
cisco	ios_xe	16.8.1b:b
cisco	ios_xe	16.8.1c:c
cisco	ios_xe	16.8.1d:d
cisco	ios_xe	16.8.1e:e
cisco	ios_xe	16.8.1s:s
cisco	ios_xe	16.8.2
cisco	ios_xe	16.9.1
cisco	ios_xe	16.9.1a:a
cisco	ios_xe	16.9.1b:b
cisco	ios_xe	16.9.1c:c
cisco	ios_xe	16.9.1d:d
cisco	ios_xe	16.9.1s:s
cisco	ios_xe	16.9.2
cisco	ios_xe	16.9.2a:a

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

http://www.securityfocus.com/bid/107594

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-info

http://www.securityfocus.com/bid/107594

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-info