Improper access control in Cisco Systems, Inc products - CVE-2020-3418
Published: September 24, 2020 / Updated: September 29, 2020
Vulnerability identifier: #VU47141
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-3418
CWE-ID: CWE-284
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vulnerable software:
Cisco Catalyst 9800 Wireless Controller
Cisco Embedded Wireless Controller on Catalyst 9100 Access Points
Cisco IOS XE
Cisco Catalyst 9800 Wireless Controller
Cisco Embedded Wireless Controller on Catalyst 9100 Access Points
Cisco IOS XE
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to an incomplete access control list (ACL) being applied prior to RUN state. A remote attacker on the local network can send ICMPv6 traffic prior to RUN state.
This vulnerability affects the following products running a vulnerable release of Cisco IOS XE Software:
- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
- Catalyst 9800 Series Wireless Controllers
- Embedded Wireless Controller on Catalyst 9100 Access Points
Remediation
Install updates from vendor's website.