CVE-2019-17274 - Vulnerability Details - OpenCVE

NetApp FAS 8300/8700 and AFF A400 Baseboard Management Controller (BMC) firmware versions 13.x prior to 13.1P1 were shipped with a default account enabled that could allow unauthorized arbitrary command execution via local access.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Netapp	All Flash Fabric-attached Storage A400 All Flash Fabric-attached Storage A400 Firmware Fabric-attached Storage 8300 Fabric-attached Storage 8300 Firmware Fabric-attached Storage 8700 Fabric-attached Storage 8700 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:netapp:fabric-attached_storage_8700_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netapp:fabric-attached_storage_8700:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:netapp:fabric-attached_storage_8300_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netapp:fabric-attached_storage_8300:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:netapp:all_flash_fabric-attached_storage_a400_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:netapp:all_flash_fabric-attached_storage_a400:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://security.netapp.com/advisory/ntap-20200226-0001/

History

No history.

MITRE

Status: PUBLISHED

Assigner: netapp

Published: 2020-02-26T17:38:35

Updated: 2024-08-05T01:33:17.371Z

Reserved: 2019-10-07T00:00:00

Link: CVE-2019-17274

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-02-26T18:15:11.030

Modified: 2024-11-21T04:32:00.540

Link: CVE-2019-17274

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "NetApp FAS 8300/8700 and AFF A400 Baseboard Management Controller", "vendor": "NetApp", "versions": [{"status": "affected", "version": "13.x prior to 13.1P1"}]}], "descriptions": [{"lang": "en", "value": "NetApp FAS 8300/8700 and AFF A400 Baseboard Management Controller (BMC) firmware versions 13.x prior to 13.1P1 were shipped with a default account enabled that could allow unauthorized arbitrary command execution via local access."}], "problemTypes": [{"descriptions": [{"description": "Default Privileged Account", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-02-26T17:38:35", "orgId": "11fdca00-0482-4c88-a206-37f9c182c87d", "shortName": "netapp"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200226-0001/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-alert@netapp.com", "ID": "CVE-2019-17274", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "NetApp FAS 8300/8700 and AFF A400 Baseboard Management Controller", "version": {"version_data": [{"version_value": "13.x prior to 13.1P1"}]}}]}, "vendor_name": "NetApp"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "NetApp FAS 8300/8700 and AFF A400 Baseboard Management Controller (BMC) firmware versions 13.x prior to 13.1P1 were shipped with a default account enabled that could allow unauthorized arbitrary command execution via local access."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Default Privileged Account"}]}]}, "references": {"reference_data": [{"name": "https://security.netapp.com/advisory/ntap-20200226-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200226-0001/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:33:17.371Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20200226-0001/"}]}]}, "cveMetadata": {"assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d", "assignerShortName": "netapp", "cveId": "CVE-2019-17274", "datePublished": "2020-02-26T17:38:35", "dateReserved": "2019-10-07T00:00:00", "dateUpdated": "2024-08-05T01:33:17.371Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:fabric-attached_storage_8700_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "66649BB0-329B-4C1C-BCAD-2285275433BB", "versionEndIncluding": "13.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:fabric-attached_storage_8700:-:*:*:*:*:*:*:*", "matchCriteriaId": "DF9B5939-68D6-47E1-AFCA-F709F46136C6", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:fabric-attached_storage_8300_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "68A5ACAE-B921-4804-9828-38BA92394C74", "versionEndIncluding": "13.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:fabric-attached_storage_8300:-:*:*:*:*:*:*:*", "matchCriteriaId": "43E89C80-A70B-48A3-A076-D9F031C25D1C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:all_flash_fabric-attached_storage_a400_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6AB5F3D3-2D4D-47C6-AC8C-1B8C42A49C59", "versionEndIncluding": "13.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:all_flash_fabric-attached_storage_a400:-:*:*:*:*:*:*:*", "matchCriteriaId": "2527D2C3-EDA7-4B8A-82AB-A4F20C731E2D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "NetApp FAS 8300/8700 and AFF A400 Baseboard Management Controller (BMC) firmware versions 13.x prior to 13.1P1 were shipped with a default account enabled that could allow unauthorized arbitrary command execution via local access."}, {"lang": "es", "value": "NetApp FAS 8300/8700 y AFF A400 Baseboard Management Controller (BMC) versiones de firmware 13.x anteriores a 13.1P1, fueron enviadas con una cuenta predeterminada habilitada que podr\u00eda permitir una ejecuci\u00f3n de comandos arbitrarios no autorizada por medio de un acceso local."}], "id": "CVE-2019-17274", "lastModified": "2024-11-21T04:32:00.540", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-26T18:15:11.030", "references": [{"source": "security-alert@netapp.com", "tags": ["Vendor Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200226-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200226-0001/"}], "sourceIdentifier": "security-alert@netapp.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1188"}], "source": "nvd@nist.gov", "type": "Primary"}]}