7.2

CVE-2020-3210

A vulnerability in the CLI parsers of Cisco IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000) could allow an authenticated, local attacker to execute arbitrary shell commands on the Virtual Device Server (VDS) of an affected device. The attacker must have valid user credentials at privilege level 15. The vulnerability is due to insufficient validation of arguments that are passed to specific VDS-related CLI commands. An attacker could exploit this vulnerability by authenticating to the targeted device and including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands in the context of the Linux shell of VDS with the privileges of the root user.

Data is provided by the National Vulnerability Database (NVD)
Affected configurations (NVD CPE data; hardware version "-" means any version of that platform):

Cisco IOS 12.2(60)ez16   on Cisco 1120, Cisco 1240, Cisco 809, Cisco 829
Cisco IOS 15.0(2)sg11a   on Cisco 1120, Cisco 1240, Cisco 809, Cisco 829
Cisco IOS 15.3(3)jaa1    on Cisco 1120, Cisco 1240, Cisco 809, Cisco 829
Cisco IOS 15.3(3)jpj     on Cisco 1120, Cisco 1240, Cisco 809, Cisco 829
Cisco IOS 15.9(3)m       on Cisco 1120, Cisco 1240, Cisco 809, Cisco 829
Cisco IOS 15.9(3)m0a     on Cisco 1120, Cisco 1240, Cisco 809, Cisco 829
No CISA KEV entry or CERT.AT advisory was found for this CVE.

EPSS metrics

Type   Source      Score   Percentile
EPSS   FIRST.org   0.05%   0.111
CVSS metrics

Source            Base score   Exploit score   Impact score   Vector string
nvd@nist.gov      6.7          0.8             5.9            CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov      7.2          3.9             10             AV:L/AC:L/Au:N/C:C/I:C/A:C
psirt@cisco.com   6.7          0.8             5.9            CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.