cbcvebase.
CVE-2019-1804
published 2019-05-03

CVE-2019-1804: A vulnerability in the SSH key management for the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an…

PriorityP268critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
3.48%
87.6th percentile
A vulnerability in the SSH key management for the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user. The vulnerability is due to the presence of a default SSH key pair that is present in all devices. An attacker could exploit this vulnerability by opening an SSH connection via IPv6 to a targeted device using the extracted key materials. An exploit could allow the attacker to access the system with the privileges of the root user. This vulnerability is only exploitable over IPv6; IPv4 is not vulnerable.

Affected

15 ranges
VendorProductVersion rangeFixed in
ciscocisco_nx-os_software_for_nexus_9000_series_fabric_switches_aci_mode_11.0.1b>= unspecified < n/an/a
cisconexus_9000_series_fabric_switches_application_centric_infrastructure_mode_defaul
cisconexus_93108tc-ex_firmware
cisconexus_93120tx_firmware
cisconexus_93128tx_firmware
cisconexus_93180yc-ex_firmware
cisconexus_9332pq_firmware
cisconexus_9372px_firmware
cisconexus_9372tx_firmware
cisconexus_9396px_firmware
cisconexus_9396tx_firmware
cisconexus_9500_firmware
cisconexus_9504_firmware
cisconexus_9508_firmware
cisconexus_9516_firmware

Detection & IOCsextracted from sources · hover to see the quote

  • Exploit traffic is exclusively over IPv6 (SSH); IPv4 connections cannot be used to exploit this vulnerability — monitor for unexpected inbound IPv6 SSH connections to Nexus 9000 ACI-mode switches
  • Exploitation involves opening an SSH connection using extracted default key materials; detect SSH authentication successes using key-based auth from unexpected/external sources on Nexus 9000 ACI-mode devices
  • Successful exploitation grants root-level access; alert on SSH sessions authenticated as root on Nexus 9000 ACI-mode switches
  • ·The vulnerable default SSH key pair is present in ALL Cisco Nexus 9000 Series ACI-mode devices; any unpatched device shares the same key material, making the default key itself the attack primitive
  • ·No workarounds exist; only the vendor-released software update remediates the vulnerability (Cisco Bug ID: CSCvo80686)

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_cisco9.8CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.