Details of VAR-202010-1029

ID

VAR-202010-1029

CVE

CVE-2020-3467

TITLE

Cisco Identity Services Engine Authentication Vulnerability in Microsoft

Trust: 0.8

sources: JVNDB: JVNDB-2020-012236

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to modify parts of the configuration on an affected device. The vulnerability is due to improper enforcement of role-based access control (RBAC) within the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to modify parts of the configuration. The modified configuration could either allow unauthorized devices onto the network or prevent authorized devices from accessing the network. To exploit this vulnerability, an attacker would need valid Read-Only Administrator credentials. Cisco Identity Services Engine (ISE) Contains an improper authentication vulnerability.Denial of service (DoS) It may be put into a state. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies

Trust: 1.71

sources: NVD: CVE-2020-3467 // JVNDB: JVNDB-2020-012236 // VULHUB: VHN-181592

AFFECTED PRODUCTS

vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.7\(0.356\)	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	lte	version:	2.4	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.7	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.7.0.356	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.6.0	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.5	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.6.0.156	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.6\(0.156\)	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.4.0.357	Trust: 1.0
vendor:	cisco	model:	identity services engine	scope:	eq	version:	2.4\(0.357\)	Trust: 1.0
vendor:	シスコシステムズ	model:	cisco identity services engine ソフトウェア	scope:	eq	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco identity services engine ソフトウェア	scope:	eq	version:	cisco identity services engine software	Trust: 0.8

sources: JVNDB: JVNDB-2020-012236 // NVD: CVE-2020-3467

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-3467
value:	HIGH
Trust: 1.0
ykramarz@cisco.com:	CVE-2020-3467
value:	HIGH
Trust: 1.0
NVD:	CVE-2020-3467
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202010-234
value:	HIGH
Trust: 0.6
VULHUB:	VHN-181592
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-3467
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-181592
severity:	MEDIUM
baseScore:	5.5
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

ykramarz@cisco.com:	CVE-2020-3467
baseSeverity:	HIGH
baseScore:	7.7
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.1
impactScore:	4.0
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2020-3467
baseSeverity:	HIGH
baseScore:	7.7
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.1
impactScore:	4.0
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-181592 // JVNDB: JVNDB-2020-012236 // CNNVD: CNNVD-202010-234 // NVD: CVE-2020-3467 // NVD: CVE-2020-3467

PROBLEMTYPE DATA

problemtype:	CWE-863	Trust: 1.1
problemtype:	Bad authentication (CWE-863) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-181592 // JVNDB: JVNDB-2020-012236 // NVD: CVE-2020-3467

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202010-234

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202010-234

PATCH

title:	cisco-sa-ise-auth-bypass-uJWqLTZM	url:	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-auth-bypass-uJWqLTZM	Trust: 0.8
title:	Cisco Identity Services Engine Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=129863	Trust: 0.6

sources: JVNDB: JVNDB-2020-012236 // CNNVD: CNNVD-202010-234

EXTERNAL IDS

db:	NVD	id:	CVE-2020-3467	Trust: 2.5
db:	JVNDB	id:	JVNDB-2020-012236	Trust: 0.8
db:	AUSCERT	id:	ESB-2020.3481	Trust: 0.6
db:	NSFOCUS	id:	50138	Trust: 0.6
db:	CNNVD	id:	CNNVD-202010-234	Trust: 0.6
db:	CNVD	id:	CNVD-2020-56457	Trust: 0.1
db:	VULHUB	id:	VHN-181592	Trust: 0.1

sources: VULHUB: VHN-181592 // JVNDB: JVNDB-2020-012236 // CNNVD: CNNVD-202010-234 // NVD: CVE-2020-3467

REFERENCES

url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-ise-auth-bypass-ujwqltzm	Trust: 2.3
url:	https://nvd.nist.gov/vuln/detail/cve-2020-3467	Trust: 1.4
url:	https://www.auscert.org.au/bulletins/esb-2020.3481/	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/50138	Trust: 0.6

sources: VULHUB: VHN-181592 // JVNDB: JVNDB-2020-012236 // CNNVD: CNNVD-202010-234 // NVD: CVE-2020-3467

SOURCES

db:	VULHUB	id:	VHN-181592
db:	JVNDB	id:	JVNDB-2020-012236
db:	CNNVD	id:	CNNVD-202010-234
db:	NVD	id:	CVE-2020-3467

LAST UPDATE DATE

2024-08-14T13:43:49.826000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-181592	date:	2020-10-16T00:00:00
db:	JVNDB	id:	JVNDB-2020-012236	date:	2021-04-27T06:50:00
db:	CNNVD	id:	CNNVD-202010-234	date:	2020-11-04T00:00:00
db:	NVD	id:	CVE-2020-3467	date:	2020-10-16T16:16:27.810

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-181592	date:	2020-10-08T00:00:00
db:	JVNDB	id:	JVNDB-2020-012236	date:	2021-04-27T00:00:00
db:	CNNVD	id:	CNNVD-202010-234	date:	2020-10-08T00:00:00
db:	NVD	id:	CVE-2020-3467	date:	2020-10-08T05:15:14.663