Permissions, Privileges, and Access Controls in Cisco IOS XE - CVE-2020-3215
Published: June 8, 2020
Vulnerability identifier: #VU28796
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-3215
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Cisco IOS XE
Cisco IOS XE
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient validation of a user-supplied open virtual appliance (OVA). A local user can instal a malicious OVA on an affected device and gain elevated privileges on the target system.
This vulnerability affects the following products if they are running affected release of Cisco IOS XE Software:
- Cisco ASR 1000 Series Aggregation Services Routers
- Cisco Cloud Services Router 1000V Series
- Cisco Catalyst 3850 Series Switches
- Cisco Catalyst 3650 Series Switches
- Cisco 4000 Series Integrated Services Routers
- Cisco 1000 Series Integrated Services Routers
- Cisco Catalyst 9300 Series Switches
- Cisco Catalyst 9500 Series Switches
- Cisco Catalyst 9400 Series Switches
- Cisco 1100 Series Industrial Integrated Services Routers
- Cisco Catalyst 9200 Series Switches
- Cisco Catalyst 9600 Series Switches
- Cisco Catalyst 9800 Series Wireless Controllers
Remediation
Install updates from vendor's website.