CVE-2019-1589 : A vulnerability in the Trusted Platform Module (TPM) functionality of software for Cisco Nexus 9000 Series Fabric Switch

A vulnerability in the Trusted Platform Module (TPM) functionality of software for Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode could allow an unauthenticated, local attacker with physical access to view sensitive information on an affected device. The vulnerability is due to a lack of proper data-protection mechanisms for disk encryption keys that are used within the partitions on an affected device hard drive. An attacker could exploit this vulnerability by obtaining physical access to the affected device to view certain cleartext keys. A successful exploit could allow the attacker to execute a custom boot process or conduct further attacks on an affected device.

Published 2019-05-03 15:29:01

Updated 2020-10-13 20:08:08

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Exploit prediction scoring system (EPSS) score for CVE-2019-1589

Probability of exploitation activity in the next 30 days: 0.06%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 26 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2019-1589

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:L/AC:L/Au:N/C:P/I:N/A:N	3.9	2.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
4.2	MEDIUM	CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	0.5	3.6	Cisco Systems, Inc.
Attack Vector: Physical Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
4.6	MEDIUM	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	0.9	3.6	NIST
Attack Vector: Physical Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2019-1589

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: ykramarz@cisco.com (Secondary)
CWE-311 Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-1589

http://www.securityfocus.com/bid/108175

Cisco Nexus 9000 Series Fabric Switches CVE-2019-1589 Information Disclosure Vulnerability
Third Party Advisory;VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-aci-unmeasured-boot

Cisco Nexus 9000 Series Fabric Switches Application Centric Infrastructure Mode Unmeasured Boot Vulnerability
Vendor Advisory

Products affected by CVE-2019-1589

Cisco » Nx-os » Version: 8.3(0)sk(0.39)
cpe:2.3:o:cisco:nx-os:8.3\(0\)sk\(0.39\):*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Nexus 9000 » Version: N/A
When used together with: Cisco » Nexus 92160yc-x » Version: N/A
When used together with: Cisco » Nexus 92300yc » Version: N/A
When used together with: Cisco » Nexus 92304qc » Version: N/A
When used together with: Cisco » Nexus 9236c » Version: N/A
When used together with: Cisco » Nexus 9272q » Version: N/A
When used together with: Cisco » Nexus 93108tc-ex » Version: N/A
When used together with: Cisco » Nexus 93108tc-fx » Version: N/A
When used together with: Cisco » Nexus 93120tx » Version: N/A
When used together with: Cisco » Nexus 93128tx » Version: N/A
When used together with: Cisco » Nexus 93180lc-ex » Version: N/A
When used together with: Cisco » Nexus 93180yc-ex » Version: N/A
When used together with: Cisco » Nexus 93180yc-fx » Version: N/A
When used together with: Cisco » Nexus 93240yc-fx2 » Version: N/A
When used together with: Cisco » Nexus 9332c » Version: N/A
When used together with: Cisco » Nexus 9332pq » Version: N/A
When used together with: Cisco » Nexus 9336c-fx2 » Version: N/A
When used together with: Cisco » Nexus 9336pq » Version: N/A
When used together with: Cisco » Nexus 9348gc-fxp » Version: N/A
When used together with: Cisco » Nexus 9364c » Version: N/A
When used together with: Cisco » Nexus 9372px » Version: N/A
When used together with: Cisco » Nexus 9372px-e » Version: N/A
When used together with: Cisco » Nexus 9372tx » Version: N/A
When used together with: Cisco » Nexus 9372tx-e » Version: N/A
When used together with: Cisco » Nexus 9396px » Version: N/A
When used together with: Cisco » Nexus 9396tx » Version: N/A
When used together with: Cisco » Nexus 9508 » Version: N/A

Vulnerability Details : CVE-2019-1589

Exploit prediction scoring system (EPSS) score for CVE-2019-1589

CVSS scores for CVE-2019-1589

CWE ids for CVE-2019-1589

References for CVE-2019-1589

Products affected by CVE-2019-1589