CVE-2019-15992

A vulnerability in the implementation of the Lua interpreter integrated in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code with root privileges on the underlying Linux operating system of an affected device. The vulnerability is due to insufficient restrictions on the allowed Lua function calls within the context of user-supplied Lua scripts. A successful exploit could allow the attacker to trigger a heap overflow condition and execute arbitrary code with root privileges on the underlying Linux operating system of an affected device.

CVSS v3 7.2 HIGH
CVSS v2.0 9.0 HIGH

7.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.0^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191112-asa-ftd-lua-rce	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:adaptive_security_appliance::::::::
	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::

Configuration 2 (hide)

OR	cpe:2.3:a:cisco:firepower_management_center::::::::
	cpe:2.3:a:cisco:firepower_management_center::::::::
	cpe:2.3:a:cisco:firepower_management_center::::::::
	cpe:2.3:a:cisco:firepower_management_center::::::::

Configuration 3 (hide)

cpe:2.3:a:cisco:firepower_threat_defense:-:*:*:*:*:*:*:*

History

16 Aug 2023, 16:18

Type	Values Removed	Values Added
CPE		cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::

13 Sep 2021, 14:33

Type	Values Removed	Values Added
CWE	~~CWE-119~~	CWE-787

Information

Published : 2020-09-23 01:15

Updated : 2024-02-04 21:23

NVD link : CVE-2019-15992

Mitre link : CVE-2019-15992

CVE.ORG link : CVE-2019-15992

JSON object : View

Products Affected

cisco

adaptive_security_appliance
adaptive_security_appliance_software
firepower_management_center
firepower_threat_defense

CWE

CWE-787

Out-of-bounds Write

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

7.2 /10