Cisco NX-OS SSH Key Information Disclosure Vulnerability (CVE-2019-1731) Advisory

Critical Vulnerability Information Vulnerability Name: Cisco NX-OS Software SSH Key Information Disclosure Vulnerability Severity Level: Medium CVE ID: CVE-2019-1731 CWE ID: CWE-755 Release Date: May 15, 2019 Update Date: May 16, 2019 CVSS Score: 5.1 (Base) Vulnerability Description: This vulnerability exists in the SSH CLI key management feature of Cisco NX-OS Software, allowing an authenticated local attacker to expose a user's private SSH key to all authenticated users on the target device. The attacker must authenticate using valid administrator device credentials. The vulnerability arises from incomplete error handling during SSH key export when a specific error type occurs. An attacker can exploit this vulnerability by authenticating to the device and entering a custom command in the CLI. Affected Products: Nexus 3000 Series, Nexus 3500 Platform, Nexus 3600 Platform, Nexus 5500 Platform, Nexus 5600 Platform, Nexus 6000 Series, Nexus 9000 Series (standalone NX-OS mode), Nexus 9500 R Series Switch Platform. Confirmed Unaffected Products: - Firepower 2100 Series - Firepower 4100 Series - Firepower 9300 Security Appliances - MDS 9000 Series Multilayer Switches - Nexus 1000V Switch (Microsoft Hyper-V) - Nexus 1000V Switch (VMware vSphere) - Nexus 7000 Series Switches - Nexus 7700 Series Switches - Nexus 9000 Series Fabric Switches (ACI mode) - UCS 6200 Series Fabric Interconnects - UCS 6300 Series Fabric Interconnects - UCS 6400 Series Fabric Interconnects Workaround: None Fix Software: Cisco has released software updates to fix this vulnerability. See the table for fixed versions.

Goal Reached Thanks to every supporter — we hit 100%!

Cisco NX-OS SSH Key Information Disclosure Vulnerability (CVE-2019-1731) Advisory