Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

fstec логотип

BDU:2020-02737

Опубликовано: 03 июн. 2020
Источник: fstec
CVSS3: 9.8
CVSS2: 10
EPSS Средний

Описание

Уязвимость программной платформы Cisco IOx операционной системы Cisco IOS XE связана с недостатками разграничения доступа. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, повысить привилегии и выполнить произвольный код

Вендор

Cisco Systems Inc.

Наименование ПО

Cisco IOS XE

Версия ПО

16.5.1 (Cisco IOS XE)
16.3.1a (Cisco IOS XE)
16.5.1a (Cisco IOS XE)
16.3.1 (Cisco IOS XE)
16.3.2 (Cisco IOS XE)
16.3.3 (Cisco IOS XE)
16.3.4 (Cisco IOS XE)
16.3.5 (Cisco IOS XE)
16.3.5b (Cisco IOS XE)
16.4.1 (Cisco IOS XE)
16.6.1 (Cisco IOS XE)
16.6.4 (Cisco IOS XE)
16.4.3 (Cisco IOS XE)
16.7.2 (Cisco IOS XE)
16.3.6 (Cisco IOS XE)
16.4.2 (Cisco IOS XE)
16.5.1b (Cisco IOS XE)
16.5.2 (Cisco IOS XE)
16.5.3 (Cisco IOS XE)
16.6.2 (Cisco IOS XE)
16.6.3 (Cisco IOS XE)
16.7.1 (Cisco IOS XE)
16.8.1 (Cisco IOS XE)
16.8.1s (Cisco IOS XE)
16.9.1b (Cisco IOS XE)
16.3.7 (Cisco IOS XE)
16.6.4s (Cisco IOS XE)
16.6.4a (Cisco IOS XE)
16.8.1b (Cisco IOS XE)
16.8.1a (Cisco IOS XE)
16.8.1c (Cisco IOS XE)
16.8.2 (Cisco IOS XE)
16.9.1 (Cisco IOS XE)
16.9.2 (Cisco IOS XE)
16.9.1a (Cisco IOS XE)
16.9.1s (Cisco IOS XE)
16.9.1c (Cisco IOS XE)
16.9.1d (Cisco IOS XE)
16.9.2a (Cisco IOS XE)
16.7.3 (Cisco IOS XE)
16.10.1 (Cisco IOS XE)
16.9.2h (Cisco IOS XE)
16.12.1 (Cisco IOS XE)
16.8.3 (Cisco IOS XE)
16.9.2s (Cisco IOS XE)
16.9.3h (Cisco IOS XE)
16.3.8 (Cisco IOS XE)
16.6.5 (Cisco IOS XE)
16.10.2 (Cisco IOS XE)
16.3.9 (Cisco IOS XE)
16.6.5a (Cisco IOS XE)
16.6.6 (Cisco IOS XE)
16.6.5b (Cisco IOS XE)
16.9.3 (Cisco IOS XE)
16.9.4 (Cisco IOS XE)
16.9.3s (Cisco IOS XE)
16.9.3a (Cisco IOS XE)
16.9.4c (Cisco IOS XE)
16.10.1a (Cisco IOS XE)
16.10.1b (Cisco IOS XE)
16.10.1s (Cisco IOS XE)
16.10.1e (Cisco IOS XE)
16.10.3 (Cisco IOS XE)
16.11.1 (Cisco IOS XE)
16.11.1a (Cisco IOS XE)
16.11.1b (Cisco IOS XE)
16.11.1s (Cisco IOS XE)
16.11.1c (Cisco IOS XE)
16.12.1a (Cisco IOS XE)
16.12.1c (Cisco IOS XE)

Тип ПО

Операционная система

Операционные системы и аппаратные платформы

Cisco Systems Inc. Cisco IOS XE 16.5.1
Cisco Systems Inc. Cisco IOS XE 16.3.1a
Cisco Systems Inc. Cisco IOS XE 16.5.1a
Cisco Systems Inc. Cisco IOS XE 16.3.1
Cisco Systems Inc. Cisco IOS XE 16.3.2
Cisco Systems Inc. Cisco IOS XE 16.3.3
Cisco Systems Inc. Cisco IOS XE 16.3.4
Cisco Systems Inc. Cisco IOS XE 16.3.5
Cisco Systems Inc. Cisco IOS XE 16.3.5b
Cisco Systems Inc. Cisco IOS XE 16.4.1
Cisco Systems Inc. Cisco IOS XE 16.6.1
Cisco Systems Inc. Cisco IOS XE 16.6.4
Cisco Systems Inc. Cisco IOS XE 16.4.3
Cisco Systems Inc. Cisco IOS XE 16.7.2
Cisco Systems Inc. Cisco IOS XE 16.3.6
Cisco Systems Inc. Cisco IOS XE 16.4.2
Cisco Systems Inc. Cisco IOS XE 16.5.1b
Cisco Systems Inc. Cisco IOS XE 16.5.2
Cisco Systems Inc. Cisco IOS XE 16.5.3
Cisco Systems Inc. Cisco IOS XE 16.6.2
Cisco Systems Inc. Cisco IOS XE 16.6.3
Cisco Systems Inc. Cisco IOS XE 16.7.1
Cisco Systems Inc. Cisco IOS XE 16.8.1
Cisco Systems Inc. Cisco IOS XE 16.8.1s
Cisco Systems Inc. Cisco IOS XE 16.9.1b
Cisco Systems Inc. Cisco IOS XE 16.3.7
Cisco Systems Inc. Cisco IOS XE 16.6.4s
Cisco Systems Inc. Cisco IOS XE 16.6.4a
Cisco Systems Inc. Cisco IOS XE 16.8.1b
Cisco Systems Inc. Cisco IOS XE 16.8.1a
Cisco Systems Inc. Cisco IOS XE 16.8.1c
Cisco Systems Inc. Cisco IOS XE 16.8.2
Cisco Systems Inc. Cisco IOS XE 16.9.1
Cisco Systems Inc. Cisco IOS XE 16.9.2
Cisco Systems Inc. Cisco IOS XE 16.9.1a
Cisco Systems Inc. Cisco IOS XE 16.9.1s
Cisco Systems Inc. Cisco IOS XE 16.9.1c
Cisco Systems Inc. Cisco IOS XE 16.9.1d
Cisco Systems Inc. Cisco IOS XE 16.9.2a
Cisco Systems Inc. Cisco IOS XE 16.7.3
Cisco Systems Inc. Cisco IOS XE 16.10.1
Cisco Systems Inc. Cisco IOS XE 16.9.2h
Cisco Systems Inc. Cisco IOS XE 16.12.1
Cisco Systems Inc. Cisco IOS XE 16.8.3
Cisco Systems Inc. Cisco IOS XE 16.9.2s
Cisco Systems Inc. Cisco IOS XE 16.9.3h
Cisco Systems Inc. Cisco IOS XE 16.3.8
Cisco Systems Inc. Cisco IOS XE 16.6.5
Cisco Systems Inc. Cisco IOS XE 16.10.2
Cisco Systems Inc. Cisco IOS XE 16.3.9
Cisco Systems Inc. Cisco IOS XE 16.6.5a
Cisco Systems Inc. Cisco IOS XE 16.6.6
Cisco Systems Inc. Cisco IOS XE 16.6.5b
Cisco Systems Inc. Cisco IOS XE 16.9.3
Cisco Systems Inc. Cisco IOS XE 16.9.4
Cisco Systems Inc. Cisco IOS XE 16.9.3s
Cisco Systems Inc. Cisco IOS XE 16.9.3a
Cisco Systems Inc. Cisco IOS XE 16.9.4c
Cisco Systems Inc. Cisco IOS XE 16.10.1a
Cisco Systems Inc. Cisco IOS XE 16.10.1b
Cisco Systems Inc. Cisco IOS XE 16.10.1s
Cisco Systems Inc. Cisco IOS XE 16.10.1e
Cisco Systems Inc. Cisco IOS XE 16.10.3
Cisco Systems Inc. Cisco IOS XE 16.11.1
Cisco Systems Inc. Cisco IOS XE 16.11.1a
Cisco Systems Inc. Cisco IOS XE 16.11.1b
Cisco Systems Inc. Cisco IOS XE 16.11.1s
Cisco Systems Inc. Cisco IOS XE 16.11.1c
Cisco Systems Inc. Cisco IOS XE 16.12.1a
Cisco Systems Inc. Cisco IOS XE 16.12.1c

Уровень опасности уязвимости

Критический уровень опасности (базовая оценка CVSS 2.0 составляет 10)
Критический уровень опасности (базовая оценка CVSS 3.0 составляет 9,8)

Возможные меры по устранению уязвимости

Использование рекомендаций:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ioxPE-KgGvCAf9

Статус уязвимости

Подтверждена производителем

Наличие эксплойта

Данные уточняются

Информация об устранении

Уязвимость устранена

Ссылки на источники

Идентификаторы других систем описаний уязвимостей

EPSS

Процентиль: 94%
0.13371
Средний

9.8 Critical

CVSS3

10 Critical

CVSS2

Связанные уязвимости

nvd логотип

CVE-2020-3227

CVSS3: 9.8
nvd
больше 5 лет назад

A vulnerability in the authorization controls for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software could allow an unauthenticated, remote attacker to execute Cisco IOx API commands without proper authorization. The vulnerability is due to incorrect handling of requests for authorization tokens. An attacker could exploit this vulnerability by using a crafted API call to request such a token. An exploit could allow the attacker to obtain an authorization token and execute any of the IOx API commands on an affected device.

github логотип

GHSA-qmfx-jqw3-rhhv

CVSS3: 9.8
github
больше 3 лет назад

A vulnerability in the authorization controls for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software could allow an unauthenticated, remote attacker to execute Cisco IOx API commands without proper authorization. The vulnerability is due to incorrect handling of requests for authorization tokens. An attacker could exploit this vulnerability by using a crafted API call to request such a token. An exploit could allow the attacker to obtain an authorization token and execute any of the IOx API commands on an affected device.

EPSS

Процентиль: 94%
0.13371
Средний

9.8 Critical

CVSS3

10 Critical

CVSS2