CVE-2020-3235 — HIGH (7.7) — White Hats Nepal

Vulnerability Description

A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software on Catalyst 4500 Series Switches could allow an authenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to insufficient input validation when the software processes specific SNMP object identifiers. An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. Note: To exploit this vulnerability by using SNMPv2c or earlier, the attacker must know the SNMP read-only community string for an affected system. To exploit this vulnerability by using SNMPv3, the attacker must know the user credentials for the affected system.

CVSS Score

7.7

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Cisco	Ios	12.2\(52\)sg
Cisco	Ios Xe	3.2.0sg
Cisco	Catalyst 4503-E	All versions
Cisco	Catalyst 4506-E	-
Cisco	Catalyst 4507R\+E	-
Cisco	Catalyst 4510R\+E	-
Oracle	Goldengate Management Pack	12.2.1.2.0

Related Weaknesses (CWE)

CWE-20 CWE-118

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sVendor Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlPatchThird Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sVendor Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlPatchThird Party Advisory

FAQ

What is CVE-2020-3235?

CVE-2020-3235 is a vulnerability with a CVSS score of 7.7 (HIGH). A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software on Catalyst 4500 Series Switches could allow an authenticated, remote attacke...

How severe is CVE-2020-3235?

CVE-2020-3235 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-3235?

Check the references section above for vendor advisories and patch information. Affected products include: Cisco Ios, Cisco Ios Xe, Cisco Catalyst 4503-E, Cisco Catalyst 4506-E, Cisco Catalyst 4507R\+E.