SB2020060514 - Multiple vulnerabilities in Cisco IOS XE Software

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020060514

SB2020060514 - Multiple vulnerabilities in Cisco IOS XE Software

Published: June 5, 2020 Updated: June 5, 2020

Security Bulletin ID SB2020060514
Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

High 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Command Injection (CVE-ID: CVE-2020-3212)

The vulnerability allows a remote user to execute arbitrary commands on the system.

The vulnerability exists due to improper input sanitization in the web UI. A remote administrator can uplnout a specially crafted file and execute arbitrary commands on the target system.

This vulnerability affects the following products if they are running affected release of Cisco IOS XE Software: 

  • Cisco Catalyst 3850 Series Switches
  • Cisco Catalyst 3650 Series Switches
  • Cisco Catalyst 9300 Series Switches
  • Cisco Catalyst 9500 Series Switches
  • Cisco Catalyst 9200 Series Switches


2) Input validation error (CVE-ID: CVE-2020-3218)

The vulnerability allows a remote user to execute arbitrary code on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the web UI. A remote administrator can first create a malicious file on the affected device itself, then upload a second malicious file to the device and execute arbitrary code on the target system.

This vulnerability affects the following products if they are running affected release of Cisco IOS XE Software: 

  • Cisco Catalyst 3850 Series Switches
  • Cisco Catalyst 3650 Series Switches
  • Cisco Catalyst 9300 Series Switches
  • Cisco Catalyst 9500 Series Switches
  • Cisco Catalyst 9200 Series Switches


3) Input validation error (CVE-ID: CVE-2020-3221)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of parameters in a Flexible NetFlow Version 9 record. A remote attacker can send a specially crafted Flexible NetFlow Version 9 packet to the Control and Provisioning of Wireless Access Points (CAPWAP) data port of an affected device and perform a denial of service (DoS) attack.

This vulnerability affects the following products if they are running affected release of Cisco IOS XE Software: 

  •  Cisco Catalyst 9800 Series Wireless Controllers


Remediation

Install update from vendor's website.

References