SB2020060513 - Multiple vulnerabilities in Cisco IOS XE Software

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020060513

SB2020060513 - Multiple vulnerabilities in Cisco IOS XE Software

Published: June 5, 2020 Updated: June 5, 2020

Security Bulletin ID SB2020060513
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Command Injection (CVE-ID: CVE-2020-3219)

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input sanitization in the web UI. A remote authenticated attacker can submit a specially crafted input and execute arbitrary commands on the target system.

This vulnerability affects the following products if they are running affected release of Cisco IOS XE Software: 

  • Cisco Catalyst 3850 Series Switches
  • Cisco Catalyst 3650 Series Switches
  • Cisco Catalyst 9300 Series Switches
  • Cisco Catalyst 9500 Series Switches
  • Cisco Catalyst 9200 Series Switches


2) Command Injection (CVE-ID: CVE-2020-3207)

The vulnerability allows a local user to execute arbitrary commands on the system.

The vulnerability exists due to insufficient input validation checks while processing boot options. A local administrator can modify device boot options and execute arbitrary commands on the target system.

This vulnerability affects the following products if they are running affected release of Cisco IOS XE Software: 

  • Catalyst 3650 Series Switches
  • Catalyst 3850 Series Switches
  • Catalyst 9200 Series Switches
  • Catalyst 9300 Series Switches
  • Catalyst 9500 Series Switches


Remediation

Install update from vendor's website.

References