CVE-2020-3227
Published 2020-06-03
Priority: P268 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.41% (87.4th percentile)
A vulnerability in the authorization controls for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software could allow an unauthenticated, remote attacker to execute Cisco IOx API commands without proper authorization. The vulnerability is due to incorrect handling of requests for authorization tokens. An attacker could exploit this vulnerability by using a crafted API call to request such a token. An exploit could allow the attacker to obtain an authorization token and execute any of the IOx API commands on an affected device.
Affected
72 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | cisco_ios_xe_software_16.3.1 | — | — |
| cisco | ios_xe | — | — |
Detection & IOCs (extracted from sources)
- Detect crafted API calls targeting the Cisco IOx authorization token endpoint: an unauthenticated request for an authorization token via the IOx API is the exploit primitive.
- Monitor for unauthenticated IOx API command execution on IOS XE devices, particularly any IOx API calls that are not preceded by a legitimate authenticated session.
- Track Cisco bug IDs CSCvq18527 and CSCvq83400 for patch status on affected IOS XE devices running the IOx application hosting infrastructure.
- The vulnerability is rooted in incorrect handling of authorization token requests within the IOx application hosting infrastructure; verify that IOx is enabled on the device, as devices that do not expose IOx are not affected.
- No workarounds exist; the only remediation is applying Cisco's software updates for IOS XE.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_cisco | — | 9.8 | CRITICAL | — |
GHSA
GHSA-qmfx-jqw3-rhhv · ghsa_unreviewed · 2022-05-24 · CVE-2020-3227 [CRITICAL] · CWE-863
A vulnerability in the authorization controls for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software could allow an unauthenticated, remote attacker to execute Cisco IOx API commands without proper authorization. The vulnerability is due to incorrect handling of requests for authorization tokens. An attacker could exploit this vulnerability by using a crafted API call to request such a token. An exploit could allow the attacker to obtain an authorization token and execute any of the IOx API commands on an affected device.
Cisco
Cisco IOx for IOS XE Software Privilege Escalation Vulnerability
vendor_cisco · 2020-06-03 · CVSS 9.8 · CVE-2020-3227 [CRITICAL] · CWE-264
A vulnerability in the authorization controls for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software could allow an unauthenticated, remote attacker to execute Cisco IOx API commands without proper authorization.
The vulnerability is due to incorrect handling of requests for authorization tokens. An attacker could exploit this vulnerability by using a crafted API call to request such a token. An exploit could allow the attacker to obtain an authorization token and execute any of the IOx API commands on an affected device.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https:
Cisco
CVE-2020-3227: Cisco IOx for IOS XE Software Privilege Escalation Vulnerability
vendor_cisco · CVSS 3.0
A vulnerability in the authorization controls for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software could allow an unauthenticated, remote attacker to execute Cisco IOx API commands without proper authorization. The vulnerability is due to incorrect handling of requests for authorization tokens. An attacker could exploit this vulnerability by using a crafted API call to request such a token. An exploit could allow the attacker to obtain an authorization token and execute any of the IOx API commands on an affected device. Cisco has released software updates that address this vulnerability. There are no
CVSS: 3.0
CWE: CWE-264
Bug IDs: CSCvq18527, CSCvq83400
Suricata
ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid DELETE
suricata · 2010-07-30 · CVSS 7.5 · CVE-2007-0631 [HIGH]
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"catid="; nocase; fast_pattern; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; classtype:web-application-attack; sid:2005114; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitr
Suricata
ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UNION SELECT
suricata · 2010-07-30 · CVSS 7.5 · CVE-2007-0631 [HIGH]
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UNION SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"catid="; nocase; fast_pattern; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; classtype:web-application-attack; sid:2005112; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_i
Suricata
ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid ASCII
suricata · 2010-07-30 · CVSS 7.5 · CVE-2007-0631 [HIGH]
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid ASCII"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"catid="; nocase; fast_pattern; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; classtype:web-application-attack; sid:2005115; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitr
Suricata
ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid INSERT
suricata · 2010-07-30 · CVSS 7.5 · CVE-2007-0631 [HIGH]
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"catid="; nocase; fast_pattern; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; classtype:web-application-attack; sid:2005113; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitr
Suricata
ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UPDATE
suricata · 2010-07-30 · CVSS 7.5 · CVE-2007-0631 [HIGH]
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"catid="; nocase; fast_pattern; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; classtype:web-application-attack; sid:2005116; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre
No public exploits indexed.
No writeups or analysis indexed.