CVE-2020-3393 : A vulnerability in the application-hosting subsystem of Cisco IOS XE Software co

A vulnerability in the application-hosting subsystem of Cisco IOS XE Software could allow an authenticated, local attacker to elevate privileges to root on an affected device. The attacker could execute IOS XE commands outside the application-hosting subsystem Docker container as well as on the underlying Linux operating system. These commands could be run as the root user. The vulnerability is due to a combination of two factors: (a) incomplete input validation of the user payload of CLI commands, and (b) improper role-based access control (RBAC) when commands are issued at the command line within the application-hosting subsystem. An attacker could exploit this vulnerability by using a CLI command with crafted user input. A successful exploit could allow the lower-privileged attacker to execute arbitrary CLI commands with root privileges. The attacker would need valid user credentials to exploit this vulnerability.

Published 2020-09-24 18:15:18

Updated 2024-12-19 13:52:35

Source Cisco Systems, Inc.

View at NVD, CVE.org

Products affected by CVE-2020-3393

Cisco » Ios Xe » Version: 16.12.1
cpe:2.3:o:cisco:ios_xe:16.12.1:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » 1100-4g Integrated Services Router » Version: N/A
When used together with: Cisco » 1100-4gltegb Integrated Services Router » Version: N/A
When used together with: Cisco » 1100-4gltena Integrated Services Router » Version: N/A
When used together with: Cisco » 1100-4p Integrated Services Router » Version: N/A
When used together with: Cisco » 1100-6g Integrated Services Router » Version: N/A
When used together with: Cisco » 1100-8p Integrated Services Router » Version: N/A
When used together with: Cisco » 1100-lte Integrated Services Router » Version: N/A
When used together with: Cisco » 1100 Integrated Services Router » Version: N/A
When used together with: Cisco » 1101-4p Integrated Services Router » Version: N/A
When used together with: Cisco » 1101 Integrated Services Router » Version: N/A
When used together with: Cisco » 1109-2p Integrated Services Router » Version: N/A
When used together with: Cisco » 1109-4p Integrated Services Router » Version: N/A
When used together with: Cisco » 1109 Integrated Services Router » Version: N/A
When used together with: Cisco » 1111x-8p Integrated Services Router » Version: N/A
When used together with: Cisco » 1111x Integrated Services Router » Version: N/A
When used together with: Cisco » 111x Integrated Services Router » Version: N/A
When used together with: Cisco » 1120 Integrated Services Router » Version: N/A
When used together with: Cisco » 1160 Integrated Services Router » Version: N/A
When used together with: Cisco » 4221 Integrated Services Router » Version: N/A
When used together with: Cisco » 4331 Integrated Services Router » Version: N/A
When used together with: Cisco » 4431 Integrated Services Router » Version: N/A
When used together with: Cisco » 4451 Integrated Services Router » Version: N/A
When used together with: Cisco » 4461 Integrated Services Router » Version: N/A
When used together with: Cisco » Asr 1000-x » Version: N/A
When used together with: Cisco » Asr 1001 » Version: N/A
When used together with: Cisco » Asr 1001-x » Version: N/A
When used together with: Cisco » Asr 1002 » Version: N/A
When used together with: Cisco » Asr 1002-x » Version: N/A
When used together with: Cisco » Asr 1004 » Version: N/A
When used together with: Cisco » Asr 1006 » Version: N/A
When used together with: Cisco » Asr 1013 » Version: N/A
When used together with: Cisco » Asr1001-hx » Version: N/A
When used together with: Cisco » Asr1001-hx-rf » Version: N/A
When used together with: Cisco » Asr1001-x-rf » Version: N/A
When used together with: Cisco » Asr1001-x-ws » Version: N/A
When used together with: Cisco » Asr1002-hx » Version: N/A
When used together with: Cisco » Asr1002-hx-rf » Version: N/A
When used together with: Cisco » Asr1002-hx-ws » Version: N/A
When used together with: Cisco » Asr1002-x-rf » Version: N/A
When used together with: Cisco » Asr1002-x-ws » Version: N/A
When used together with: Cisco » Catalyst 9800-40 » Version: N/A
When used together with: Cisco » Catalyst 9800-80 » Version: N/A
When used together with: Cisco » Catalyst 9800-cl » Version: N/A
When used together with: Cisco » Catalyst 9800-l » Version: N/A
When used together with: Cisco » Catalyst 9800-l-c » Version: N/A
When used together with: Cisco » Catalyst 9800-l-f » Version: N/A
When used together with: Cisco » Catalyst C9200-24p » Version: N/A
When used together with: Cisco » Catalyst C9200-24t » Version: N/A
When used together with: Cisco » Catalyst C9200-48p » Version: N/A
When used together with: Cisco » Catalyst C9200-48t » Version: N/A
When used together with: Cisco » Catalyst C9200l-24p-4g » Version: N/A
When used together with: Cisco » Catalyst C9200l-24p-4x » Version: N/A
When used together with: Cisco » Catalyst C9200l-24pxg-2y » Version: N/A
When used together with: Cisco » Catalyst C9200l-24pxg-4x » Version: N/A
When used together with: Cisco » Catalyst C9200l-24t-4g » Version: N/A
When used together with: Cisco » Catalyst C9200l-24t-4x » Version: N/A
When used together with: Cisco » Catalyst C9200l-48p-4g » Version: N/A
When used together with: Cisco » Catalyst C9200l-48p-4x » Version: N/A
When used together with: Cisco » Catalyst C9200l-48pxg-2y » Version: N/A
When used together with: Cisco » Catalyst C9200l-48pxg-4x » Version: N/A
When used together with: Cisco » Catalyst C9200l-48t-4g » Version: N/A
When used together with: Cisco » Catalyst C9200l-48t-4x » Version: N/A
When used together with: Cisco » Catalyst C9300-24p » Version: N/A
When used together with: Cisco » Catalyst C9300-24s » Version: N/A
When used together with: Cisco » Catalyst C9300-24t » Version: N/A
When used together with: Cisco » Catalyst C9300-24u » Version: N/A
When used together with: Cisco » Catalyst C9300-24ux » Version: N/A
When used together with: Cisco » Catalyst C9300-48p » Version: N/A
When used together with: Cisco » Catalyst C9300-48s » Version: N/A
When used together with: Cisco » Catalyst C9300-48t » Version: N/A
When used together with: Cisco » Catalyst C9300-48u » Version: N/A
When used together with: Cisco » Catalyst C9300-48un » Version: N/A
When used together with: Cisco » Catalyst C9300-48uxm » Version: N/A
When used together with: Cisco » Catalyst C9300l-24p-4g » Version: N/A
When used together with: Cisco » Catalyst C9300l-24p-4x » Version: N/A
When used together with: Cisco » Catalyst C9300l-24t-4g » Version: N/A
When used together with: Cisco » Catalyst C9300l-24t-4x » Version: N/A
When used together with: Cisco » Catalyst C9300l-48p-4g » Version: N/A
When used together with: Cisco » Catalyst C9300l-48p-4x » Version: N/A
When used together with: Cisco » Catalyst C9300l-48t-4g » Version: N/A
When used together with: Cisco » Catalyst C9300l-48t-4x » Version: N/A
When used together with: Cisco » Catalyst C9404r » Version: N/A
When used together with: Cisco » Catalyst C9407r » Version: N/A
When used together with: Cisco » Catalyst C9410r » Version: N/A
When used together with: Cisco » Catalyst C9500-12q » Version: N/A
When used together with: Cisco » Catalyst C9500-16x » Version: N/A
When used together with: Cisco » Catalyst C9500-24q » Version: N/A
When used together with: Cisco » Catalyst C9500-24y4c » Version: N/A
When used together with: Cisco » Catalyst C9500-32c » Version: N/A
When used together with: Cisco » Catalyst C9500-32qc » Version: N/A
When used together with: Cisco » Catalyst C9500-40x » Version: N/A
When used together with: Cisco » Catalyst C9500-48y4c » Version: N/A
When used together with: Cisco » Csr 1000v
When used together with: Cisco » Ws-c3650-12x48uq » Version: N/A
When used together with: Cisco » Ws-c3650-12x48ur » Version: N/A
When used together with: Cisco » Ws-c3650-12x48uz » Version: N/A
When used together with: Cisco » Ws-c3650-24pd » Version: N/A
When used together with: Cisco » Ws-c3650-24pdm » Version: N/A
When used together with: Cisco » Ws-c3650-24ps » Version: N/A
When used together with: Cisco » Ws-c3650-24td » Version: N/A
When used together with: Cisco » Ws-c3650-24ts » Version: N/A
When used together with: Cisco » Ws-c3650-48fd » Version: N/A
When used together with: Cisco » Ws-c3650-48fq » Version: N/A
When used together with: Cisco » Ws-c3650-48fqm » Version: N/A
When used together with: Cisco » Ws-c3650-48fs » Version: N/A
When used together with: Cisco » Ws-c3650-48pd » Version: N/A
When used together with: Cisco » Ws-c3650-48pq » Version: N/A
When used together with: Cisco » Ws-c3650-48ps » Version: N/A
When used together with: Cisco » Ws-c3650-48td » Version: N/A
When used together with: Cisco » Ws-c3650-48tq » Version: N/A
When used together with: Cisco » Ws-c3650-48ts » Version: N/A
When used together with: Cisco » Ws-c3650-8x24uq » Version: N/A
When used together with: Cisco » Ws-c3850 » Version: N/A
When used together with: Cisco » Ws-c3850-12s » Version: N/A
When used together with: Cisco » Ws-c3850-12x48u » Version: N/A
When used together with: Cisco » Ws-c3850-12xs » Version: N/A
When used together with: Cisco » Ws-c3850-24p » Version: N/A
When used together with: Cisco » Ws-c3850-24s » Version: N/A
When used together with: Cisco » Ws-c3850-24t » Version: N/A
When used together with: Cisco » Ws-c3850-24u » Version: N/A
When used together with: Cisco » Ws-c3850-24xs » Version: N/A
When used together with: Cisco » Ws-c3850-24xu » Version: N/A
When used together with: Cisco » Ws-c3850-48f » Version: N/A
When used together with: Cisco » Ws-c3850-48p » Version: N/A
When used together with: Cisco » Ws-c3850-48t » Version: N/A
When used together with: Cisco » Ws-c3850-48u » Version: N/A
When used together with: Cisco » Ws-c3850-48xs » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2020-3393

EPSS FAQ

0.03%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 8 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-3393

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
6.0	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N	0.8	5.2	Cisco Systems, Inc.
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
6.0	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N	0.8	5.2	Cisco Systems, Inc.	2024-12-19
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2020-3393

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)
CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Assigned by: ykramarz@cisco.com (Secondary)

References for CVE-2020-3393

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-iox-app-host-mcZcnsBt

Cisco IOS XE Software IOx Application Hosting Privilege Escalation Vulnerability
Vendor Advisory

Jump to

Vulnerability Details : CVE-2020-3393

Products affected by CVE-2020-3393

Exploit prediction scoring system (EPSS) score for CVE-2020-3393

CVSS scores for CVE-2020-3393

CWE ids for CVE-2020-3393

References for CVE-2020-3393