Input validation error in Cisco Systems, Inc products - CVE-2020-3390
Published: September 24, 2020 / Updated: September 29, 2020
Vulnerability identifier: #VU47153
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-3390
CWE-ID: CWE-20
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vulnerable software:
Cisco Catalyst 9800 Wireless Controller
Cisco Embedded Wireless Controller on Catalyst 9100 Access Points
Cisco IOS XE
Cisco Catalyst 9800 Wireless Controller
Cisco Embedded Wireless Controller on Catalyst 9100 Access Points
Cisco IOS XE
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in Simple Network Management Protocol (SNMP) trap generation for wireless clients. A remote attacker on the local network can send an 802.1x packet with crafted parameters during the wireless authentication setup phase of a connection and perform a denial of service (DoS) attack.
This vulnerability affects the following products running a vulnerable release of Cisco IOS XE Software:
- Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
- Catalyst 9800 Series Wireless Controllers
- Embedded Wireless Controller on Catalyst 9100 Access Points
Remediation
Install updates from vendor's website.