Cisco's IOS stands for Internetworking Operating System and is based on Linux.

There are two advisories with a severity score of 8.8, the highest of this release's 25 high-severity advisories.

One, tracked as CVE-2020-3400, is an authorization bypass vulnerability in the Cisco IOS XE software web user interface (UI) that may allow a remote attacker with valid credentials to use part of the UI. It's due to insufficient authorization of web UI access requests and could allow a user with read-only rights to perform actions with Admin user rights.

"An attacker could exploit this vulnerability by sending a crafted HTTP request to the web UI. A successful exploit could allow the attacker to utilize parts of the web UI for which they are not authorized," explains Cisco.

While there's no workaround, Cisco notes that disabling the HTTP Server feature blocks the attack vector for this bug and may be a suitable mitigation until affected devices are upgraded.

The second advisory concerns two privilege escalation vulnerabilities in the web management framework of IOS XE. These are tracked as CVE-2020-3141 and CVE-2020-3425 and can allow an authenticated, remote attacker with read-only privileges to elevate privileges to the level of an administrator user on an affected device.

Cisco notes attackers don't need to exploit both of the bugs to attack an affected device.

CVE-2020-3141 is due to a lack of input and validation-checking mechanisms for certain HTTP requests to APIs on an affected device.
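As an added example that is not part of the article or of Cisco's own tooling, a small Python audit check for the mitigation described above: it reads a saved IOS XE running-config and reports whether the HTTP Server feature (the web UI's attack vector) is still enabled. The config excerpts are constructed, and the `ip http server` / `ip http secure-server` line forms are assumed to be the standard ones IOS XE prints.

```python
import re

# Constructed running-config excerpt (not from a real device): web UI on.
VULNERABLE_CONFIG = """\
hostname edge-router
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

# Same excerpt after applying the mitigation Cisco describes:
# both the plaintext and TLS web UI listeners are disabled.
MITIGATED_CONFIG = """\
hostname edge-router
!
no ip http server
no ip http secure-server
!
line vty 0 4
 transport input ssh
"""


def http_server_state(running_config: str) -> dict:
    """Return which web UI listeners are enabled in an IOS XE running-config.

    'ip http server' / 'ip http secure-server' mean the listener is on;
    the 'no ...' forms mean it is explicitly off. Platform defaults differ
    (assumption), so a line that is simply absent is reported as 'unknown'
    rather than guessed.
    """
    state = {"http": "unknown", "https": "unknown"}
    patterns = {
        "http": re.compile(r"^(no )?ip http server\s*$"),
        "https": re.compile(r"^(no )?ip http secure-server\s*$"),
    }
    for raw in running_config.splitlines():
        line = raw.strip()  # only exact lines match, not e.g. 'ip http authentication'
        for key, pat in patterns.items():
            m = pat.match(line)
            if m:
                state[key] = "disabled" if m.group(1) else "enabled"
    return state


def web_ui_exposed(running_config: str) -> bool:
    """True if any listener is enabled, i.e. the web UI attack vector is reachable."""
    return "enabled" in http_server_state(running_config).values()
```

Feed it the output of `show running-config` captured from each device; an 'unknown' result means the line is absent and the platform default has to be checked by hand.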