A vulnerability in the Web Services Management Agent (WSMA) function of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary Cisco IOS commands as a privilege level 15 user.
The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker could exploit this vulnerability by submitting crafted HTTP requests to the targeted application. A successful exploit could allow the attacker to execute arbitrary commands on the affected device.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-cmdinj ["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-cmdinj"]
This advisory is part of the March 27, 2019, release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes 17 Cisco Security Advisories that describe 19 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication ["https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-71135"].
{"nessus": [{"lastseen": "2023-05-24T14:30:54", "description": "According to its self-reported version, Cisco IOS XE Software is affected by a vulnerability in the Web Services Management Agent (WSMA) function of Cisco IOS XE Software. The vulnerability allows an authenticated, remote attacker to execute arbitrary Cisco IOS commands as a privilege level 15 user. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker could exploit this vulnerability by submitting crafted HTTP requests to the targeted application. A successful exploit could allow the attacker to execute arbitrary commands on the affected device.\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information", "cvss3": {}, "published": "2019-10-02T00:00:00", "type": "nessus", "title": "Cisco IOS XE Software Command Injection Vulnerability (cisco-sa-20190327-iosxe-cmdinj)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-1755"], "modified": "2021-01-08T00:00:00", "cpe": ["cpe:/o:cisco:ios_xe"], "id": "CISCO-SA-20190327-IOSXE-CMDINJ.NASL", "href": "https://www.tenable.com/plugins/nessus/129499", "sourceData": "#TRUSTED 6b91a7588e0e3d1a77927cc02b42d01fae2bf123115dc764b281e1036c6edd011fc2c9dbc55f881c73fdcf7c8f097236d2beafb720fcc529f804cf246862d8342248c57b6f58a8a1de143c6f5dcedb0c64df418cff338076672676c11c9317e2599dd17ac9dd472da741c38efc951daec9bdc4e28135a4610e65c7977d0f0b919e7d16e4451b81a52c47794978302d5cc00b372ab0f65d1841b93f948c8ca9243b4eecb9b8f3863496f7fc19e7093f1267d261d08e76a6ad69fc2f8b635f22c4d92395b071900c3c2e011f725c0e83c6bb74be93cdce59ffe61924ba91d764be10582386ebd337521949c27ea2315503f6ff6b801cc8b19bd389d79239f4ecd8568325fff128a6b5c37015ff0029bb3790da7ed419075164aa8258457a5df6ebf184b7a6a00773880c1308f58a4282f499ff41f5d9605117b964a08aa5a2e52ccb74fbdae12ebd9c854491f918029e35301ff529074a6020ca9e197a4bd031910d614117e811444f2d57c0242bf06dc0c3df0646905f0e400a4926c7e484a911a5c378810cf87246df09c6ecd0f87c93902400a1a4d1fe6d2fc0b9ac644d19082464a13058d6d6e167f175377e82fe7e6714d4089bd06f919400880516ed11ac13c28d7fde88f4c21648a06c0a7a0b0063028a13a19b156a58451b7a5c8ee3c28c528d20250f0f2740c68fefb81027ac04a8f849e65bffeb560b8bcd71466e24\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129499);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/08\");\n\n script_cve_id(\"CVE-2019-1755\");\n script_bugtraq_id(107380);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvi36824\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20190327-iosxe-cmdinj\");\n\n script_name(english:\"Cisco IOS XE Software Command Injection Vulnerability (cisco-sa-20190327-iosxe-cmdinj)\");\n script_summary(english:\"Checks the version of Cisco IOS XE Software\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, Cisco IOS XE Software is affected by a vulnerability in the Web Services\nManagement Agent (WSMA) function of Cisco IOS XE Software. The vulnerability allows an authenticated, remote attacker\nto execute arbitrary Cisco IOS commands as a privilege level 15 user. The vulnerability occurs because the affected\nsoftware improperly sanitizes user-supplied input. An attacker could exploit this vulnerability by submitting crafted\nHTTP requests to the targeted application. A successful exploit could allow the attacker to execute arbitrary commands\non the affected device.\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-cmdinj\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d6535745\");\n script_set_attribute(attribute:\"see_also\", value:\"http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-71135\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi36824\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvi36824\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1755\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:ios_xe\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ios_xe_version.nasl\");\n script_require_keys(\"Host/Cisco/IOS-XE/Version\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('cisco_workarounds.inc');\ninclude('ccf.inc');\n\nproduct_info = cisco::get_product_info(name:'Cisco IOS XE Software');\n\nversion_list=make_list(\n '3.6.10E',\n '3.2.0JA',\n '16.8.1s',\n '16.8.1e',\n '16.8.1d',\n '16.8.1c',\n '16.8.1b',\n '16.8.1a',\n '16.8.1',\n '16.7.1b',\n '16.7.1a',\n '16.7.1',\n '16.6.3',\n '16.6.2',\n '16.6.1',\n '16.5.3',\n '16.5.2',\n '16.5.1b',\n '16.5.1a',\n '16.5.1',\n '16.4.3',\n '16.4.2',\n '16.4.1',\n '16.3.8',\n '16.3.7',\n '16.3.6',\n '16.3.5b',\n '16.3.5',\n '16.3.4',\n '16.3.3',\n '16.3.2',\n '16.3.1a',\n '16.3.1',\n '16.2.2',\n '16.2.1',\n '16.1.3',\n '16.1.2',\n '16.1.1'\n);\n\n\nworkarounds = make_list(CISCO_WORKAROUNDS['HTTP_Server_iosxe']);\nworkaround_params = make_list();\n\nreporting = make_array(\n 'port' , product_info['port'], \n 'severity' , SECURITY_HOLE,\n 'version' , product_info['version'],\n 'bug_id' , 'CSCvi36824',\n 'cmds' , make_list('show running-config')\n);\n\ncisco::check_and_report(\n product_info:product_info,\n workarounds:workarounds,\n workaround_params:workaround_params,\n reporting:reporting,\n vuln_versions:version_list\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2023-06-13T14:50:26", "description": "A vulnerability in the Web Services Management Agent (WSMA) function of Cisco IOS XE Software could allow an authenticated, remote attacker to execute arbitrary Cisco IOS commands as a privilege level 15 user. The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker could exploit this vulnerability by submitting crafted HTTP requests to the targeted application. A successful exploit could allow the attacker to execute arbitrary commands on the affected device.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-03-28T01:29:00", "type": "cve", "title": "CVE-2019-1755", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1755"], "modified": "2019-10-09T23:47:00", "cpe": ["cpe:/o:cisco:ios_xe:16.8.1a", "cpe:/o:cisco:ios_xe:16.5.1b", "cpe:/o:cisco:ios_xe:16.8.1", "cpe:/o:cisco:ios_xe:16.2.2", "cpe:/o:cisco:ios_xe:16.8.1c", "cpe:/o:cisco:ios_xe:16.7.1b", "cpe:/o:cisco:ios_xe:16.1.3", "cpe:/o:cisco:ios_xe:16.3.3", "cpe:/o:cisco:ios_xe:16.3.7", "cpe:/o:cisco:ios_xe:16.1.1", "cpe:/o:cisco:ios_xe:16.8.1d", "cpe:/o:cisco:ios_xe:16.3.1a", "cpe:/o:cisco:ios_xe:3.6.10e", "cpe:/o:cisco:ios_xe:16.3.6", "cpe:/o:cisco:ios_xe:16.6.2", "cpe:/o:cisco:ios_xe:16.2.1", "cpe:/o:cisco:ios_xe:16.6.1", "cpe:/o:cisco:ios_xe:16.6.3", "cpe:/o:cisco:ios_xe:16.8.1b", "cpe:/o:cisco:ios_xe:16.4.3", "cpe:/o:cisco:ios_xe:16.3.8", "cpe:/o:cisco:ios_xe:16.1.2", "cpe:/o:cisco:ios_xe:16.7.1", "cpe:/o:cisco:ios_xe:16.5.2", "cpe:/o:cisco:ios_xe:16.7.1a", "cpe:/o:cisco:ios_xe:16.8.1e", "cpe:/o:cisco:ios_xe:16.3.5", "cpe:/o:cisco:ios_xe:16.3.4", "cpe:/o:cisco:ios_xe:16.5.3", "cpe:/o:cisco:ios_xe:16.5.1", "cpe:/o:cisco:ios_xe:16.8.1s", "cpe:/o:cisco:ios_xe:3.2.0ja", "cpe:/o:cisco:ios_xe:16.3.1", "cpe:/o:cisco:ios_xe:16.3.2", "cpe:/o:cisco:ios_xe:16.5.1a", "cpe:/o:cisco:ios_xe:16.4.2", "cpe:/o:cisco:ios_xe:16.4.1", "cpe:/o:cisco:ios_xe:16.3.5b"], "id": "CVE-2019-1755", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1755", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:cisco:ios_xe:16.3.8:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.3.3:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.4.2:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.7.1:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.8.1a:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.6.2:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.3.6:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.8.1b:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.3.2:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.3.1:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.8.1d:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.8.1c:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.3.1a:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.5.2:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.8.1:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.7.1b:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.3.7:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.5.1:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:3.6.10e:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.6.1:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.1.3:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.3.5b:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.5.3:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.5.1a:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.7.1a:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.6.3:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.4.3:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:3.2.0ja:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.3.4:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.8.1e:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.5.1b:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.4.1:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.8.1s:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:ios_xe:16.3.5:*:*:*:*:*:*:*"]}], "threatpost": [{"lastseen": "2020-03-08T12:01:01", "description": "UDPATE\n\nCisco Systems issued [24 patches Wednesday](<https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir#~Vulnerabilities>) tied to vulnerabilities in its IOS XE operating system and warned customers that two small business routers (RV320 and RV325) are vulnerable to attack and that no patches are available for either. A total of 19 of the bugs were rated high severity by Cisco, with the others rated medium.\n\nThe two router vulnerabilities are rated high and are part of Cisco\u2019s Dual Gigabit WAN VPN RV320 and RV325 line of small business routers. Both router flaws were first patched in January, however Cisco said on Wednesday that both patches were \u201cincomplete\u201d and that both routers were still vulnerable to attack. It added in both cases that, \u201cfirmware updates that address [these vulnerabilities] are not currently available.\u201d It added there are no workarounds that address either vulnerability.\n\nOne of the router flaws ([CVE-2019-1652](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject>)) is a command injection vulnerability \u201cdue to improper validation of user-supplied input,\u201d Cisco wrote. The bug could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands.\n\nThe second router bug ([CVE-2019-1653](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>)) is an information disclosure vulnerability also impacting Cisco Small Business RV320 and RV325 routers. \u201cA vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information,\u201d Cisco wrote.\n\n**IOS XE Bugs**\n\nOf the high severity vulnerabilities 15 were tied to Cisco\u2019s Internetworking Operating System (IOS) XE, which runs on Cisco networking gear such as its switches, controllers and routers. Bugs ranged from privilege escalation, injection and denial of service vulnerabilities.\n\nOne bug ([CVE-2019-1745](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-xecmd>)) is a Cisco IOS XE software command injection vulnerability. According to Cisco, the vulnerability could be exploited by a local adversary that could inject arbitrary commands into the OS that are executed with elevated privileges.\n\n\u201cThe vulnerability is due to insufficient input validation of commands supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to the affected commands. An exploit could allow the attacker to gain root privileges on the affected device,\u201d wrote Cisco.\n\nThe two command injection patches ([CVE-2019-1756](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-cmdinject>), [CVE-2019-1755](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-iosxe-cmdinject>)) allow a remote authenticated attacker to execute commands on devices running the vulnerable Cisco IOS XE software.\n\n\u201cThe vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying a username with a malicious payload in the web UI and subsequently making a request to a specific endpoint in the web UI,\u201d Cisco said of CVE-2019-1756.\n\n**Four Critical Non-Cisco Bugs Also Reported **\n\nAs part of its flurry of patch announcements, Cisco also posted information regarding four vulnerabilities rated critical for non-Cisco products. The critical bugs include:\n\nMoodle mybackpack functionality server side request forgery vulnerability ([CVE-2019-3809](<https://tools.cisco.com/security/center/viewAlert.x?alertId=59842>)) that could allow an unauthenticated, remote attacker to conduct a server side request forgery attack on a targeted system.\n\nA second critical vulnerability was found in Elastic Kibana Security Audit Logger that could lead to an arbitrary code execution ([CVE-2019-7610](<https://tools.cisco.com/security/center/viewAlert.x?alertId=59833>)).\n\nCisco also reported a Python urllib security bypass vulnerability ([CVE-2019-9948](<https://tools.cisco.com/security/center/viewAlert.x?alertId=59825>)) and a Elastic Kibana Timelion Visualizer arbitrary code execution vulnerability ([CVE-2019-7609](<https://tools.cisco.com/security/center/viewAlert.x?alertId=59832>)).\n\n_(This article was updated at 11pm EDT 3/27 to reflect more accurately a lack of patches available for the Cisco RV320 and RV325 routers)_\n", "cvss3": {}, "published": "2019-03-27T21:48:15", "type": "threatpost", "title": "Cisco Releases Flood of Patches for IOS XE, But Leaves Some Routers Open to Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-1652", "CVE-2019-1653", "CVE-2019-1745", "CVE-2019-1755", "CVE-2019-1756", "CVE-2019-3809", "CVE-2019-7609", "CVE-2019-7610", "CVE-2019-9948"], "modified": "2019-03-27T21:48:15", "id": "THREATPOST:0B3F568CF532B4D11A2D561F09E1490F", "href": "https://threatpost.com/cisco-releases-flood-of-patches-for-ios-xe-and-small-business-routers/143228/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
Cisco IOS XE Software Command Injection Vulnerability
