Sign-up

ID

VAR-201912-1394


CVE

CVE-2019-19642


TITLE

SuperMicro X8STi-F operating system command injection vulnerability

Trust: 1.2

sources: CNVD: CNVD-2019-44964 // CNNVD: CNNVD-201912-292

DESCRIPTION

On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareName. The attacker can achieve a persistent backdoor. SuperMicro X8STi-F is a computer motherboard from American SuperMicro Corporation. An attacker could use this vulnerability to obtain a persistent backdoor by sending an HTTP request to the IPMI IP address

Trust: 2.16

sources: NVD: CVE-2019-19642 // JVNDB: JVNDB-2019-013246 // CNVD: CNVD-2019-44964

IOT TAXONOMY

category:['IoT']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-44964

AFFECTED PRODUCTS

vendor:supermicromodel:x8sti-f biosscope:eqversion:02.68

Trust: 2.2

vendor:supermicromodel:x8sti-fscope:eqversion:2.06

Trust: 1.6

vendor:super micro computermodel:x8sti-f biosscope:eqversion:02.68

Trust: 0.8

vendor:super micro computermodel:x8sti-fscope:eqversion:2.06

Trust: 0.8

vendor:supermicromodel:x8sti-f ipmiscope:eqversion:2.06

Trust: 0.6

vendor:supermicromodel:x8sti-fscope:eqversion: -

Trust: 0.6

sources: CNVD: CNVD-2019-44964 // JVNDB: JVNDB-2019-013246 // CNNVD: CNNVD-201912-292 // NVD: CVE-2019-19642

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-19642
value: HIGH

Trust: 1.0

NVD: CVE-2019-19642
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-44964
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201912-292
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2019-19642
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-44964
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-19642
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-19642
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2019-44964 // JVNDB: JVNDB-2019-013246 // CNNVD: CNNVD-201912-292 // NVD: CVE-2019-19642

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.8

sources: JVNDB: JVNDB-2019-013246 // NVD: CVE-2019-19642

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201912-292

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201912-292

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-013246

PATCH
title:Top Pageurl:https://www.supermicro.com/en
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2019-013246

EXTERNAL IDS
db:NVDid:CVE-2019-19642
Trust: 3.0
db:JVNDBid:JVNDB-2019-013246
Trust: 0.8
db:CNVDid:CNVD-2019-44964
Trust: 0.6
db:CNNVDid:CNNVD-201912-292
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-44964 // 
            
            
            
            JVNDB: JVNDB-2019-013246 // 
            
            
            
            CNNVD: CNNVD-201912-292 // 
            
            
            
            NVD: CVE-2019-19642

REFERENCES
url:https://www.dark-sec.net/2019/12/supermicro-ipmi-exploitation.html
Trust: 3.0
url:https://nvd.nist.gov/vuln/detail/cve-2019-19642
Trust: 2.0
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-19642
Trust: 0.8
sources:
            
            
            CNVD: CNVD-2019-44964 // 
            
            
            
            JVNDB: JVNDB-2019-013246 // 
            
            
            
            CNNVD: CNNVD-201912-292 // 
            
            
            
            NVD: CVE-2019-19642

SOURCES
db:CNVDid:CNVD-2019-44964
db:JVNDBid:JVNDB-2019-013246
db:CNNVDid:CNNVD-201912-292
db:NVDid:CVE-2019-19642

LAST UPDATE DATE
2024-11-23T22:11:41.196000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-44964date:2019-12-11T00:00:00
db:JVNDBid:JVNDB-2019-013246date:2019-12-23T00:00:00
db:CNNVDid:CNNVD-201912-292date:2019-12-27T00:00:00
db:NVDid:CVE-2019-19642date:2024-11-21T04:35:06.833

SOURCES RELEASE DATE
db:CNVDid:CNVD-2019-44964date:2019-12-11T00:00:00
db:JVNDBid:JVNDB-2019-013246date:2019-12-23T00:00:00
db:CNNVDid:CNNVD-201912-292date:2019-12-07T00:00:00
db:NVDid:CVE-2019-19642date:2019-12-08T04:15:10.027