Command Injection in Cisco IOS XE - CVE-2020-3207

 

Command Injection in Cisco IOS XE - CVE-2020-3207

Published: June 5, 2020


Vulnerability identifier: #VU28761
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-3207
CWE-ID: CWE-77
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco IOS XE

Detailed vulnerability description

The vulnerability allows a local user to execute arbitrary commands on the system.

The vulnerability exists due to insufficient input validation checks while processing boot options. A local administrator can modify device boot options and execute arbitrary commands on the target system.

This vulnerability affects the following products if they are running affected release of Cisco IOS XE Software: 

  • Catalyst 3650 Series Switches
  • Catalyst 3850 Series Switches
  • Catalyst 9200 Series Switches
  • Catalyst 9300 Series Switches
  • Catalyst 9500 Series Switches


How to mitigate CVE-2020-3207

Install updates from vendor's website.

Sources