Cisco IOS XE Software ASIC Register Write Vulnerability

medium Nessus Plugin ID 129536

Synopsis

The remote device is missing a vendor-supplied security patch

Description

According to its self-reported version, Cisco IOS XE Software is affected by a vulnerability. The vulnerability allows an authenticated, local attacker to write values to the underlying memory of an affected device. The vulnerability is due to improper input validation and authorization of specific commands that a user can execute within the CLI. An attacker could exploit this vulnerability by authenticating to an affected device and issuing a specific set of commands. A successful exploit could allow the attacker to modify the configuration of the device to cause it to be non-secure and abnormally functioning.

Please see the included Cisco BIDs and Cisco Security Advisory for more information

Solution

Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvj14070

See Also

http://www.nessus.org/u?9c9e2875

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj14070

Plugin Details

Severity: Medium

ID: 129536

File Name: cisco-sa-20190925-awr.nasl

Version: 1.11

Type: combined

Family: CISCO

Published: 10/3/2019

Updated: 5/3/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2019-12660

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:cisco:ios_xe

Required KB Items: Host/Cisco/IOS-XE/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 9/25/2019

Vulnerability Publication Date: 9/25/2019

Reference Information

CVE: CVE-2019-12660

CWE: 668

CISCO-SA: cisco-sa-20190925-awr

IAVA: 2019-A-0352-S

CISCO-BUG-ID: CSCvj14070