1. Home
  2. CVE Database
  3. CVE-2020-3396
MEDIUM · 6.8

CVE-2020-3396

A vulnerability in the file system on the pluggable USB 3.0 Solid State Drive (SSD) for Cisco IOS XE Software could allow an authenticated, physical attacker to remove the USB 3.0 SSD and modify sensi...

Vulnerability Description

A vulnerability in the file system on the pluggable USB 3.0 Solid State Drive (SSD) for Cisco IOS XE Software could allow an authenticated, physical attacker to remove the USB 3.0 SSD and modify sensitive areas of the file system, including the namespace container protections. The vulnerability occurs because the USB 3.0 SSD control data is not stored on the internal boot flash. An attacker could exploit this vulnerability by removing the USB 3.0 SSD, modifying or deleting files on the USB 3.0 SSD by using another device, and then reinserting the USB 3.0 SSD on the original device. A successful exploit could allow the attacker to remove container protections and perform file actions outside the namespace of the container with root privileges.

CVSS Score

6.8

MEDIUM

CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE

Affected Products

VendorProductVersions
CiscoIos Xe16.12.1
Cisco1100-4G Integrated Services Router-
Cisco1100-4Gltegb Integrated Services Router-
Cisco1100-4Gltena Integrated Services Router-
Cisco1100-6G Integrated Services Router-
Cisco1100-Lte Integrated Services Router-
Cisco1100 Integrated Services Router-
Cisco4321\/K9-Rf Integrated Services Router-
Cisco4321\/K9-Ws Integrated Services Router-
Cisco4321\/K9 Integrated Services Router-
Cisco4331\/K9-Rf Integrated Services Router-
Cisco4331\/K9-Ws Integrated Services Router-
Cisco4331\/K9 Integrated Services Router-
Cisco4351\/K9-Rf Integrated Services Router-
Cisco4351\/K9-Ws Integrated Services Router-
Cisco4351\/K9 Integrated Services Router-
CiscoAsr 1000-X-
CiscoAsr 1001-
CiscoAsr 1001-X-
CiscoAsr 1002-

Related Weaknesses (CWE)

CWE-269CWE-284

References

FAQ

What is CVE-2020-3396?

CVE-2020-3396 is a vulnerability with a CVSS score of 6.8 (MEDIUM). A vulnerability in the file system on the pluggable USB 3.0 Solid State Drive (SSD) for Cisco IOS XE Software could allow an authenticated, physical attacker to remove the USB 3.0 SSD and modify sensi...

How severe is CVE-2020-3396?

CVE-2020-3396 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-3396?

Check the references section above for vendor advisories and patch information. Affected products include: Cisco Ios Xe, Cisco 1100-4G Integrated Services Router, Cisco 1100-4Gltegb Integrated Services Router, Cisco 1100-4Gltena Integrated Services Router, Cisco 1100-6G Integrated Services Router.