Vulnerability identifier: #VU17843
Vulnerability risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID: CWE-611
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Cisco IoT Field Network Director
Web applications / Remote management & hosting panels
Vendor: Cisco Systems, Inc
Description
The vulnerability allows a remote high-privileged attacker to conduct an XXE attack.
The vulnerability exists in the web-based user interface due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can import a specially crafted XML file with malicious entries, which could allow the attacker to read files within the affected application.
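The class of check that blocks this kind of import, shown as an added example (not Cisco's code and not the fix shipped in the update): an uploaded XML file is screened for DTD and entity declarations and rejected before it is parsed. The function names, the `devices`/`device` element names and both sample documents are constructed for illustration.

```python
"""Screen an uploaded XML import for DTD and entity declarations before parsing it."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class RejectedImport(ValueError):
    """The upload is malformed or carries a DTD, which a data import never needs."""


def screen_xml(data: bytes) -> list[str]:
    """Return DTD findings for logging; an empty list means no DOCTYPE was seen."""
    findings: list[str] = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"DOCTYPE {name} (system id: {system_id})")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if system_id else "internal"
        findings.append(f"{kind} entity {name} -> {system_id or '<inline value>'}")

    parser = expat.ParserCreate()
    # No ExternalEntityRefHandler is installed, so expat never fetches a system id.
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise RejectedImport(f"malformed XML: {exc}") from exc
    return findings


def load_import(data: bytes) -> ET.Element:
    """Parse the upload only when screening found no DTD at all."""
    findings = screen_xml(data)
    if findings:
        raise RejectedImport("; ".join(findings))
    return ET.fromstring(data)


# Constructed samples: a plain import file and one declaring an external entity.
BENIGN = b'<?xml version="1.0"?><devices><device id="r1">router</device></devices>'
CRAFTED = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE devices [<!ENTITY ext SYSTEM "file:///placeholder/constructed.txt">]>\n'
    b'<devices><device id="r1">&ext;</device></devices>'
)

if __name__ == "__main__":
    print(load_import(BENIGN).tag)
    print(screen_xml(CRAFTED))
```

The findings list is meant for the audit log, so a rejected import by a privileged account leaves a record of which entity and system identifier it declared.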
Mitigation
Update to version 4.4(0.26).
Vulnerable software versions
Cisco IoT Field Network Director: 4.2.1.2
External links
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-iot-fnd-xml
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.