ID

VAR-202209-1886


CVE

CVE-2022-20662


TITLE

Cisco Systems  macOS  for  Duo  Authentication vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-018197

DESCRIPTION

A vulnerability in the smart card login authentication of Cisco Duo for macOS could allow an unauthenticated attacker with physical access to bypass authentication. This vulnerability exists because the assigned user of a smart card is not properly matched with the authenticating user. An attacker could exploit this vulnerability by configuring a smart card login to bypass Duo authentication. A successful exploit could allow the attacker to use any personal identity verification (PIV) smart card for authentication, even if the smart card is not assigned to the authenticating user. (DoS) It may be in a state. Cisco Duo is a fully managed solution from Cisco. Provide secure access to your applications and data. An authorization problem vulnerability exists in Cisco Duo

Trust: 1.8

sources: NVD: CVE-2022-20662 // JVNDB: JVNDB-2022-018197 // VULHUB: VHN-405215 // VULMON: CVE-2022-20662

AFFECTED PRODUCTS

vendor:ciscomodel:duoscope:ltversion:2.0.0

Trust: 1.0

vendor:シスコシステムズmodel:duoscope:eqversion: -

Trust: 0.8

vendor:シスコシステムズmodel:duoscope:eqversion:2.0.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-018197 // NVD: CVE-2022-20662

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-20662
value: MEDIUM

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20662
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-20662
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202209-2858
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2022-20662
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.9
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2022-20662
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 0.9
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: CVE-2022-20662
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-018197 // CNNVD: CNNVD-202209-2858 // NVD: CVE-2022-20662 // NVD: CVE-2022-20662

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.1

problemtype:Inappropriate authentication (CWE-287) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-405215 // JVNDB: JVNDB-2022-018197 // NVD: CVE-2022-20662

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202209-2858

PATCH

title:cisco-sa-duo-macOS-bypass-uKZNpXE6url:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-duo-macOS-bypass-uKZNpXE6

Trust: 0.8

title:Cisco Duo Remediation measures for authorization problem vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=209317

Trust: 0.6

title:Cisco: Cisco Duo for macOS Authentication Bypass Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-duo-macOS-bypass-uKZNpXE6

Trust: 0.1

sources: VULMON: CVE-2022-20662 // JVNDB: JVNDB-2022-018197 // CNNVD: CNNVD-202209-2858

EXTERNAL IDS

db:NVDid:CVE-2022-20662

Trust: 3.4

db:JVNDBid:JVNDB-2022-018197

Trust: 0.8

db:AUSCERTid:ESB-2022.4812

Trust: 0.6

db:CNNVDid:CNNVD-202209-2858

Trust: 0.6

db:CNVDid:CNVD-2022-69161

Trust: 0.1

db:VULHUBid:VHN-405215

Trust: 0.1

db:VULMONid:CVE-2022-20662

Trust: 0.1

sources: VULHUB: VHN-405215 // VULMON: CVE-2022-20662 // JVNDB: JVNDB-2022-018197 // CNNVD: CNNVD-202209-2858 // NVD: CVE-2022-20662

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-duo-macos-bypass-ukznpxe6

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2022-20662

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2022.4812

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-20662/

Trust: 0.6

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-405215 // VULMON: CVE-2022-20662 // JVNDB: JVNDB-2022-018197 // CNNVD: CNNVD-202209-2858 // NVD: CVE-2022-20662

SOURCES

db:VULHUBid:VHN-405215
db:VULMONid:CVE-2022-20662
db:JVNDBid:JVNDB-2022-018197
db:CNNVDid:CNNVD-202209-2858
db:NVDid:CVE-2022-20662

LAST UPDATE DATE

2024-08-14T15:06:07.476000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-405215date:2022-10-04T00:00:00
db:VULMONid:CVE-2022-20662date:2022-09-30T00:00:00
db:JVNDBid:JVNDB-2022-018197date:2023-10-19T02:26:00
db:CNNVDid:CNNVD-202209-2858date:2022-10-08T00:00:00
db:NVDid:CVE-2022-20662date:2023-11-07T03:42:33.423

SOURCES RELEASE DATE

db:VULHUBid:VHN-405215date:2022-09-30T00:00:00
db:VULMONid:CVE-2022-20662date:2022-09-30T00:00:00
db:JVNDBid:JVNDB-2022-018197date:2023-10-19T00:00:00
db:CNNVDid:CNNVD-202209-2858date:2022-09-28T00:00:00
db:NVDid:CVE-2022-20662date:2022-09-30T19:15:10.437