Details of VAR-201910-0372

ID

VAR-201910-0372

CVE

CVE-2019-12630

TITLE

Cisco Security Manager Vulnerabilities in unreliable data deserialization

Trust: 0.8

sources: JVNDB: JVNDB-2019-010259

DESCRIPTION

A vulnerability in the Java deserialization function used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of casuser. Cisco Security Manager Contains an unreliable data deserialization vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Cisco Security Manager (CSM) is a set of enterprise-level management applications from Cisco, which is mainly used to configure firewall, VPN and intrusion prevention security services on Cisco network and security devices. A code issue vulnerability exists in the Java deserialization functionality in versions prior to Cisco CSM 4.18 due to the program not deserializing user-submitted content securely

Trust: 1.8

sources: NVD: CVE-2019-12630 // JVNDB: JVNDB-2019-010259 // VULHUB: VHN-144396 // VULMON: CVE-2019-12630

AFFECTED PRODUCTS

vendor:	cisco	model:	security manager	scope:	lt	version:	4.18	Trust: 1.0
vendor:	cisco	model:	security manager	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	security manager	scope:	eq	version:	3.2.1	Trust: 0.6
vendor:	cisco	model:	security manager	scope:	eq	version:	3.2	Trust: 0.6
vendor:	cisco	model:	security manager	scope:	eq	version:	3.0.2	Trust: 0.6
vendor:	cisco	model:	security manager	scope:	eq	version:	-	Trust: 0.6
vendor:	cisco	model:	security manager	scope:	eq	version:	3.1.1	Trust: 0.6
vendor:	cisco	model:	security manager	scope:	eq	version:	3.1	Trust: 0.6

sources: JVNDB: JVNDB-2019-010259 // CNNVD: CNNVD-201910-143 // NVD: CVE-2019-12630

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-12630
value:	CRITICAL
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-12630
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-12630
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201910-143
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-144396
value:	HIGH
Trust: 0.1
VULMON:	CVE-2019-12630
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-12630
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-144396
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-12630
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
ykramarz@cisco.com:	CVE-2019-12630
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.5
version:	3.0
Trust: 1.0
NVD:	CVE-2019-12630
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-144396 // VULMON: CVE-2019-12630 // JVNDB: JVNDB-2019-010259 // CNNVD: CNNVD-201910-143 // NVD: CVE-2019-12630 // NVD: CVE-2019-12630

PROBLEMTYPE DATA

problemtype:	CWE-502	Trust: 1.9
problemtype:	CWE-20	Trust: 1.0

sources: VULHUB: VHN-144396 // JVNDB: JVNDB-2019-010259 // NVD: CVE-2019-12630

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-143

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201910-143

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-010259

PATCH

title:	cisco-sa-20191002-sm-java-deserial	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-sm-java-deserial	Trust: 0.8
title:	Cisco Security Manager Enter the fix for the verification error vulnerability	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98878	Trust: 0.6
title:	Cisco: Cisco Security Manager Java Deserialization Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20191002-sm-java-deserial	Trust: 0.1
title:	Java-Deserialization-CVEs	url:	https://github.com/PalindromeLabs/Java-Deserialization-CVEs	Trust: 0.1

sources: VULMON: CVE-2019-12630 // JVNDB: JVNDB-2019-010259 // CNNVD: CNNVD-201910-143

EXTERNAL IDS

db:	NVD	id:	CVE-2019-12630	Trust: 2.6
db:	JVNDB	id:	JVNDB-2019-010259	Trust: 0.8
db:	CNNVD	id:	CNNVD-201910-143	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.3726	Trust: 0.6
db:	VULHUB	id:	VHN-144396	Trust: 0.1
db:	VULMON	id:	CVE-2019-12630	Trust: 0.1

sources: VULHUB: VHN-144396 // VULMON: CVE-2019-12630 // JVNDB: JVNDB-2019-010259 // CNNVD: CNNVD-201910-143 // NVD: CVE-2019-12630

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20191002-sm-java-deserial	Trust: 1.9
url:	https://nvd.nist.gov/vuln/detail/cve-2019-12630	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-12630	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2019.3726/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/502.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/palindromelabs/java-deserialization-cves	Trust: 0.1
url:	https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/110321	Trust: 0.1

sources: VULHUB: VHN-144396 // VULMON: CVE-2019-12630 // JVNDB: JVNDB-2019-010259 // CNNVD: CNNVD-201910-143 // NVD: CVE-2019-12630

CREDITS

Francisco Ribeiro of Google

Trust: 0.6

sources: CNNVD: CNNVD-201910-143

SOURCES

db:	VULHUB	id:	VHN-144396
db:	VULMON	id:	CVE-2019-12630
db:	JVNDB	id:	JVNDB-2019-010259
db:	CNNVD	id:	CNNVD-201910-143
db:	NVD	id:	CVE-2019-12630

LAST UPDATE DATE

2024-11-23T22:51:38.901000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-144396	date:	2019-10-09T00:00:00
db:	VULMON	id:	CVE-2019-12630	date:	2019-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2019-010259	date:	2019-10-10T00:00:00
db:	CNNVD	id:	CNNVD-201910-143	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2019-12630	date:	2024-11-21T04:23:13.470

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-144396	date:	2019-10-02T00:00:00
db:	VULMON	id:	CVE-2019-12630	date:	2019-10-02T00:00:00
db:	JVNDB	id:	JVNDB-2019-010259	date:	2019-10-10T00:00:00
db:	CNNVD	id:	CNNVD-201910-143	date:	2019-10-02T00:00:00
db:	NVD	id:	CVE-2019-12630	date:	2019-10-02T19:15:11.953