Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-3167

A vulnerability in the CLI of Cisco FXOS Software and Cisco UCS Manager Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS). The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including crafted arguments to specific commands. A successful exploit could allow the attacker to execute arbitrary commands on the underlying OS with the privileges of the currently logged-in user for all affected platforms excluding Cisco UCS 6400 Series Fabric Interconnects. On Cisco UCS 6400 Series Fabric Interconnects, the injected commands are executed with root privileges.

Published

2020-02-26T17:15:12.843

Last Modified

2024-11-21T05:30:28.020

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.8 (HIGH)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:C/I:C/A:C

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

3.9

Impact Score

10.0

Weaknesses

Type: Secondary
CWE-78
Type: Primary
CWE-78

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	cisco	firepower_threat_defense	< 6.2.3.13	Yes
Application	cisco	firepower_threat_defense	< 6.4.0.8	Yes
Application	cisco	firepower_threat_defense	< 6.5.0.2	Yes
Operating System	cisco	adaptive_security_appliance_software	< 9.9.2.66	Yes
Operating System	cisco	adaptive_security_appliance_software	< 9.12.3.6	Yes
Operating System	cisco	adaptive_security_appliance_software	< 9.13.1.5	Yes
Hardware	cisco	firepower_1010	-	No
Hardware	cisco	firepower_1120	-	No
Hardware	cisco	firepower_1140	-	No
Hardware	cisco	firepower_1150	-	No
Hardware	cisco	firepower_2110	-	No
Hardware	cisco	firepower_2120	-	No
Hardware	cisco	firepower_2130	-	No
Hardware	cisco	firepower_2140	-	No
Operating System	cisco	firepower_extensible_operating_system	< 2.4.1.234	Yes
Hardware	cisco	firepower_4110	-	No
Hardware	cisco	firepower_4115	-	No
Hardware	cisco	firepower_4120	-	No
Hardware	cisco	firepower_4125	-	No
Hardware	cisco	firepower_4140	-	No
Hardware	cisco	firepower_4145	-	No
Hardware	cisco	firepower_4150	-	No
Hardware	cisco	firepower_9300	-	No
Application	cisco	ucs_manager	< 3.2\(3n\)	Yes
Application	cisco	ucs_manager	< 4.0\(4g\)	Yes
Hardware	cisco	ucs_6248up	-	No
Hardware	cisco	ucs_6296up	-	No
Hardware	cisco	ucs_6324	-	No
Hardware	cisco	ucs_6332	-	No
Hardware	cisco	ucs_6332-16up	-	No
Hardware	cisco	ucs_64108	-	No
Hardware	cisco	ucs_6454	-	No

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200226-fxos-ucs-cmdinj Vendor Advisory ([email protected])
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200226-fxos-ucs-cmdinj Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)