Protection Mechanism Failure in Cisco Systems, Inc products - CVE-2024-20285

 


Published: August 29, 2024


Vulnerability identifier: #VU96611
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-20285
CWE-ID: CWE-693
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco MDS 9000 Series Multilayer Switches
Cisco Nexus 3000 Series Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches NX-OS Mode
Cisco NX-OS

Detailed vulnerability description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input. A local user can manipulate specific functions within the Python interpreter to escape the Python sandbox and execute arbitrary commands on the underlying operating system.


How to mitigate CVE-2024-20285

Install updates from the vendor's website.

Sources