#VU96612 Protection Mechanism Failure in Cisco Systems, Inc products - CVE-2024-20286
Published: August 29, 2024
Vulnerability identifier: #VU96612
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-20286
CWE-ID: CWE-693
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Cisco MDS 9000 Series Multilayer Switches
Cisco Nexus 3000 Series Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches NX-OS Mode
Cisco NX-OS
Cisco MDS 9000 Series Multilayer Switches
Cisco Nexus 3000 Series Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches NX-OS Mode
Cisco NX-OS
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input. A local user can manipulate specific functions within the Python interpreter to escape the Python sandbox and execute arbitrary commands on the underlying operating system.
Remediation
Install updates from vendor's website.
External links
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-psbe-ce-YvbTn5du
- https://www.cisco.com/c/en/us/td/docs/dcn/nx-os/nexus9000/105x/programmability/cisco-nexus-9000-series-nx-os-programmability-guide-105x/m-n9k-python-api-101x.html?bookSearch=true#concept_A2CFF094ADCB414C983EA06AD8E9A410