ID

VAR-202007-1048


CVE

CVE-2020-3382


TITLE

Cisco Data Center Network Manager Vulnerability in using hard-coded credentials in

Trust: 0.8

sources: JVNDB: JVNDB-2020-008962

DESCRIPTION

A vulnerability in the REST API of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability exists because different installations share a static encryption key. An attacker could exploit this vulnerability by using the static key to craft a valid session token. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges. (DoS) It may be put into a state. Cisco Data Center Network Manager (DCNM) is a data center management system of Cisco (Cisco). The system is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions. The following products and versions are affected: Cisco DCNM Release 11.0(1), Release 11.1(1), Release 11.2(1), Release 11.3(1)

Trust: 1.71

sources: NVD: CVE-2020-3382 // JVNDB: JVNDB-2020-008962 // VULHUB: VHN-181507

AFFECTED PRODUCTS

vendor:ciscomodel:data center network managerscope:ltversion:11.4\(1\)

Trust: 1.0

vendor:ciscomodel:data center network managerscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-008962 // NVD: CVE-2020-3382

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-3382
value: CRITICAL

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3382
value: CRITICAL

Trust: 1.0

NVD: JVNDB-2020-008962
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202007-1703
value: CRITICAL

Trust: 0.6

VULHUB: VHN-181507
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-3382
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-008962
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-181507
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-3382
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2020-3382
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-008962
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-181507 // JVNDB: JVNDB-2020-008962 // CNNVD: CNNVD-202007-1703 // NVD: CVE-2020-3382 // NVD: CVE-2020-3382

PROBLEMTYPE DATA

problemtype:CWE-798

Trust: 1.9

sources: VULHUB: VHN-181507 // JVNDB: JVNDB-2020-008962 // NVD: CVE-2020-3382

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202007-1703

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202007-1703

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-008962

PATCH

title:cisco-sa-dcnm-bypass-dyEejUMsurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dcnm-bypass-dyEejUMs

Trust: 0.8

title:Cisco Data Center Network Manager Repair measures for trust management problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=125213

Trust: 0.6

sources: JVNDB: JVNDB-2020-008962 // CNNVD: CNNVD-202007-1703

EXTERNAL IDS

db:NVDid:CVE-2020-3382

Trust: 2.5

db:JVNDBid:JVNDB-2020-008962

Trust: 0.8

db:CNNVDid:CNNVD-202007-1703

Trust: 0.7

db:NSFOCUSid:47824

Trust: 0.6

db:AUSCERTid:ESB-2020.2600

Trust: 0.6

db:CNVDid:CNVD-2020-44062

Trust: 0.1

db:VULHUBid:VHN-181507

Trust: 0.1

sources: VULHUB: VHN-181507 // JVNDB: JVNDB-2020-008962 // CNNVD: CNNVD-202007-1703 // NVD: CVE-2020-3382

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-dcnm-bypass-dyeejums

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-3382

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-3382

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.2600/

Trust: 0.6

url:https://vigilance.fr/vulnerability/cisco-data-center-network-manager-privilege-escalation-via-rest-api-32964

Trust: 0.6

url:http://www.nsfocus.net/vulndb/47824

Trust: 0.6

sources: VULHUB: VHN-181507 // JVNDB: JVNDB-2020-008962 // CNNVD: CNNVD-202007-1703 // NVD: CVE-2020-3382

SOURCES

db:VULHUBid:VHN-181507
db:JVNDBid:JVNDB-2020-008962
db:CNNVDid:CNNVD-202007-1703
db:NVDid:CVE-2020-3382

LAST UPDATE DATE

2024-08-14T14:03:38.162000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-181507date:2020-08-05T00:00:00
db:JVNDBid:JVNDB-2020-008962date:2020-10-08T00:00:00
db:CNNVDid:CNNVD-202007-1703date:2020-08-18T00:00:00
db:NVDid:CVE-2020-3382date:2020-08-05T14:18:54.413

SOURCES RELEASE DATE

db:VULHUBid:VHN-181507date:2020-07-31T00:00:00
db:JVNDBid:JVNDB-2020-008962date:2020-10-08T00:00:00
db:CNNVDid:CNNVD-202007-1703date:2020-07-29T00:00:00
db:NVDid:CVE-2020-3382date:2020-07-31T00:15:13.147