Main Vulnerability Database Vulnerabilities #VU28565

#VU28565 Permissions, Privileges, and Access Controls in Cisco IOS XE - CVE-2020-3229

Published: June 4, 2020

Vulnerability identifier: #VU28565

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2020-3229

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Cisco IOS XE

Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to incorrect handling of Role Based Access Control (RBAC) functionality for the administration GUI. A remote authenticated attacker can send a modified HTTP request and execute CLI commands or configuration changes with elevated privileges.

This vulnerability affects the following products if they are running affected release of Cisco IOS XE Software:

Cisco Integrated Services Virtual Router
Cisco ASR 1000 Series Aggregation Services Routers
Cisco Catalyst 3850 Series Switches
Cisco Catalyst 3650 Series Switches
Cisco 1000 Series Integrated Services Routers
Cisco Catalyst 9300 Series Switches
Cisco Catalyst 9500 Series Switches
Cisco Catalyst 9200 Series Switches
Cisco Catalyst 9800 Series Wireless Controllers

Remediation

Install updates from vendor's website.

External links

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-PZgQxjfG

#VU28565 Permissions, Privileges, and Access Controls in Cisco IOS XE - CVE-2020-3229

Description

Remediation

External links

Please verify you're human