Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2023-20012 |
CWE-ID | CWE-287 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software Subscribe |
Cisco Nexus 9300-FX3 Series Fabric Extender (FEX) Hardware solutions / Routers & switches, VoIP, GSM, etc UCS 6400 Series Fabric Interconnects Hardware solutions / Routers & switches, VoIP, GSM, etc UCS 6500 Series Fabric Interconnects Hardware solutions / Routers & switches, VoIP, GSM, etc N9K-C93180YC-FX3 Hardware solutions / Routers & switches, VoIP, GSM, etc N9K-C93180YC-FX3S Hardware solutions / Routers & switches, VoIP, GSM, etc Cisco UCS Other software / Other software solutions |
Vendor | Cisco Systems, Inc |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU72510
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-20012
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to bypass authentication process.
The vulnerability exists due to the improper implementation of the password validation function. An attacker with physical access can bypass authentication and execute a limited set of commands local to the FEX, leading to a device reboot and denial of service (DoS) condition.
MitigationInstall updates from vendor's website.
Vulnerable software versionsCisco Nexus 9300-FX3 Series Fabric Extender (FEX): All versions
UCS 6400 Series Fabric Interconnects: All versions
UCS 6500 Series Fabric Interconnects: All versions
N9K-C93180YC-FX3: All versions
N9K-C93180YC-FX3S: All versions
Cisco UCS: 4.2
External linkshttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-elyfex-dos-gfvcByx
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.