CVE-2020-3393 - Vulnerability Details

A vulnerability in the application-hosting subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to root on an affected device. The attacker could execute IOS XE commands outside the application-hosting subsystem Docker container as well as on the underlying Linux operating system. These commands could be run as the root user. The vulnerability is due to a combination of two factors: (a) incomplete input validation of the user payload of CLI commands, and (b) improper role-based access control (RBAC) when commands are issued at the command line within the application-hosting subsystem. An attacker could exploit this vulnerability by using a CLI command with crafted user input. A successful exploit could allow the lower-privileged attacker to execute arbitrary CLI commands with root privileges. The attacker would need valid user credentials to exploit this vulnerability.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.00105.

Exploitation none

Automatable no

Technical Impact total

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Cisco

Cisco IOS XE Software

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:cisco:ios_xe:16.12.1:*:*:*:*:*:*:*

OR	cpe:2.3:h:cisco:1100-4g_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1100-4gltegb_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1100-4gltena_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1100-4p_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1100-6g_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1100-8p_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1100-lte_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1100_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1101-4p_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1101_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1109-2p_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1109-4p_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1109_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1111x-8p_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1111x_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:111x_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1120_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:1160_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:4221_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:4331_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:4431_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:4451_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:4461_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:asr_1000-x:-:::::::*
	cpe:2.3:h:cisco:asr_1001:-:::::::*
	cpe:2.3:h:cisco:asr_1001-x:-:::::::*
	cpe:2.3:h:cisco:asr_1002:-:::::::*
	cpe:2.3:h:cisco:asr_1002-x:-:::::::*
	cpe:2.3:h:cisco:asr_1004:-:::::::*
	cpe:2.3:h:cisco:asr_1006:-:::::::*
	cpe:2.3:h:cisco:asr_1013:-:::::::*
	cpe:2.3:h:cisco:asr1001-hx:-:::::::*
	cpe:2.3:h:cisco:asr1001-hx-rf:-:::::::*
	cpe:2.3:h:cisco:asr1001-x-rf:-:::::::*
	cpe:2.3:h:cisco:asr1001-x-ws:-:::::::*
	cpe:2.3:h:cisco:asr1002-hx:-:::::::*
	cpe:2.3:h:cisco:asr1002-hx-rf:-:::::::*
	cpe:2.3:h:cisco:asr1002-hx-ws:-:::::::*
	cpe:2.3:h:cisco:asr1002-x-rf:-:::::::*
	cpe:2.3:h:cisco:asr1002-x-ws:-:::::::*
	cpe:2.3:h:cisco:catalyst_9800-40:-:::::::*
	cpe:2.3:h:cisco:catalyst_9800-80:-:::::::*
	cpe:2.3:h:cisco:catalyst_9800-cl:-:::::::*
	cpe:2.3:h:cisco:catalyst_9800-l:-:::::::*
	cpe:2.3:h:cisco:catalyst_9800-l-c:-:::::::*
	cpe:2.3:h:cisco:catalyst_9800-l-f:-:::::::*
	cpe:2.3:h:cisco:catalyst_c9200-24p:-:::::::*
	cpe:2.3:h:cisco:catalyst_c9200-24t:-:::::::*
	cpe:2.3:h:cisco:catalyst_c9200-48p:-:::::::*
	cpe:2.3:h:cisco:catalyst_c9200-48t:-:::::::*
	cpe:2.3:h:cisco:catalyst_c9200l-24p-4g:-:::::::*
	cpe:2.3:h:cisco:catalyst_c9200l-24p-4x:-:::::::*
	cpe:2.3:h:cisco:catalyst_c9200l-24pxg-2y:-:::::::*
	cpe:2.3:h:cisco:catalyst_c9200l-24pxg-4x:-:::::::*
	cpe:2.3:h:cisco:catalyst_c9200l-24t-4g:-:::::::*
	cpe:2.3:h:cisco:catalyst_c9200l-24t-4x:-:::::::*
	cpe:2.3:h:cisco:catalyst_c9200l-48p-4g:-:::::::*
	cpe:2.3:h:cisco:catalyst_c9200l-48p-4x:-:::::::*
	cpe:2.3:h:cisco:catalyst_c9200l-48pxg-2y:-:::::::*
	cpe:2.3:h:cisco:catalyst_c9200l-48pxg-4x:-:::::::*
	cpe:2.3:h:cisco:catalyst_c9200l-48t-4g:-:::::::*
	cpe:2.3:h:cisco:catalyst_c9200l-48t-4x:-:::::::*
	cpe:2.3:h:cisco:catalyst_c9300-24p:-:::::::*
	cpe:2.3:h:cisco:catalyst_c9300-24s:-:::::::*
cpe:2.3:h:cisco:catalyst_c9300-24t:-:::::::*
cpe:2.3:h:cisco:catalyst_c9300-24u:-:::::::*
cpe:2.3:h:cisco:catalyst_c9300-24ux:-:::::::*
cpe:2.3:h:cisco:catalyst_c9300-48p:-:::::::*
cpe:2.3:h:cisco:catalyst_c9300-48s:-:::::::*
cpe:2.3:h:cisco:catalyst_c9300-48t:-:::::::*
cpe:2.3:h:cisco:catalyst_c9300-48u:-:::::::*
cpe:2.3:h:cisco:catalyst_c9300-48un:-:::::::*
cpe:2.3:h:cisco:catalyst_c9300-48uxm:-:::::::*
cpe:2.3:h:cisco:catalyst_c9300l-24p-4g:-:::::::*
cpe:2.3:h:cisco:catalyst_c9300l-24p-4x:-:::::::*
cpe:2.3:h:cisco:catalyst_c9300l-24t-4g:-:::::::*
cpe:2.3:h:cisco:catalyst_c9300l-24t-4x:-:::::::*
cpe:2.3:h:cisco:catalyst_c9300l-48p-4g:-:::::::*
cpe:2.3:h:cisco:catalyst_c9300l-48p-4x:-:::::::*
cpe:2.3:h:cisco:catalyst_c9300l-48t-4g:-:::::::*
cpe:2.3:h:cisco:catalyst_c9300l-48t-4x:-:::::::*
cpe:2.3:h:cisco:catalyst_c9404r:-:::::::*
cpe:2.3:h:cisco:catalyst_c9407r:-:::::::*
cpe:2.3:h:cisco:catalyst_c9410r:-:::::::*
cpe:2.3:h:cisco:catalyst_c9500-12q:-:::::::*
cpe:2.3:h:cisco:catalyst_c9500-16x:-:::::::*
cpe:2.3:h:cisco:catalyst_c9500-24q:-:::::::*
cpe:2.3:h:cisco:catalyst_c9500-24y4c:-:::::::*
cpe:2.3:h:cisco:catalyst_c9500-32c:-:::::::*
cpe:2.3:h:cisco:catalyst_c9500-32qc:-:::::::*
cpe:2.3:h:cisco:catalyst_c9500-40x:-:::::::*
cpe:2.3:h:cisco:catalyst_c9500-48y4c:-:::::::*
cpe:2.3:h:cisco:csr_1000v::::::::
cpe:2.3:h:cisco:ws-c3650-12x48uq:-:::::::*
cpe:2.3:h:cisco:ws-c3650-12x48ur:-:::::::*
cpe:2.3:h:cisco:ws-c3650-12x48uz:-:::::::*
cpe:2.3:h:cisco:ws-c3650-24pd:-:::::::*
cpe:2.3:h:cisco:ws-c3650-24pdm:-:::::::*
cpe:2.3:h:cisco:ws-c3650-24ps:-:::::::*
cpe:2.3:h:cisco:ws-c3650-24td:-:::::::*
cpe:2.3:h:cisco:ws-c3650-24ts:-:::::::*
cpe:2.3:h:cisco:ws-c3650-48fd:-:::::::*
cpe:2.3:h:cisco:ws-c3650-48fq:-:::::::*
cpe:2.3:h:cisco:ws-c3650-48fqm:-:::::::*
cpe:2.3:h:cisco:ws-c3650-48fs:-:::::::*
cpe:2.3:h:cisco:ws-c3650-48pd:-:::::::*
cpe:2.3:h:cisco:ws-c3650-48pq:-:::::::*
cpe:2.3:h:cisco:ws-c3650-48ps:-:::::::*
cpe:2.3:h:cisco:ws-c3650-48td:-:::::::*
cpe:2.3:h:cisco:ws-c3650-48tq:-:::::::*
cpe:2.3:h:cisco:ws-c3650-48ts:-:::::::*
cpe:2.3:h:cisco:ws-c3650-8x24uq:-:::::::*
cpe:2.3:h:cisco:ws-c3850:-:::::::*
cpe:2.3:h:cisco:ws-c3850-12s:-:::::::*
cpe:2.3:h:cisco:ws-c3850-12x48u:-:::::::*
cpe:2.3:h:cisco:ws-c3850-12xs:-:::::::*
cpe:2.3:h:cisco:ws-c3850-24p:-:::::::*
cpe:2.3:h:cisco:ws-c3850-24s:-:::::::*
cpe:2.3:h:cisco:ws-c3850-24t:-:::::::*
cpe:2.3:h:cisco:ws-c3850-24u:-:::::::*
cpe:2.3:h:cisco:ws-c3850-24xs:-:::::::*
cpe:2.3:h:cisco:ws-c3850-24xu:-:::::::*
cpe:2.3:h:cisco:ws-c3850-48f:-:::::::*
cpe:2.3:h:cisco:ws-c3850-48p:-:::::::*
cpe:2.3:h:cisco:ws-c3850-48t:-:::::::*
cpe:2.3:h:cisco:ws-c3850-48u:-:::::::*
cpe:2.3:h:cisco:ws-c3850-48xs:-:::::::*

No data.

Project Subscriptions

Vendors	Products
Cisco Subscribe	1100-4g Integrated Services Router Subscribe 1100-4gltegb Integrated Services Router Subscribe 1100-4gltena Integrated Services Router Subscribe 1100-4p Integrated Services Router Subscribe 1100-6g Integrated Services Router Subscribe 1100-8p Integrated Services Router Subscribe 1100-lte Integrated Services Router Subscribe 1100 Integrated Services Router Subscribe 1101-4p Integrated Services Router Subscribe 1101 Integrated Services Router Subscribe 1109-2p Integrated Services Router Subscribe 1109-4p Integrated Services Router Subscribe 1109 Integrated Services Router Subscribe 1111x-8p Integrated Services Router Subscribe 1111x Integrated Services Router Subscribe 111x Integrated Services Router Subscribe 1120 Integrated Services Router Subscribe 1160 Integrated Services Router Subscribe 4221 Integrated Services Router Subscribe 4331 Integrated Services Router Subscribe 4431 Integrated Services Router Subscribe 4451 Integrated Services Router Subscribe 4461 Integrated Services Router Subscribe Asr1001-hx Subscribe Asr1001-hx-rf Subscribe Asr1001-x-rf Subscribe Asr1001-x-ws Subscribe Asr1002-hx Subscribe Asr1002-hx-rf Subscribe Asr1002-hx-ws Subscribe Asr1002-x-rf Subscribe Asr1002-x-ws Subscribe Asr 1000-x Subscribe Asr 1001 Subscribe Asr 1001-x Subscribe Asr 1002 Subscribe Asr 1002-x Subscribe Asr 1004 Subscribe Asr 1006 Subscribe Asr 1013 Subscribe Catalyst 9800-40 Subscribe Catalyst 9800-80 Subscribe Catalyst 9800-cl Subscribe Catalyst 9800-l Subscribe Catalyst 9800-l-c Subscribe Catalyst 9800-l-f Subscribe Catalyst C9200-24p Subscribe Catalyst C9200-24t Subscribe Catalyst C9200-48p Subscribe Catalyst C9200-48t Subscribe Catalyst C9200l-24p-4g Subscribe Catalyst C9200l-24p-4x Subscribe Catalyst C9200l-24pxg-2y Subscribe Catalyst C9200l-24pxg-4x Subscribe Catalyst C9200l-24t-4g Subscribe Catalyst C9200l-24t-4x Subscribe Catalyst C9200l-48p-4g Subscribe Catalyst C9200l-48p-4x Subscribe Catalyst C9200l-48pxg-2y Subscribe Catalyst C9200l-48pxg-4x Subscribe Catalyst C9200l-48t-4g Subscribe Catalyst C9200l-48t-4x Subscribe Catalyst C9300-24p Subscribe Catalyst C9300-24s Subscribe Catalyst C9300-24t Subscribe Catalyst C9300-24u Subscribe Catalyst C9300-24ux Subscribe Catalyst C9300-48p Subscribe Catalyst C9300-48s Subscribe Catalyst C9300-48t Subscribe Catalyst C9300-48u Subscribe Catalyst C9300-48un Subscribe Catalyst C9300-48uxm Subscribe Catalyst C9300l-24p-4g Subscribe Catalyst C9300l-24p-4x Subscribe Catalyst C9300l-24t-4g Subscribe Catalyst C9300l-24t-4x Subscribe Catalyst C9300l-48p-4g Subscribe Catalyst C9300l-48p-4x Subscribe Catalyst C9300l-48t-4g Subscribe Catalyst C9300l-48t-4x Subscribe Catalyst C9404r Subscribe Catalyst C9407r Subscribe Catalyst C9410r Subscribe Catalyst C9500-12q Subscribe Catalyst C9500-16x Subscribe Catalyst C9500-24q Subscribe Catalyst C9500-24y4c Subscribe Catalyst C9500-32c Subscribe Catalyst C9500-32qc Subscribe Catalyst C9500-40x Subscribe Catalyst C9500-48y4c Subscribe Csr 1000v Subscribe Ios Xe Subscribe Ws-c3650-12x48uq Subscribe Ws-c3650-12x48ur Subscribe Ws-c3650-12x48uz Subscribe Ws-c3650-24pd Subscribe Ws-c3650-24pdm Subscribe Ws-c3650-24ps Subscribe Ws-c3650-24td Subscribe Ws-c3650-24ts Subscribe Ws-c3650-48fd Subscribe Ws-c3650-48fq Subscribe Ws-c3650-48fqm Subscribe Ws-c3650-48fs Subscribe Ws-c3650-48pd Subscribe Ws-c3650-48pq Subscribe Ws-c3650-48ps Subscribe Ws-c3650-48td Subscribe Ws-c3650-48tq Subscribe Ws-c3650-48ts Subscribe Ws-c3650-8x24uq Subscribe Ws-c3850 Subscribe Ws-c3850-12s Subscribe Ws-c3850-12x48u Subscribe Ws-c3850-12xs Subscribe Ws-c3850-24p Subscribe Ws-c3850-24s Subscribe Ws-c3850-24t Subscribe Ws-c3850-24u Subscribe Ws-c3850-24xs Subscribe Ws-c3850-24xu Subscribe Ws-c3850-48f Subscribe Ws-c3850-48p Subscribe Ws-c3850-48t Subscribe Ws-c3850-48u Subscribe Ws-c3850-48xs Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2020-24664	A vulnerability in the application-hosting subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to root on an affected device. The attacker could execute IOS XE commands outside the application-hosting subsystem Docker container as well as on the underlying Linux operating system. These commands could be run as the root user. The vulnerability is due to a combination of two factors: (a) incomplete input validation of the user payload of CLI commands, and (b) improper role-based access control (RBAC) when commands are issued at the command line within the application-hosting subsystem. An attacker could exploit this vulnerability by using a CLI command with crafted user input. A successful exploit could allow the lower-privileged attacker to execute arbitrary CLI commands with root privileges. The attacker would need valid user credentials to exploit this vulnerability.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-iox-app-host-mcZcnsBt

History

Thu, 19 Dec 2024 14:15:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:cisco:ios_xe:16.12.1:::::::*	cpe:2.3:o:cisco:ios_xe:16.12.1:::::::*

Wed, 13 Nov 2024 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2020-09-24T18:02:31.669408Z

Updated: 2024-11-13T17:54:13.042Z

Reserved: 2019-12-12T00:00:00

Link: CVE-2020-3393

Vulnrichment

Updated: 2024-08-04T07:30:58.334Z

NVD

Status : Modified

Published: 2020-09-24T18:15:17.587

Modified: 2024-12-19T13:52:35.190

Link: CVE-2020-3393

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation none

Automatable no

Technical Impact total

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object