Input validation error in Cisco Application Policy Infrastructure Controller



Published: 2020-01-27
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-3139
CWE-ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Cisco Application Policy Infrastructure Controller
Web applications / Remote management & hosting panels

Vendor Cisco Systems, Inc

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Input validation error

EUVDB-ID: #VU24667

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-3139

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass configured deny entries for specific IP ports.

The vulnerability exists in the out of band (OOB) management interface due to the configuration of specific IP table entries for which there is a programming logic error that results in the IP port being permitted. A remote attacker can send traffic to the OOB management interface and bypass configured IP table rules to drop specific IP port traffic. The attacker has no control over the configuration of the device itself.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Cisco Application Policy Infrastructure Controller: 1.0.1e - 4.2.2g

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iptable-bypass-GxW88XjL


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###