#VU46108 OS Command Injection in Cisco Systems, Inc products - CVE-2020-3454
Published: August 27, 2020
Vulnerability identifier: #VU46108
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-3454
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Cisco NX-OS
Cisco MDS 9000 Series Multilayer Switches
Cisco Nexus 3000 Series Switches
Cisco Nexus 3600 Platform Switches
Cisco Nexus 5500 Series Switches
Cisco Nexus 5600 Series Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches NX-OS Mode
Cisco Nexus 9500 R-Series
Cisco NX-OS
Cisco MDS 9000 Series Multilayer Switches
Cisco Nexus 3000 Series Switches
Cisco Nexus 3600 Platform Switches
Cisco Nexus 5500 Series Switches
Cisco Nexus 5600 Series Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches NX-OS Mode
Cisco Nexus 9500 R-Series
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation of specific Call Home configuration parameters when the software is configured for transport method HTTP. A remote administrator can modify parameters within the Call Home configuration and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install updates from vendor's website.